Permission question #37

Open
IzzySoft opened this issue Feb 18, 2024 · 4 comments

@IzzySoft

My scanner got an overhaul in January with more checks added, and on today's update reported:

! repo/be.martinelli.miniflutt_2728750.apk declares sensitive permission(s):
  android.permission.READ_EXTERNAL_STORAGE
! repo/be.martinelli.miniflutt_2728750.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Could you please clarify what the storage permission is needed for? Thanks in advance!

Oh, and that DEPENDENCY_INFO_BLOCK is easy to get rid of:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.
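To see what the scanner is actually reporting, here is a small added check (my own example, not part of this issue or of the app's build) that walks the APK Signing Block and lists the IDs it carries, so a maintainer can confirm the 0x504b4453 block is gone after the Gradle change. It assumes only the documented block layout (an id/value sequence sitting directly before the ZIP central directory, terminated by a size field and the magic "APK Sig Block 42"); the sample APK it builds is a constructed stand-in, not a real app.

```python
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
DEPENDENCY_INFO_BLOCK_ID = 0x504B4453  # the block the scanner flagged (Google's encrypted dependency metadata)
V2_SIGNATURE_BLOCK_ID = 0x7109871A     # APK Signature Scheme v2 block, used here only for contrast

def find_eocd(data: bytes) -> int:
    """Offset of the ZIP end-of-central-directory record (scans back over a possible archive comment)."""
    idx = data.rfind(b"PK\x05\x06", max(0, len(data) - 22 - 0xFFFF))
    if idx < 0:
        raise ValueError("not a ZIP/APK: no end-of-central-directory record")
    return idx

def signing_block_ids(data: bytes) -> dict:
    """Map each ID in the APK Signing Block to its value length; {} if the APK has no such block."""
    eocd = find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    # The block sits right before the central directory and ends with <size:u64><magic:16 bytes>.
    if cd_offset < 24 or data[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return {}
    size = struct.unpack_from("<Q", data, cd_offset - 24)[0]  # excludes the leading size field itself
    block_start = cd_offset - size - 8
    if block_start < 0 or struct.unpack_from("<Q", data, block_start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    ids, pos, end = {}, block_start + 8, cd_offset - 24
    while pos < end:  # sequence of <len:u64><id:u32><value:len-4 bytes>
        pair_len = struct.unpack_from("<Q", data, pos)[0]
        block_id = struct.unpack_from("<I", data, pos + 8)[0]
        ids[block_id] = pair_len - 4
        pos += 8 + pair_len
    return ids

def has_dependency_info_block(data: bytes) -> bool:
    return DEPENDENCY_INFO_BLOCK_ID in signing_block_ids(data)

def build_sample_apk(pairs) -> bytes:
    """Constructed test input: a tiny ZIP with a synthetic signing block spliced in before the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"placeholder, not a real manifest")
    data = buf.getvalue()
    eocd = find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    patched = bytearray(data[:cd_offset] + block + data[cd_offset:])
    struct.pack_into("<I", patched, eocd + len(block) + 16, cd_offset + len(block))  # fix the CD offset in the EOCD
    return bytes(patched)
```

On a real APK, `has_dependency_info_block(open(path, "rb").read())` should turn False once `includeInApk = false` is in effect.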

@DocMarty84
Owner

Hello,
READ_EXTERNAL_STORAGE is used for saving documents in the regular 'Download' folder of your device. You can deny the permission so that the files will be saved in Android/data/be.martinelli.miniflutt instead.

Thanks for letting me know about the DEPENDENCY_INFO_BLOCK, I'll have a look into this ASAP.

@IzzySoft
Author

READ_EXTERNAL_STORAGE is used for saving documents in the regular 'Download' folder of your device.

Thanks! And you didn't notice any problems with that on Android 13? Should you, the cause might be that you do not request MANAGE_EXTERNAL_STORAGE as well, which IMHO is the only way to access that specific directory on Android 13+.

    android.permission.READ_EXTERNAL_STORAGE: needed to access downloaded documents
    android.permission.WRITE_EXTERNAL_STORAGE: needed to store downloaded documents

Thanks for letting me know about the DEPENDENCY_INFO_BLOCK, I'll have a look into this ASAP.

Thanks a lot!

@DocMarty84
Owner

Can you please clarify which scanner you are using? I mostly found 2 of your issues reported elsewhere regarding DEPENDENCY_INFO_BLOCK [1] [2], but that doesn't seem to be a problem. Reading the Google documentation about this [3], I'd even consider this as a best practice for publishing on Google Play. I would not be surprised if Google would enforce it at some point in the future.

Footnotes

  1. https://github.com/TheHCJ/Quacker/issues/7

  2. https://codeberg.org/y20k/transistor/issues/499

  3. https://support.google.com/googleplay/android-developer/answer/10358880

DocMarty84 added a commit that referenced this issue May 4, 2024
It is necessary in combination with READ/WRITE on Android 13+.

Related to #37
@IzzySoft
Author

Can you please clarify which scanner you are using?

Sure. It's my own scanner, as described in Identify modules in apps. The scanner is available as FOSS, and used by several projects – see e.g. here.

but that doesn't seem to be a problem. Reading the Google documentation about this

That was the company stating they don't collect your location data when you've opted out, and that still gets caught year after year doing exactly that, right? Google can read what that blob really contains, as they have the private key to decrypt it. Nobody else can. So it's a proprietary blob, and we're talking FOSS here.

You can keep it with the AABs you upload to PlayStore, but preferably should keep it out of the APKs provided here and via IzzyOnDroid.
