metabrainz / listenbrainz-android

Official Android App of ListenBrainz
https://play.google.com/store/apps/details?id=org.listenbrainz.android

Question on permissions and signing details #367

Open IzzySoft opened 5 months ago

IzzySoft commented 5 months ago

My recently enhanced scanner just reported on yesterday's update of your app:

! repo/org.listenbrainz.android_49.apk declares flag(s): usesCleartextTraffic
! repo/org.listenbrainz.android_49.apk declares sensitive permission(s):
  android.permission.READ_PHONE_STATE android.permission.READ_MEDIA_AUDIO
  android.permission.READ_MEDIA_IMAGES android.permission.READ_EXTERNAL_STORAGE
! repo/org.listenbrainz.android_49.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Could you please clarify what those permissions are needed/used for – and also which "cleartext connections" are used? As for the DEPENDENCY_INFO_BLOCK, that's pretty easy to heal:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

Thanks in advance!
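For anyone who wants to confirm the fix above actually landed in a build, here is an added example (not IzzySoft's scanner and not the app's own code) that parses the APK Signing Block of an .apk and lists its ID-value blocks, flagging 0x504b4453. The block layout is the documented APK Signature Scheme v2+ container; the well-known ids for v2, v3, v3.1 and verity padding are the published ones, and the 0x504b4453 id comes from the scanner output in this thread. The sample APK the script builds for itself is constructed test input with dummy signature bytes, so it only exercises the parser; point it at a real .apk to check a release.

```python
"""List the ID-value blocks in an APK Signing Block and flag DEPENDENCY_INFO_BLOCK.

Added example for this issue; not the scanner's code and not the app's.
It parses only the APK Signing Block (v2+ format), not the manifest.
"""
import io
import struct
import sys
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = b"PK\x05\x06"
DEPENDENCY_INFO_BLOCK_ID = 0x504B4453  # id reported by the scanner in this thread

# Well-known block ids; anything else is reported as an unknown block.
KNOWN_BLOCK_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x1B93AD61: "APK Signature Scheme v3.1",
    0x42726577: "verity padding",
    DEPENDENCY_INFO_BLOCK_ID: "DEPENDENCY_INFO_BLOCK (Google, encrypted dependency metadata)",
}


def _signing_block_pairs_range(apk: bytes):
    """Return (start, end) of the id-value pairs, or None if there is no signing block.

    Layout, little-endian:  uint64 size | pairs | uint64 size | 16-byte magic | central directory
    Both size fields count everything except the leading size field itself.
    """
    eocd = apk.rfind(EOCD_SIGNATURE)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a zip/APK")
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    if cd_offset < 24 or apk[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return None  # v1/JAR-only signature or unsigned: no APK Signing Block
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
    start = cd_offset - 8 - size
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    return start + 8, cd_offset - 24


def list_signing_block_ids(apk: bytes) -> dict:
    """Map each block id in the APK Signing Block to the length of its value in bytes."""
    rng = _signing_block_pairs_range(apk)
    if rng is None:
        return {}
    pos, end = rng
    ids = {}
    while pos + 12 <= end:  # a pair is at least uint64 length + uint32 id
        pair_len, block_id = struct.unpack_from("<QI", apk, pos)
        ids[block_id] = pair_len - 4  # the length covers the 4-byte id plus the value
        pos += 8 + pair_len
    return ids


def has_dependency_info_block(apk: bytes) -> bool:
    return DEPENDENCY_INFO_BLOCK_ID in list_signing_block_ids(apk)


def describe(apk: bytes) -> list:
    """Human-readable report, one line per block, in file order."""
    return [f"0x{bid:08x} {KNOWN_BLOCK_IDS.get(bid, 'unknown block')} ({n} bytes)"
            for bid, n in list_signing_block_ids(apk).items()]


def build_sample_apk(include_dependency_info: bool) -> bytes:
    """Constructed test input: a tiny zip with a synthetic signing block spliced in before the
    central directory. The v2 value is dummy bytes, not a real signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed-manifest/>")
        z.writestr("classes.dex", b"constructed dex")
    zip_bytes = buf.getvalue()
    pairs = {0x7109871A: b"\x00" * 32}
    if include_dependency_info:
        pairs[DEPENDENCY_INFO_BLOCK_ID] = b"\x11" * 48
    body = b"".join(struct.pack("<QI", 4 + len(v), bid) + v for bid, v in pairs.items())
    size = len(body) + 8 + 16  # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    eocd = zip_bytes.rfind(EOCD_SIGNATURE)
    cd_offset = struct.unpack_from("<I", zip_bytes, eocd + 16)[0]
    # Shift the central-directory offset in the EOCD by the size of the inserted block.
    patched_eocd = (zip_bytes[eocd:eocd + 16]
                    + struct.pack("<I", cd_offset + len(block))
                    + zip_bytes[eocd + 20:])
    return zip_bytes[:cd_offset] + block + zip_bytes[cd_offset:eocd] + patched_eocd


if __name__ == "__main__":
    apk = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk(True)
    for line in describe(apk):
        print(line)
    if has_dependency_info_block(apk):
        print("! contains DEPENDENCY_INFO_BLOCK; set dependenciesInfo { includeInApk = false } and rebuild")
```

Run it as `python check_sigblock.py app-release.apk`; with no argument it inspects its own constructed sample. A build with the Gradle change above should list only the signature-scheme (and possibly verity padding) blocks and no 0x504b4453 entry.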

07jasjeet commented 5 months ago

So to clarify the warnings:

  1. android:usesCleartextTraffic is used in our login process. We use web-views to login and retrieve access tokens.
  2. So, these permissions are used by BrainzPlayer to create a database of songs on the user's device that they can listen to via BrainzPlayer.
  3. We will add it in the next update.

IzzySoft commented 5 months ago

We use web-views to login and retrieve access tokens.

via insecure connections? :scream: Don't those servers support https?

these permissions are used by BrainzPlayer to create a database of songs on the user's device that they can listen to via BrainzPlayer.

Ah, thanks – yes, that explains android.permission.READ_MEDIA_AUDIO and android.permission.READ_EXTERNAL_STORAGE, added them to the "allow list" with the proper explanation. This still leaves android.permission.READ_PHONE_STATE and android.permission.READ_MEDIA_IMAGES open.


We will add it in the next update.

Thanks, great!

IzzySoft commented 5 months ago

Scanner yelled at me again with today's update, asking for

Apologies for nagging – but those who use my repo expect me to take care, and I don't want to disappoint them :wink:

07jasjeet commented 5 months ago

Hi @IzzySoft, we are running some updates that should get rid of some warnings. We'll definitely let you know when we have finalised some changes (that affect these warnings).

07jasjeet commented 4 months ago

Hi @IzzySoft, our next GitHub release should comply with all the policies of your repository. Please refer #381 for context.

IzzySoft commented 4 months ago

Wonderful, thanks a lot!