First, cool to see another update! Our scanners reported on it:
! repo/org.kochka.android.weightlogger_33.apk declares sensitive permission(s): android.permission.READ_EXTERNAL_STORAGE
! repo/org.kochka.android.weightlogger_33.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)
I assume the former is for the CSV export, together with the WRITE permission (and with the minimum supported Android version lifted from 4 to 5 now, you might consider taking a look at the Storage Access Framework (SAF) to substitute that and be able to drop the storage permissions). As for DEPENDENCY_INFO_BLOCK, this can be easily avoided with a minor addition to your build.gradle:
android {
dependenciesInfo {
// Disables dependency metadata when building APKs.
includeInApk = false
// Disables dependency metadata when building Android App Bundles.
includeInBundle = false
}
}For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.
That said: congratulations, I was just able to confirm the latest version as Reproducible Build (for some background, see e.g. Reproducible Builds, special client support and more at IzzyOnDroid) 🥳 So with the next sync, the "green shield" will be up.
First, cool to see another update! Our scanners reported on it:
I assume the former is for the CSV export, together with the WRITE permission (and with the minimum supported Android version lifted from 4 to 5 now, you might consider taking a look at the Storage Access Framework (SAF) to substitute that and be able to drop the storage permissions). As for
DEPENDENCY_INFO_BLOCK, this can be easily avoided with a minor addition to yourbuild.gradle:For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.
That said: congratulations, I was just able to confirm the latest version as Reproducible Build (for some background, see e.g. Reproducible Builds, special client support and more at IzzyOnDroid) 🥳 So with the next sync, the "green shield" will be up.