Question on permissions

Open IzzySoft opened this issue 7 months ago • 3 comments

Type

Other

Bug description

We've just received a scanner warning at IzzyOnDroid:

! repo/io.chaldeaprjkt.boorusphere_1042.apk declares sensitive permission(s):
  android.permission.READ_EXTERNAL_STORAGE
  android.permission.REQUEST_INSTALL_PACKAGES
! repo/io.chaldeaprjkt.boorusphere_1042.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Could you please clarify what those permissions are needed for?

Concerning DEPENDENCY_INFO_BLOCK, that can easily be avoided via a tiny adjustment to your build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

Thanks in advance!

Steps to reproduce

n/a

Android version

n/a

App version

versionCode 1042

Screenshots or videos

No response

Solution

No response

Additional context

No response

Acknowledgements

  • [X] I have searched the existing issues and this is a new and no duplicate or related to another open issue.
  • [X] I have written a short but informative title.
  • [X] I filled out all of the requested information in this issue properly.

IzzySoft • Jul 07 '24 22:07