cleartext traffic

Open IzzySoft opened this issue 1 year ago • 10 comments

Just wondering over what my scanner reported:

! repo/top.donmor.tiddloidlite_10.apk declares flag(s): usesCleartextTraffic
! repo/top.donmor.tiddloidlite_10.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

What cleartext connections are used by the app? The DEPENDENCY_INFO_BLOCK can easily be avoided btw:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

Thanks in advance!

IzzySoft, Mar 01 '24 08:03

The usesCleartextTraffic was there before Lite was forked from Tiddloid. It was added to support non-SSL connections (HTTP) on the LAN. It may be removed someday since it is not necessary for Lite to make non-SSL connections.

As for DEPENDENCY_INFO_BLOCK, yeah I'd get rid of it somehow. P.S.: It's not clear if F-Droid builds have this 🤔

donmor, Mar 01 '24 10:03

  • usesCleartextTraffic: if it's not needed it's of course better removed. If it's still needed/used for LAN only, I can add that as exception, please let me know then. Err, I've just added that now – should you remove it my scanner will let me know.
  • DEPENDENCY_INFO_BLOCK: thanks! And F-Droid.org will have that with reproducible builds, but only if you have it – as with RB they'd ship your build. But we're talking about my repo here, which always takes your APKs 😉

I'll leave this issue open in case you need it for tracking usesCleartextTraffic – feel free to close if/when you don't (anymore).

IzzySoft, Mar 01 '24 11:03