PamCatten / hot-stuff

Offline home inventory app for Android
Apache License 2.0

APK download? #2

Open IzzySoft opened 2 months ago

IzzySoft commented 2 months ago

Is there any chance you could provide a signed release APK for download (ideally attached to tagged releases here at GitHub, as that's where folks would look first) for those folks without access to PlayStore? Thanks in advance!

PamCatten commented 2 months ago

You really get around! I've seen posts from you on a couple of Android apps that I took inspiration from while I was writing Hot Stuff. So, thanks for visiting my little corner of the internet.

This is my first public-facing app, so it's probably going to take a bit for me to become familiar with these features. Here's a link to that first release, and I'll make sure that these releases are made alongside the versions published to the Play Store.

IzzySoft commented 2 months ago

> You really get around!

As repo maintainer that tends to happen, yes. So disclosure: I was hoping to include your app with my repo, yes :wink:

> it's probably going to take a bit for me to become familiar with these features

Took me several years. But we all learn from each other, so it's usually a win-win.

> Here's a link to that first release

Thanks! Looking at it now, running it through my scanners. First note:

```
SigningBlock blobs:
-------------------
0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)
```

This can easily be avoided:

```
android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}
```

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

No show-stopper, but would be nice to have fixed with the next release.

```
Offending libs:
---------------
* Google Mobile Services (/com/google/android/gms): NonFreeComp

1 offenders.
```

Oof. That's not that good, as it's proprietary. What do you need it for? Looking at your build.gradle.kts, I have a guess:

```
id("com.google.android.gms.oss-licenses-plugin")
```

Not the best choice: always be careful if something carries .gms. in its package name. That plugin drags in GMS. But there are several good replacements available, some of them using the same license as your app and hence fitting from that point as well. I'm no Android developer, so I cannot tell which one to recommend by functionality – so please check for yourself. AboutLibraries is still actively maintained and probably a good choice, the other Apache-ones haven't seen any activity lately.

Permissions look fine. So it would be just that blob and GMS you'd like to fix. I'll meanwhile integrate your app now, it will have the NonFreeComp anti-feature first (because of GMS) which will be removed once fixed.

Oh, and it would be a good idea to have your tag names correspond to either the versionName (v1.1.1) or the versionCode (e.g. c5) :wink:

A "LOL" remark: you might wish to take a look at VT for your APK. Google doesn't like it for some reason, and Ikarus (a minor engine) considers it a Trojan…

That said:

Funny: android.hardware.camera, but no CAMERA permission… Well, will become available here with the next sync around 6 pm UTC. Waiting for your updates to remove the "red flags" then :smiley:

> I'll make sure that these releases are made alongside the versions published to the Play Store.

:heart_eyes:
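
The "SigningBlock blobs" output quoted in the comment above lists the ID-value pairs stored in the APK Signing Block, which sits directly before the ZIP central directory. As an added example (not part of the thread and not the scanner used there), this Python parser returns those IDs so a release APK can be checked for `0x504b4453` before publishing; the function names and the constructed `build_sample` input are assumptions of the example, and ZIP64 archives are not handled.

```python
import struct

MAGIC = b"APK Sig Block 42"
KNOWN_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x42726577: "verity padding",
    0x504B4453: "DEPENDENCY_INFO_BLOCK",  # the ID flagged in the thread
}

def find_eocd(apk: bytes) -> int:
    """Locate the ZIP end-of-central-directory record, scanning from the end."""
    for pos in range(len(apk) - 22, max(len(apk) - 22 - 0xFFFF, 0) - 1, -1):
        if apk[pos:pos + 4] == b"PK\x05\x06" and \
                struct.unpack_from("<H", apk, pos + 20)[0] == len(apk) - pos - 22:
            return pos
    raise ValueError("not a ZIP/APK: no end-of-central-directory record")

def signing_block_ids(apk: bytes) -> list:
    """Return the IDs of every ID-value pair in the APK Signing Block."""
    (cd_offset,) = struct.unpack_from("<I", apk, find_eocd(apk) + 16)
    if cd_offset < 32 or apk[cd_offset - 16:cd_offset] != MAGIC:  # magic ends the block
        return []
    (size,) = struct.unpack_from("<Q", apk, cd_offset - 24)
    start = cd_offset - size - 8          # size excludes the leading size field
    if size < 24 or start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("inconsistent APK Signing Block size fields")
    ids, pos, end = [], start + 8, cd_offset - 24
    while pos < end:
        if pos + 12 > end:
            raise ValueError("truncated ID-value pair")
        length, block_id = struct.unpack_from("<QI", apk, pos)
        if length < 4 or pos + 8 + length > end:
            raise ValueError("malformed ID-value pair")
        ids.append(block_id)
        pos += 8 + length
    return ids

def build_sample(ids) -> bytes:
    """Constructed test input: an entry-less ZIP with a signing block of dummy pairs."""
    pairs = b"".join(struct.pack("<QI", 4 + 8, i) + b"\0" * 8 for i in ids)
    size = struct.pack("<Q", len(pairs) + 24)
    block = size + pairs + size + MAGIC
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 0, 0, 0, len(block), 0)
    return block + eocd

if __name__ == "__main__":
    for block_id in signing_block_ids(build_sample([0x7109871A, 0x504B4453])):
        print(f"0x{block_id:08x} ({KNOWN_IDS.get(block_id, 'unknown')})")
```

For a real file, pass its bytes to `signing_block_ids`; a build with `includeInApk = false` should no longer return `0x504b4453`.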

PamCatten commented 2 months ago

Ouch, seems like I have some reconfiguring to do! These all seem like pretty simple fixes, so I should be able to have a version ready in a couple of days. Really appreciate you taking an interest, this is all great advice.

IzzySoft commented 2 months ago

Thanks, and best luck for easy adjustment! If you want to, I then also can send you the metadata in fastlane format via PR, so you have it in your own hands how your app is presented. For some background on that, you can see my Fastlane Cheat Sheet. But that can come later, don't want to distract you with too many tasks at once :wink:

Thewisem commented 2 months ago

Could you add support for the armeabi v7a architecture in your next update?

PamCatten commented 2 weeks ago

This issue is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in a week.

IzzySoft commented 2 weeks ago

Hm, the last comment was from you on April 14th, @PamCatten, saying

> These all seem like pretty simple fixes, so I should be able to have a version ready in a couple of days.

Now I wonder whose activity is expected? :wink: Hint: there was no new version since. No pressure, just saying :smiley: