Question on permissions

[IzzySoft]

The scanner here just reported:

! repo/my.noveldokusha_14.apk declares flag(s): usesCleartextTraffic
! repo/my.noveldokusha_14.apk declares sensitive permission(s): android.permission.READ_EXTERNAL_STORAGE
! repo/my.noveldokusha_14.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Could you please clarify what cleartext connections are made and where to? And what the storage permissions (read + write) are needed for? As the minimal Android version supported is 8 I'd assume you'd use SAF (Storage Access Network) instead?

As for DEPENDENCY_INFO_BLOCK, that can easily be avoided with a minor adjustment to your build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

Thanks in advance!

[nanihadesuka]

usesCleartextTraffic was used for some https websites. Seems now all use https so make sense to remove flag. READ_EXTERNAL_STORAGE will also remove as is not needed anymore (and not asked)

[IzzySoft]

Cool, thanks a lot! Looking forward to the next release then :star_struck:

[IzzySoft]

Just a heads-up: The latest release caused the same warnings here. Just for information: any ETA on their removal?

[nanihadesuka]

Removed cleartextTraffic flag. Removed read and write permissions.

Will not remove google blob for the time being.

[IzzySoft]

Will not remove google blob for the time being.

May I ask why not? Not even Google insists on it. You could remove it from the APK and leave it in the AAB, for example. Remember all those signature block blobs are potential security risks; a 3rd party could easily replace them by something else without breaking the signature, and you couldn't tell as you cannot read what's inside. Only Google could.

[nanihadesuka]

I don't know the implications of removing this blob so I won't be disabling its generation for the time being. I want the app to behave as nicely as possible in devices with google services.

[IzzySoft]

Fair enough, thanks. If it helps: I've made this suggestion to hundreds of apps meanwhile. Implications were not heard of with a single exception: an app that used AccessibilityServices (there Google complained with their PlayStore review, IIRC). So as long as you don't use those, there should be no implications. I've heard of no issues on any devices (and why should there be any?).