Question on permissions
Closed this issue · 3 comments
My scanner got a few additional checks in January, and on today's update of your app reported:
! repo/de.benibela.videlibri_2783.apk declares sensitive permission(s): android.permission.READ_EXTERNAL_STORAGE*
! repo/de.benibela.videlibri_2783.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)
The asterisk signals READ_EXTERNAL_STORAGE was granted implicitly because WRITE_EXTERNAL_STORAGE was declared. Can you please clarify what storage access is needed for here?
Ah, that DEPENDENCY_INFO_BLOCK is easily avoided:

    android {
        dependenciesInfo {
            // Disables dependency metadata when building APKs.
            includeInApk = false
            // Disables dependency metadata when building Android App Bundles.
            includeInBundle = false
        }
    }

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.
Thanks in advance!
> The asterisk signals READ_EXTERNAL_STORAGE was granted implicitly because WRITE_EXTERNAL_STORAGE was declared. Can you please clarify what storage access is needed for here?

for import/export
> Ah, that DEPENDENCY_INFO_BLOCK is easily avoided:
>
>     android {
>         dependenciesInfo {
>             // Disables dependency metadata when building APKs.
>             includeInApk = false
>             // Disables dependency metadata when building Android App Bundles.
>             includeInBundle = false
>         }
>     }

do I not need that when uploading it in the app store?
> for import/export

Thanks, so I got that right 😃
> do I not need that when uploading it in the app store?

If you mean PlayStore: you probably upload the AABs there, right? In that case simply skip the includeInBundle = false line and just put includeInApk = false, so the toy shop gets its opaque blob to play with and the FOSS folks are spared 😉
Thanks!