solkin / appteka-android

💊 Appteka is an alternative store for Android
https://appteka.store
GNU General Public License v3.0
353 stars 23 forks

Why is cleartext traffic needed? #18

Closed IzzySoft closed 7 months ago

IzzySoft commented 9 months ago

My scanner just got a few additional checks, and reported on the latest release:

! repo/com.tomclaw.appsend_732.apk declares flag(s): usesCleartextTraffic
! repo/com.tomclaw.appsend_732.apk declares sensitive permission(s): android.permission.REQUEST_INSTALL_PACKAGES android.permission.REQUEST_DELETE_PACKAGES android.permission.READ_EXTERNAL_STORAGE*

While REQUEST_INSTALL_PACKAGES and REQUEST_DELETE_PACKAGES are clear for your app (and have been added to its allow-list already), the other two leave questions open:

Thanks in advance!
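The two manifest checks behind the report above can be sketched as follows. This is an added example, not IzzySoft's scanner and not code from this thread. It assumes a manifest already decoded to text XML; the `SENSITIVE` set, the allow-list handling, the sample manifests and the extra `targetSdkVersion` fallback (which goes beyond what the report shows) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: the set this example treats as sensitive, taken from the report above.
SENSITIVE = {
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.REQUEST_DELETE_PACKAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

def scan_manifest(xml_text, allowed=frozenset()):
    """Return findings for a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("application")
    flag = app.get(NS + "usesCleartextTraffic") if app is not None else None
    sdk = root.find("uses-sdk")
    target = int(sdk.get(NS + "targetSdkVersion", "1")) if sdk is not None else None
    if flag == "true":
        findings.append("declares flag(s): usesCleartextTraffic")
    elif flag is None and target is not None and target < 28:
        # Without the attribute, cleartext is permitted by default below API 28.
        findings.append("cleartext allowed by default (targetSdkVersion < 28)")
    declared = {
        el.get(NS + "name")
        for tag in ("uses-permission", "uses-permission-sdk-23")
        for el in root.findall(tag)
    }
    # Only report sensitive permissions that are not on the per-app allow-list.
    flagged = sorted((declared & SENSITIVE) - set(allowed))
    if flagged:
        findings.append("declares sensitive permission(s): " + " ".join(flagged))
    return findings

# Constructed sample manifests (not taken from the real APK).
BEFORE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.store">
  <uses-sdk android:targetSdkVersion="33"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:usesCleartextTraffic="true"/>
</manifest>"""
AFTER = BEFORE.replace(' android:usesCleartextTraffic="true"', "")
ALLOW = {"android.permission.REQUEST_INSTALL_PACKAGES"}

if __name__ == "__main__":
    for name, doc in (("before", BEFORE), ("after", AFTER)):
        print(name, scan_manifest(doc, ALLOW))
```

When the manifest comes from an untrusted APK, parse it with a hardened XML parser such as defusedxml rather than the standard-library one.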

IzzySoft commented 9 months ago

@solkin any word?

solkin commented 9 months ago

@IzzySoft Thank you for your questions! Cleartext traffic is not used in Appteka, seems that flag was added for debugging purposes. I'll remove it. READ_EXTERNAL_STORAGE is needed to find and upload apk files. WRITE_EXTERNAL_STORAGE is needed to save and install downloading apk files to Downloads/Apps.

IzzySoft commented 9 months ago

Thanks! Added those permissions to the allow-list then:

image

Err… DEPENDENCY_INFO_BLOCK is actually easy to get rid of:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

solkin commented 7 months ago

Dependencies block removed in commit 8b96323. Updates will become available in Appteka 14.0.

IzzySoft commented 7 months ago

Thanks!