Open IzzySoft opened 3 months ago
Any word? There will be no updates available before this is solved, @aritra-tech
PS: I have disabled updates for this app entirely now, so I won't get any reminders unless you answer here.
Hey sorry, @IzzySoft didn't get the time to look into it. I will look into this issue.
didn't get the time to look into it.
yeah, time's a bitch… and no personal grudge there, I know that feeling (have some such issues here as well – luckily no "show-stoppers"). My "pressing" is just as it's a technical necessity.
I will look into this issue.
Thanks! Just give me a ping please then, as I do no longer get "reminders" when the still unchanged update was pulled once a month due to updates being disabled entirely now.
The main thing would be the signing. That solved, I could re-enable updates and those permissions would just be shown as warnings until solved/explained. So assuming you still can access your signing key (and having used the debug one was just an accident), if you could take those 5..10 minutes to re-sign and re-attach the APK, we'd be a big step forwards – and those permissions could be addressed separately (luckily there's no "crucial one" involved :wink:).
Your current release passed my scanner yesterday, which reported:
I could find no hint in the app description helping me to answer the question what those permissions might be needed for. Could you please clarify? Thanks in advance!
Moreover, the updater rejected your APK:
APKs intended for distribution should have neither the
debuggable
nor thetestOnly
flag set. Further, the signing key doesn't match the one from prior releases – so updates are impossible. Could it be you accidentally added the wrong APK – one you intended for internal testing? Taking a closer look seems to suggest that:And a last thing, while I'm here:
This Blob can easily be avoided with a tiny adjustment in your
build.gradle
:For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.
Thanks in advance for your help!
PS: As the current APK is not suitable but still would be fetched on each update run, I've disabled updates for your app until this issue was solved. Will of course re-enable once the proper APK is available. Thanks for understanding!