question on permissions

Open IzzySoft opened this issue 1 year ago • 2 comments

Our scanners got extended since your last release, so on the current one they reported:

```
! repo/com.m3u.androidApp_144.apk declares sensitive permission(s):
  android.permission.READ_EXTERNAL_STORAGE
! repo/com.m3u.androidApp_144.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)
```

I guess `READ_EXTERNAL_STORAGE` is used to access local media files (but what is `WRITE_EXTERNAL_STORAGE` needed/used for then)? Concerning `DEPENDENCY_INFO_BLOCK`, that's easily avoided with a little addition to your `build.gradle`:

```groovy
android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}
```

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

Thanks in advance!

IzzySoft, Jan 01 '25 20:01

These two permissions are used to save and restore the backup files.

oxyroid, Jan 02 '25 09:01

> These two permissions are used to save and restore the backup files.

Thanks! Added that to the "green list" of your app. Just out of curiosity: the app only supports Android 8+ – and backups just need access to a single directory. Any reason you don't use SAF instead?

And btw, will you address that blob?

IzzySoft, Jan 02 '25 10:01