search

gfroerli / app-android

Android app for gfrör.li.
GNU General Public License v3.0
5 stars 1 forks source link

Question on permissions #65

Closed IzzySoft closed 4 months ago

IzzySoft commented 4 months ago

My updater just reported on today's release:

! repo/ch.coredump.watertemp.zh_16.apk declares sensitive permission(s):
  android.permission.ACCESS_COARSE_LOCATION android.permission.ACCESS_FINE_LOCATION
! repo/ch.coredump.watertemp.zh_16.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

I guess location permission is used to report for the actual place one is at?

As for DEPENDENCY_INFO_BLOCK, that can easily be avoided:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

Thanks in advance!

dbrgn commented 4 months ago

Hi, yes, the location permission is used to center the map at one's own location.

Thanks for the hint about the DEPENDENCY_INFO_BLOCK! I'll check that before the next release.

IzzySoft commented 4 months ago

Thanks! Added the perms to your app's "green list" then, including the proper explanation as given. Looking forward to the DEPENDENCY_INFO_BLOCK being gone :smiley:

dbrgn commented 4 months ago

Fixed in https://github.com/gfroerli/app-android/pull/67

IzzySoft commented 4 months ago

Thanks!

dbrgn commented 4 months ago

1.0.5 contains the fix.

IzzySoft commented 4 months ago

And should be pulled + sync'd in about 4h here, thanks again!