Question on permissions

[IzzySoft]

The scanners at IzzyOnDroid just reported:

! repo/phone.vishnu.quotes_64.apk declares sensitive permission(s): android.permission.READ_EXTERNAL_STORAGE*
! repo/phone.vishnu.quotes_64.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

The asterisk indicates the permission was granted implicitly – most likely due to WRITE_EXTERNAL_STORAGE. May I ask what the storage permissions are needed for? Your app requires at least Android 5.1, so I'd assume it would use the Storage Access Network (SAF) which would (with exception of a few locations like Downloads or media storage) not need any specific permissions.

As for DEPENDENCY_INFO_BLOCK, that can easily be avoided by a minor adjustment to your build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

Thanks in advance!

[VishnuSanal]

Hi Izzy, I'll check & update, thanks!

[VishnuSanal]

hi, I have fixed the dependency issue. and, about the permission issue -- um... I don't remember the implementation from the top of my head. + that would require further investigation & extensive testing. will it be okay if I update/fix it in the next release? thanks!

[IzzySoft]

I have fixed the dependency issue

cool, thanks!

will it be okay if I update/fix it in the next release?

Sure – it's not THAT critical that it would kill little kittens, right? 😉 Thanks for addressing it!