Question on permissions

Question

Question on permissions

Closed this issue 4 months ago · 2 comments

IzzySoft commented 7 months ago

Checklist

I am able to reproduce the bug with the latest version.
I made sure that there are no existing issues - open or closed - which I could contribute my information to.
I have taken the time to fill in all the required details. I understand that the bug report will be dismissed otherwise.
This issue contains only one bug.

Affected version

current

Steps to reproduce the bug

Note ahead: your discussions link gives a 404, so I have to pick another issue type here.

My scanner just reported on today's update:

! repo/com.thehcj.quacker_303000.apk declares sensitive permission(s): android.permission.CAMERA android.permission.READ_EXTERNAL_STORAGE
! repo/com.thehcj.quacker_303000.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Could you please clarify the permissions? Thanks in advance! The DEPENDENCY_INFO_BLOCK is easily healed btw:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

Expected behavior

n/a

Actual behavior

n/a

Screenshots/Screen recordings

n/a

Logs

n/a

Affected Android/Custom ROM version

all

Affected device model

all

Additional information

none

Answer 1 · 2024-03-14T23:17:46.000Z

PS: What happened to your signing key? This release is signed with a different one than used before, so updates won't be possible. Previous sig:

Signer #1 certificate DN: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Signer #1 certificate SHA-256 digest: 45dd2d0bcc95e8e99a11fe0c8ff0d57899da4712112b83714a29e8b1bfe7c3dc
Signer #1 certificate SHA-1 digest: bdc360be6111c4edee729063565751a66b545542
Signer #1 certificate MD5 digest: 47fffb6367fc9ba91116f2b76fa6931e
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048

current sig:

Signer #1 certificate DN: CN=Harley Jones, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=GB
Signer #1 certificate SHA-256 digest: 604a076cc65565bf7a6cc3df151b660963845b69685b3d8487c116dcf4ae60e0
Signer #1 certificate SHA-1 digest: 6a31f0ceaf1e83efda667c593cb03b435c4964d4
Signer #1 certificate MD5 digest: 2a7c0ae7fd53bde9eab3c09a620c23ea
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048

Answer 2 · 2024-03-15T06:41:31.000Z

These permissions were left over from the QR scanner feature and will be removed in a future update
The signing key was corrupt so I had to update it with a new one

Hope I cleared things up