maxrave-dev / SimpMusic

A simple music app using YouTube Music for backend
https://simpmusic.tech/
GNU General Public License v3.0
1.81k stars 115 forks

Question on permissions #227

Open IzzySoft opened 8 months ago

IzzySoft commented 8 months ago

My recently improved scanner just reported the following for today's update of SimpMusic:

! repo/com.maxrave.simpmusic_15.apk declares flag(s): usesCleartextTraffic
! repo/com.maxrave.simpmusic_15.apk declares risky permission(s): android.permission.READ_MEDIA_AUDIO android.permission.READ_MEDIA_IMAGES android.permission.READ_EXTERNAL_STORAGE

Now comparing it to the app description, I don't find what they might be needed for:

Thanks in advance for clarification!

maxrave-dev commented 8 months ago

For usesCleartextTraffic, I think it can be removed (I added it to be sure all requests are successful). For storage, it is needed to open the image to change the thumbnails and to choose the backup folder.

IzzySoft commented 8 months ago

Thanks Max! And yeah, I just learned that on Android 9 and below indeed *_EXTERNAL_STORAGE is still needed to access media "owned" by other apps. Thought that was replaced by the media permissions but obviously got that wrong, apologies! They messed so much with the storage permissions since Lollipop that it's hard to keep track… :see_no_evil:

So I guess READ_MEDIA_IMAGES is needed to access album art even if it's located in the Music directory?

And thanks for taking care of the usesCleartextTraffic! I've just added READ_MEDIA_AUDIO and READ_EXTERNAL_STORAGE to your app's allow-list here now, waiting for confirmation on the images one then I'll add that as well.
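As an added illustration of the checks discussed in this thread (example code, not part of the issue or of the SimpMusic project): a small lint over an AndroidManifest.xml source file that reports the usesCleartextTraffic flag and the three storage permissions named in the scanner output, and additionally checks that the legacy READ_EXTERNAL_STORAGE permission carries maxSdkVersion="32", since from API 33 onward it is replaced by the scoped READ_MEDIA_* permissions and should only be requested on the older versions that still need it. Both manifests, the package name and the finding wording are constructed for the example.

```python
"""Added example, not from the issue thread or the SimpMusic project: lint an
AndroidManifest.xml source for the usesCleartextTraffic flag and storage
permissions, with a check that the pre-API-33 READ_EXTERNAL_STORAGE permission
is capped with maxSdkVersion so it is not requested where it has no effect."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def A(attr: str) -> str:
    """Qualify an attribute name with the android: XML namespace."""
    return f"{{{ANDROID_NS}}}{attr}"


# The permissions the scanner report above lists: two scoped media permissions
# (API 33+) and the legacy storage permission they replaced.
STORAGE_PERMISSIONS = {
    "android.permission.READ_MEDIA_AUDIO",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
}
LEGACY_MAX_SDK = 32  # READ_EXTERNAL_STORAGE is ignored from API 33 onward


def lint_manifest(xml_text: str) -> list:
    """Return one finding string per flagged item, flag first, then permissions
    in document order.  An empty list means nothing the scanner would report."""
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("application")
    if app is not None and app.get(A("usesCleartextTraffic")) == "true":
        findings.append(
            "flag: usesCleartextTraffic=true (plain HTTP allowed app-wide; "
            "drop the flag or scope cleartext to specific hosts in a "
            "networkSecurityConfig)")
    for perm in root.findall("uses-permission"):
        name = perm.get(A("name"))
        if name not in STORAGE_PERMISSIONS:
            continue
        max_sdk = perm.get(A("maxSdkVersion"))
        if name == "android.permission.READ_EXTERNAL_STORAGE":
            if max_sdk is None or int(max_sdk) > LEGACY_MAX_SDK:
                findings.append(
                    f'permission: {name} without maxSdkVersion="{LEGACY_MAX_SDK}" '
                    "(requested on API 33+ where it does nothing)")
            else:
                findings.append(f"permission: {name} (legacy, capped at API {max_sdk})")
        else:
            findings.append(f"permission: {name}")
    return findings


# Constructed manifest in the state the scanner complained about.
MANIFEST_BEFORE = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_MEDIA_AUDIO" />
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES" />
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
    <application android:label="constructed" android:usesCleartextTraffic="true" />
</manifest>
"""

# Constructed manifest with the flag removed and the legacy permission capped.
MANIFEST_AFTER = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_MEDIA_AUDIO" />
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES" />
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"
        android:maxSdkVersion="32" />
    <application android:label="constructed" />
</manifest>
"""

if __name__ == "__main__":
    for label, text in (("before", MANIFEST_BEFORE), ("after", MANIFEST_AFTER)):
        print(f"--- {label} ---")
        for finding in lint_manifest(text):
            print(finding)
```

The lint reads the source manifest, not the binary one packed into an APK; for a built APK the same attributes can be read after decoding the manifest with aapt2 or apktool, which is what a scanner like the one quoted in this thread does.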

IzzySoft commented 7 months ago

For usesCleartextTraffic, I think it can be removed (I added it to be sure all requests successful)

Still there with today's release. From the report:

! repo/com.maxrave.simpmusic_16.apk declares flag(s): usesCleartextTraffic
! repo/com.maxrave.simpmusic_16.apk declares sensitive permission(s): android.permission.READ_MEDIA_IMAGES
! repo/com.maxrave.simpmusic_16.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

The check for signature blobs was just enabled recently – and actually, this one is easy to get rid of:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.
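To show what "contains signature block blobs" actually inspects, here is an added example (not code from the issue thread or from the SimpMusic project) that locates the APK Signing Block in an APK and lists the IDs of the ID-value pairs it carries, reporting 0x504b4453 when the dependency metadata block is present. Since a real APK is not embedded here, the block also constructs a minimal zip in memory and splices in a signing block with a v2 signature entry and a dependency block; the byte contents of those entries are placeholders, and the block ID names come from the APK Signature Scheme documentation.

```python
"""Added example, not from the issue thread or the SimpMusic project: parse the
APK Signing Block (the structure between the zip entries and the central
directory) and list the IDs of the blobs inside it.  Input is a constructed
APK-like zip built in memory, not a real SimpMusic build."""
import io
import struct
import zipfile

# Block IDs documented for the APK Signature Scheme; the last one is the ID the
# scanner report above names as DEPENDENCY_INFO_BLOCK.
KNOWN_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x504B4453: "DEPENDENCY_INFO_BLOCK; GOOGLE",
}
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = 0x06054B50


def _find_eocd(data: bytes) -> int:
    """Offset of the End of Central Directory record, scanning backwards since
    the record may be followed by a variable-length comment."""
    min_off = max(0, len(data) - 22 - 0xFFFF)
    for off in range(len(data) - 22, min_off - 1, -1):
        if struct.unpack_from("<I", data, off)[0] == EOCD_SIGNATURE:
            return off
    raise ValueError("no EOCD record found")


def list_signing_block_ids(data: bytes) -> dict:
    """Return {block_id: value_length} for the APK Signing Block preceding the
    central directory, or {} if the file has no such block."""
    eocd = _find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    # The block ends with uint64 size_of_block followed by the 16-byte magic.
    if cd_offset < 24 or data[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return {}
    size_of_block = struct.unpack_from("<Q", data, cd_offset - 24)[0]
    # size_of_block excludes the leading uint64 size field, so the block starts
    # 8 bytes earlier than cd_offset - size_of_block.
    start = cd_offset - size_of_block - 8
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size_of_block:
        raise ValueError("inconsistent APK Signing Block size fields")
    ids = {}
    pos = start + 8
    end = cd_offset - 24  # ID-value pairs stop where the footer begins
    while pos < end:
        pair_len = struct.unpack_from("<Q", data, pos)[0]   # uint64 length of ID + value
        block_id = struct.unpack_from("<I", data, pos + 8)[0]  # uint32 ID
        ids[block_id] = pair_len - 4
        pos += 8 + pair_len
    return ids


def report(data: bytes) -> list:
    """One line per blob, in the spirit of the scanner output above."""
    return [f"0x{bid:08x} ({KNOWN_IDS.get(bid, 'unknown')}; {n} bytes)"
            for bid, n in list_signing_block_ids(data).items()]


def build_constructed_apk(blocks: dict) -> bytes:
    """Construct a minimal zip and splice an APK Signing Block with the given
    {id: value} pairs in front of the central directory (constructed test data;
    the result is not signed and is only meant to exercise the parser)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed/>")
    raw = buf.getvalue()
    eocd = _find_eocd(raw)
    cd_offset = struct.unpack_from("<I", raw, eocd + 16)[0]
    pairs = b"".join(struct.pack("<QI", 4 + len(v), bid) + v for bid, v in blocks.items())
    size_of_block = len(pairs) + 8 + 16  # pairs + trailing size field + magic
    sig_block = (struct.pack("<Q", size_of_block) + pairs
                 + struct.pack("<Q", size_of_block) + APK_SIG_BLOCK_MAGIC)
    new_eocd = bytearray(raw[eocd:])
    struct.pack_into("<I", new_eocd, 16, cd_offset + len(sig_block))  # fix CD offset
    return raw[:cd_offset] + sig_block + raw[cd_offset:eocd] + bytes(new_eocd)


if __name__ == "__main__":
    sample = build_constructed_apk({0x7109871A: b"\x00" * 32, 0x504B4453: b"\x01" * 16})
    for line in report(sample):
        print(line)
```

Run against a real APK the same `list_signing_block_ids(open(path, "rb").read())` call lists whatever apksigner and the build tooling put there; a v2 or v3 signature entry is expected, while 0x504b4453 disappears once `dependenciesInfo { includeInApk = false }` from the snippet above is in place.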

IzzySoft commented 3 months ago

@maxrave-dev any news on this? Latest release again triggered the scanner warnings:

! repo/com.maxrave.simpmusic_18.apk declares flag(s): usesCleartextTraffic
! repo/com.maxrave.simpmusic_18.apk declares sensitive permission(s): android.permission.READ_MEDIA_IMAGES
! repo/com.maxrave.simpmusic_18.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

maxrave-dev commented 3 months ago

I will fix it in the next build.