Open IzzySoft opened 5 months ago
So to clarify the warnings:
android:usesCleartextTraffic is used in our login process. We use web-views to login and retrieve access tokens.
via insecure connections? :scream: Don't those servers support https?
These permissions are used by BrainzPlayer to create a database of songs on the user's device that they can listen to via BrainzPlayer.
Ah, thanks – yes, that explains android.permission.READ_MEDIA_AUDIO and android.permission.READ_EXTERNAL_STORAGE, added them to the "allow list" with the proper explanation. This still leaves android.permission.READ_PHONE_STATE and android.permission.READ_MEDIA_IMAGES open.
We will add it in the next update.
Thanks, great!
Scanner yelled at me again with today's update, asking for

- usesCleartextTraffic (you wrote "retrieve access tokens" – which to me sounds like a security issue when happening via unencrypted settings)
- android.permission.READ_PHONE_STATE and android.permission.READ_MEDIA_IMAGES (which you didn't answer yet)
- DEPENDENCY_INFO_BLOCK (which you wrote will be added "in next update" – that would have been this one, right? But I do not see it in your build.gradle yet)

Apologies for nagging – but those who use my repo expect me to take care, and I don't want to disappoint them :wink:
Hi @IzzySoft, we are running some updates that should get rid of some warnings. We'll definitely let you know when we have finalised some changes (that affect these warnings).
Hi @IzzySoft, our next GitHub release should comply with all the policies of your repository. Please refer to #381 for context.
Wonderful, thanks a lot!
My recently enhanced scanner just reported on yesterday's update of your app:
Could you please clarify what those permissions are needed/used for – and also which "cleartext connections" are used? As for the DEPENDENCY_INFO_BLOCK, that's pretty easy to heal:

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.
Thanks in advance!
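The "easy to heal" part refers to a build configuration change. The following is an added example, not text from the issue thread or code from the app's repository: it shows the module-level build.gradle block that stops the Android Gradle Plugin (assumed to be version 4.0 or newer, where this block exists) from embedding the Google-encrypted dependency metadata in the APK and in App Bundles. The surrounding android block is assumed to be the app's existing one; only the dependenciesInfo block is new.

```groovy
// Added example (not from the issue thread): disable the DEPENDENCY_INFO_BLOCK
// in the app module's build.gradle. Assumes Android Gradle Plugin 4.0+.
android {
    // existing compileSdk, defaultConfig, buildTypes, ... stay as they are

    dependenciesInfo {
        // Do not embed the encrypted dependency-tree BLOB in APKs
        includeInApk = false
        // Do not embed it in Android App Bundles either
        includeInBundle = false
    }
}
```

After a rebuild, the APK no longer carries the opaque block, so a third party can verify the package contents without relying on data only Google can decrypt. The usesCleartextTraffic warning is a separate matter: it is raised by android:usesCleartextTraffic="true" in AndroidManifest.xml, and since the attribute already defaults to false on API 28 and later, the corrective step is to serve the login web views over https and drop the attribute rather than justify it.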