benibela / videlibri

:books: Cross-platform library client to automate any OPAC and library catalog from your local device, e.g. for renewing borrowed books or searching for books available in the library from automated scripts.
https://www.videlibri.de/
GNU General Public License v3.0

Question on permissions #11

Closed IzzySoft closed 8 months ago

IzzySoft commented 9 months ago

My scanner got a few additional checks in January, and on today's update of your app reported:

! repo/de.benibela.videlibri_2783.apk declares sensitive permission(s): android.permission.READ_EXTERNAL_STORAGE*
! repo/de.benibela.videlibri_2783.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

The asterisk signals READ_EXTERNAL_STORAGE was granted implicitly because WRITE_EXTERNAL_STORAGE was declared. Can you please clarify what storage access is needed for here?

Ah, that DEPENDENCY_INFO_BLOCK is easily avoided:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

Thanks in advance!
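The scanner line above reports the block only by its ID (0x504b4453). Since, as explained, nobody outside Google can decrypt the value, the practical check after adding the Gradle setting is simply whether the ID is still present in the rebuilt APK. The following is an added example, not code from videlibri or from the scanner, that walks the APK Signing Block (the structure between the last ZIP entry and the central directory) and lists its ID/value pairs. It only assumes the publicly documented layout: a little-endian uint64 size, a sequence of uint64-length-prefixed pairs of uint32 ID plus value, the size repeated, and the 16-byte magic "APK Sig Block 42". The APK bytes it runs on are a constructed stand-in with just enough ZIP framing for the parser, not a real build.

```python
"""Added example: list the ID/value pairs in an APK Signing Block and check
for Google's DEPENDENCY_INFO_BLOCK (0x504b4453). Not from the videlibri project.
"""
import struct

DEPENDENCY_INFO_BLOCK = 0x504B4453
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = b"PK\x05\x06"
# Block IDs a reviewer will recognise; anything else is reported as unknown.
KNOWN_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x42726577: "verity padding",
    DEPENDENCY_INFO_BLOCK: "DEPENDENCY_INFO_BLOCK (Google, opaque)",
}


def find_eocd_offset(data: bytes) -> int:
    """Locate the ZIP end-of-central-directory record, scanning backwards
    so an archive comment of up to 65535 bytes does not hide it."""
    min_len = 22
    for off in range(len(data) - min_len, max(-1, len(data) - min_len - 0xFFFF - 1), -1):
        if data[off:off + 4] == EOCD_SIGNATURE:
            comment_len = struct.unpack_from("<H", data, off + 20)[0]
            if off + min_len + comment_len == len(data):
                return off
    raise ValueError("no EOCD record found; not a ZIP/APK")


def central_directory_offset(data: bytes) -> int:
    eocd = find_eocd_offset(data)
    return struct.unpack_from("<I", data, eocd + 16)[0]


def parse_apk_signing_block(data: bytes) -> dict[int, bytes]:
    """Return {block_id: value} for every pair in the signing block.
    Layout (little-endian): uint64 size | pairs | uint64 size | magic, where
    each pair is uint64 length | uint32 id | value and 'size' counts
    everything after the first uint64."""
    cd_off = central_directory_offset(data)
    if cd_off < 32 or data[cd_off - 16:cd_off] != APK_SIG_BLOCK_MAGIC:
        raise ValueError("no APK Signing Block before the central directory")
    size = struct.unpack_from("<Q", data, cd_off - 24)[0]
    start = cd_off - size - 8
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    blocks: dict[int, bytes] = {}
    pos, end = start + 8, cd_off - 24
    while pos < end:
        pair_len = struct.unpack_from("<Q", data, pos)[0]
        if pair_len < 4 or pos + 8 + pair_len > end:
            raise ValueError("malformed ID-value pair")
        block_id = struct.unpack_from("<I", data, pos + 8)[0]
        blocks[block_id] = data[pos + 12:pos + 8 + pair_len]
        pos += 8 + pair_len
    return blocks


def has_dependency_info_block(data: bytes) -> bool:
    return DEPENDENCY_INFO_BLOCK in parse_apk_signing_block(data)


def describe(blocks: dict[int, bytes]) -> list[str]:
    return [f"0x{i:08x} {KNOWN_IDS.get(i, 'unknown')} ({len(v)} bytes)"
            for i, v in blocks.items()]


def scan_apk(path: str) -> list[str]:
    """Usage on a real build: scan_apk('app-release.apk')."""
    with open(path, "rb") as f:
        return describe(parse_apk_signing_block(f.read()))


def build_fake_apk(pairs: dict[int, bytes]) -> bytes:
    """Constructed test data (not a valid APK): placeholder entry bytes,
    a signing block with the given pairs, a placeholder central directory
    and a minimal EOCD pointing at it."""
    body = b"\x00" * 40
    pair_bytes = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs.items())
    size = len(pair_bytes) + 8 + 16
    sig_block = struct.pack("<Q", size) + pair_bytes + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    cd = b"\x01" * 46
    cd_off = len(body) + len(sig_block)
    eocd = EOCD_SIGNATURE + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(cd), cd_off, 0)
    return body + sig_block + cd + eocd


if __name__ == "__main__":
    sample = build_fake_apk({0x7109871A: b"sig" * 5, DEPENDENCY_INFO_BLOCK: b"\xaa" * 8})
    for line in describe(parse_apk_signing_block(sample)):
        print(line)
```

Run `scan_apk()` on the APK produced before and after setting `includeInApk = false`: the 0x504b4453 entry should disappear while the v2/v3 signature blocks remain. Note that a signing block is only present for v2+ signed APKs; a v1-only (JAR-signed) APK will raise the "no APK Signing Block" error, which is the expected result there.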

benibela commented 8 months ago

> The asterisk signals READ_EXTERNAL_STORAGE was granted implicitly because WRITE_EXTERNAL_STORAGE was declared. Can you please clarify what storage access is needed for here?

for import/export

https://github.com/benibela/videlibri/blob/master/android/android/src/de/benibela/videlibri/activities/ImportExport.kt

> Ah, that DEPENDENCY_INFO_BLOCK is easily avoided:
>
> android {
>     dependenciesInfo {
>         // Disables dependency metadata when building APKs.
>         includeInApk = false
>         // Disables dependency metadata when building Android App Bundles.
>         includeInBundle = false
>     }
> }

Do I not need that when uploading it to the app store?

IzzySoft commented 8 months ago

> for import/export

Thanks, so I got that right :smiley:

> Do I not need that when uploading it to the app store?

If you mean PlayStore: you probably upload the AABs there, right? In that case simply skip the includeInBundle = false line and just put includeInApk = false, so the toy shop gets its opaque blob to play with and the FOSS folks are spared :wink:

IzzySoft commented 8 months ago

Thanks!