TheCacophonyProject / bird-monitor

Android application to regularly record birdsong for analysis
GNU General Public License v3.0

Question on permissions #116

Open IzzySoft opened 1 month ago

IzzySoft commented 1 month ago

Nice to see a new update! My scanner just reported on it:

! repo/nz.org.cacophony.birdmonitor_210011100.apk declares sensitive permission(s):
  android.permission.RECORD_AUDIO android.permission.ACCESS_FINE_LOCATION
  android.permission.ACCESS_COARSE_LOCATION android.permission.READ_PHONE_STATE
  android.permission.READ_EXTERNAL_STORAGE*
! repo/nz.org.cacophony.birdmonitor_210011100.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

RECORD_AUDIO and the location permissions are clear. But could you please clarify what READ_PHONE_STATE and storage (app requests WRITE_EXTERNAL_STORAGE, so READ_EXTERNAL_STORAGE is granted implicitly) are needed for?

As for DEPENDENCY_INFO_BLOCK, that can easily be avoided:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

While on it: it would be great if there could be a FOSS build flavor coming without the proprietary components – especially without those not needed for the app's functionality, like Crashlytics and Firebase Analytics. Any plans for that? Thanks in advance!
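The two automated findings quoted above (sensitive permissions, including one granted implicitly, and an opaque block in the APK Signing Block) can both be reproduced with a short script. The following is an added example, not code from the bird-monitor project or from IzzySoft's scanner; it assumes a source-form (text) AndroidManifest.xml rather than the binary XML inside a built APK, and it builds a constructed in-memory APK with a hand-written signing block so the parser can be exercised offline. The block IDs for the v2/v3 signature schemes, the verity padding block, and 0x504b4453 come from the APK Signing Block format; the sensitive-permission list is the subset mentioned in the report.

```python
import io
import struct
import xml.etree.ElementTree as ET
import zipfile

# ---- Part 1: permission review of a text-form AndroidManifest.xml ----------------
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of permissions a repository scanner flags as sensitive (from the report above).
SENSITIVE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
# Requesting WRITE_EXTERNAL_STORAGE implicitly grants READ_EXTERNAL_STORAGE.
IMPLIED_PERMISSIONS = {
    "android.permission.WRITE_EXTERNAL_STORAGE": "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed sample manifest (hypothetical package name, not the real app's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.constructed.app">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""


def sensitive_permissions(manifest_xml: str) -> dict:
    """Map each sensitive permission to 'declared' or 'implied by <permission>'."""
    root = ET.fromstring(manifest_xml)
    declared = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    found = {p: "declared" for p in declared & SENSITIVE_PERMISSIONS}
    for source, implied in IMPLIED_PERMISSIONS.items():
        if source in declared and implied not in declared:
            found[implied] = "implied by " + source
    return found


# ---- Part 2: enumerate ID-value pairs in the APK Signing Block --------------------
APK_SIG_V2_ID = 0x7109871A
APK_SIG_V3_ID = 0xF05368C0
VERITY_PADDING_ID = 0x42726577
DEPENDENCY_INFO_ID = 0x504B4453  # the Google DEPENDENCY_INFO_BLOCK from the report
KNOWN_IDS = {
    APK_SIG_V2_ID: "APK Signature Scheme v2",
    APK_SIG_V3_ID: "APK Signature Scheme v3",
    VERITY_PADDING_ID: "verity padding",
    DEPENDENCY_INFO_ID: "DEPENDENCY_INFO_BLOCK (Google, encrypted)",
}
SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = b"PK\x05\x06"


def _central_directory_offset(data: bytes) -> int:
    # The End of Central Directory record sits in the last 22 + 65535 bytes.
    start = max(0, len(data) - 22 - 65535)
    eocd = data.rfind(EOCD_SIGNATURE, start)
    if eocd < 0:
        raise ValueError("not a zip/APK: no End of Central Directory record")
    return struct.unpack_from("<I", data, eocd + 16)[0]


def signing_block_entries(data: bytes) -> list:
    """Return [(block_id, value_length), ...] from the APK Signing Block, or [] if absent."""
    cd = _central_directory_offset(data)
    if cd < 32 or data[cd - 16:cd] != SIG_BLOCK_MAGIC:
        return []  # unsigned or v1-only APK: no signing block before the central directory
    size = struct.unpack_from("<Q", data, cd - 24)[0]  # excludes the leading size field
    block_start = cd - size - 8
    if struct.unpack_from("<Q", data, block_start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    entries, pos, end = [], block_start + 8, cd - 24
    while pos < end:
        pair_len = struct.unpack_from("<Q", data, pos)[0]  # uint32 ID + value
        block_id = struct.unpack_from("<I", data, pos + 8)[0]
        entries.append((block_id, pair_len - 4))
        pos += 8 + pair_len
    return entries


def has_dependency_info_block(data: bytes) -> bool:
    return any(block_id == DEPENDENCY_INFO_ID for block_id, _ in signing_block_entries(data))


def build_sample_apk(pairs: list) -> bytes:
    """Constructed test fixture: a tiny zip with a signing block inserted before the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"constructed placeholder, not binary XML")
    data = buf.getvalue()
    eocd = data.rfind(EOCD_SIGNATURE)
    cd = struct.unpack_from("<I", data, eocd + 16)[0]
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + len(SIG_BLOCK_MAGIC)
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
    eocd_fixed = data[eocd:eocd + 16] + struct.pack("<I", cd + len(block)) + data[eocd + 20:]
    return data[:cd] + block + data[cd:eocd] + eocd_fixed


def zip_still_valid(data: bytes) -> bool:
    return zipfile.ZipFile(io.BytesIO(data)).testzip() is None


if __name__ == "__main__":
    print(sensitive_permissions(SAMPLE_MANIFEST))
    apk = build_sample_apk([(APK_SIG_V2_ID, b"\x00" * 8), (DEPENDENCY_INFO_ID, b"opaque")])
    for block_id, length in signing_block_entries(apk):
        print(f"0x{block_id:08x} {KNOWN_IDS.get(block_id, 'unknown')} ({length} bytes)")
```

On a real APK, read the file bytes and pass them to `signing_block_entries`; a 0x504b4453 entry means the build still embeds the Google-encrypted dependency metadata that the `dependenciesInfo` Gradle setting above turns off.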

IzzySoft commented 1 month ago

PS: getting further down the report, I see there are several more issues keeping the update from showing up and being accepted. First, it seems the signing key changed. The previous version had:

Signer #1 certificate DN: CN=Cameron Ryan-Pears, O=The Cacophony Project, L=Christchurch, ST=Canterbury, C=NZ
Signer #1 certificate SHA-256 digest: 4f916c7158295371b8c983bd3207a5ad2adc171c6c80c19e87d566d3c54e0e7e
Signer #1 certificate SHA-1 digest: a7998c1e2a674c21fa04ba875bf7f694615b01a1
Signer #1 certificate MD5 digest: 478db086efb890cd944faf8c3fff3cae
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048

Current version has:

Signer #1 certificate DN: O=The Cacophony Project
Signer #1 certificate SHA-256 digest: 13c580e2d6f19d636be2785d82d3a12c0dc43d15185b8a54197e618d8188b2e5
Signer #1 certificate SHA-1 digest: dbbf9a8b639a251ff4d1f3271e5ff509e9a56334
Signer #1 certificate MD5 digest: f11f5fcb8193efebf7d997c7e224d2af
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048

That makes Android reject the update (and my repo does the same, as signing keys are pinned there). Looking for an explanation, I checked the releases – no comment there. So I checked its commit – and oops, that commit is not there either: the source code is missing:

[image]

So this release was dropped. Btw, it seems the app was dropped from F-Droid altogether, their badge in your Readme points to a 404 page.