Proprietary components added

[IzzySoft]

Today's updated added several proprietary components, essentially making the app no longer fully FOSS:

• ML Kit
• Firebase
• Google Mobile Services

Hence I'll have now to either

• remove the app from my repo
• remove this version and disable updates until this issue is solved
• mark the app with the corresponding anti-features

The latter would be seen as a "red flag" for many folks looking for a good password manager – and in this case even violate inclusion criteria of the repo, as MLKit is also marked as Tracker – so I will for now take option 2, waiting for clarification. Options from your end would be:

• removing those dependencies again altogether
• replacing them with a FOSS alternative (I guess you're using MLKit for QR Code scanning? There are alternatives for which work fine, I e.g. never had any issues with KeePassDX in this concern)
• moving them into a separate build flavor, or (the other way around) creating a FOSS build flavor coming without those.

Thanks in advance for consideration! I hope we can find a good solution here, so I can re-enable updates soon.

[jeyasankar]

Thanks @IzzySoft for detailed analyzes.

Indeed it seems these services were included by some react native third party package meant for QR code scanning. I will try to find alternative solutions to remove these dependencies. Till that time please use option 2 as you suggested. I will update you when I have a solution for the next version

[IzzySoft]

I'm no Android dev (and have no idea about RN development at all), so I cannot help with that much. Checking the definitions of my library scanner for a fitting match, I only found react-native-vision-camera explicitly naming RN and checked with their package.json, not seeing anything obviously suspicious. But looking into yours, that seems exactly what you are using, so I'm a bit confused. Obviously the "vision" part of its name points to the very same component of MLKit, though I don't see where the dependency is declared :shrug: But it clearly does depend on it:

import com.google.mlkit.vision.barcode.common.Barcode

Not sure what a good alternative would be. Fingers crossed you find one easily, which then is also easy to "swap in" :crossed_fingers:

[IzzySoft]

While waiting for a hopefully easy solution to that, may I ask for these two as well?

! repo/com.onekeepassmobile_9.apk declares sensitive permission(s): android.permission.CAMERA
! repo/com.onekeepassmobile_9.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

I'd say CAMERA is connected with QR code here (if that was planned to be used). As for DEPENDENCY_INFO_BLOCK, that can easily be avoided:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

[jeyasankar]

Thanks @IzzySoft These hints are useful. Hopefully I can remove the use of camera for the APK release in the next planned release soon

[IzzySoft]

Thank you! Looking forward to that then :star_struck:

[jeyasankar]

Hi @IzzySoft, I have a new APK release - 0.13.0 without these proprietary components. Hopefully this should be good

[IzzySoft]

Looks good, thanks! So I'll re-enable update checks now.

[jeyasankar]

Thanks @IzzySoft