iyox-studios/iyox-Wormhole

Question on permissions

Closed this issue · 2 comments

I'm just adding your app to my repo and wonder about what my scanner reports:

! repo/com.iyox.wormhole_2025.apk declares sensitive permission(s):
  android.permission.READ_EXTERNAL_STORAGE android.permission.CAMERA android.permission.RECORD_AUDIO
! repo/com.iyox.wormhole_2025.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Camera and storage are of course clear (QR-Code scanner and accessing the files to be shared). But what is RECORD_AUDIO for? I couldn't find it referred to in your repo here either; your AndroidManifest.xml doesn't declare it. So it might have been brought in by one of the dependencies. If it wasn't intended (which I assume) and isn't needed either, maybe you could remove that permission? See e.g. Removing Unwanted Manifest Permissions With tools:node for a possible approach to that.

Oh, and as for DEPENDENCY_INFO_BLOCK, that's easy to avoid:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

Thanks in advance!

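A way to confirm the "brought in by a dependency" suspicion before touching the manifest, as an added example that is neither the project's nor the scanner's code: diff the permissions in the project's own AndroidManifest.xml against those in the merged manifest the Gradle build writes under build/intermediates (exact path depends on the AGP version), then generate the tools:node="remove" entries for the surplus. Both manifests below are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
TOOLS_NS = "http://schemas.android.com/tools"
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")

# Constructed sample: the project's own AndroidManifest.xml (no RECORD_AUDIO).
SOURCE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools" package="com.example.app">
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
</manifest>"""

# Constructed sample: the merged manifest that gets packaged, after a
# library's own manifest contributed RECORD_AUDIO.
MERGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.RECORD_AUDIO" />
</manifest>"""


def permissions(manifest_xml: str) -> tuple[set[str], set[str]]:
    """Return (declared, removed): names requested, and names marked tools:node="remove"."""
    declared, removed = set(), set()
    root = ET.fromstring(manifest_xml)
    for tag in PERMISSION_TAGS:
        for el in root.iter(tag):
            name = el.get(f"{{{ANDROID_NS}}}name")
            (removed if el.get(f"{{{TOOLS_NS}}}node") == "remove" else declared).add(name)
    return declared, removed


def dependency_permissions(source_xml: str, merged_xml: str) -> set[str]:
    """Permissions in the packaged manifest that the project itself never declared."""
    return permissions(merged_xml)[0] - permissions(source_xml)[0]


def add_removals(source_xml: str, names: set[str]) -> str:
    """Append <uses-permission tools:node="remove"/> entries so the manifest merger
    drops those permissions even when a library requests them."""
    ET.register_namespace("android", ANDROID_NS)
    ET.register_namespace("tools", TOOLS_NS)
    root = ET.fromstring(source_xml)
    for name in sorted(names):
        ET.SubElement(root, "uses-permission",
                      {f"{{{ANDROID_NS}}}name": name, f"{{{TOOLS_NS}}}node": "remove"})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    extra = dependency_permissions(SOURCE_MANIFEST, MERGED_MANIFEST)
    print("brought in by dependencies:", sorted(extra))
    print(add_removals(SOURCE_MANIFEST, extra))
```

Re-run the merge after patching and the surplus set should come back empty; a permission that the scanner still flags afterwards is then coming from somewhere other than the manifest merge.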

Hey, thanks for your interest and for adding our app to your repo!
I've removed the unintended RECORD_AUDIO permission and fixed the DEPENDENCY_INFO_BLOCK as you suggested. I've just released a new version where those issues should be fixed.
Let me know if something is still not working.

Excellent, thanks!

$ iod repo get com.iyox.wormhole
com.iyox.wormhole: looking for 'https://api.github.com/repos/iyox-studios/iyox-Wormhole/releases'
com.iyox.wormhole: checking tag '0.1.4'
com.iyox.wormhole: lastRelNo set to '0.1.4', checking for files
com.iyox.wormhole: Upstream file date (2024-02-28 20:22) is newer than ours (2024-02-28 16:39).
com.iyox.wormhole: returning ['0.1.4','https://github.com/iyox-studios/iyox-Wormhole/releases/download/0.1.4/app-arm64-v8a-release.apk',1709148133]
com.iyox.wormhole: 0.1.3/0.1.4, https://github.com/iyox-studios/iyox-Wormhole/releases: https://github.com/iyox-studios/iyox-Wormhole/releases/download/0.1.4/app-arm64-v8a-release.apk
- Grabbing update for com.iyox.wormhole: OK
- Checking 'repo/com.iyox.wormhole_2026.apk' for libraries and malware …
- Checking the app's AndroidManifest.xml …
com.iyox.wormhole: check if repo contains FUNDING.yml
com.iyox.wormhole: looking for 'https://api.github.com/repos/iyox-studios/iyox-Wormhole/contents/.github'
com.iyox.wormhole: Github reports "Not Found" for https://api.github.com/repos/iyox-studios/iyox-Wormhole/contents/.github
com.iyox.wormhole: looking for 'https://api.github.com/repos/iyox-studios/iyox-Wormhole/contents/'
com.iyox.wormhole: looking for 'https://api.github.com/repos/iyox-studios/.github/contents/'
com.iyox.wormhole: Github reports "Not Found" for https://api.github.com/repos/iyox-studios/.github/contents/
com.iyox.wormhole: no FUNDING.yml detected.
com.iyox.wormhole: no Fastlane configured, skipping Fastlane check.

All fine, so we can close here. If some lines of that log left some question marks on your face:

Aaand… Be welcome to pick a badge to link to your app's new presence e.g. from your README if you like 😃