Question on permissions

[IzzySoft]

I just received a warning from the scanners on your latest release:

! repo/com.codepup.workout_timer_26.apk declares sensitive permission(s): android.permission.READ_EXTERNAL_STORAGE
! repo/com.codepup.workout_timer_26.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Could you please clarify what the storage permissions are needed for? Thanks in advance!

As for DEPENDENCY_INFO_BLOCK, that can easily be avoided by a tiny change to your build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

[a-mabe]

Hello, thank you for raising this question, your interest in the project is greatly appreciated! The READ_EXTERNAL_STORAGE permission was originally added for importing and exporting timer configurations however upon further research, it may not be needed. I'll likely reevaluate for the next release

[IzzySoft]

Thanks! Yes, for that you probably can use the Storage Access Framework, so one can pick a dedicated directory to export to and import from.

Will you also take care for that BLOB?

[a-mabe]

Will you also take care for that BLOB?

Yes, will get all this rolled into the next release 🙂