Questions on permissions

[IzzySoft]

I see your app was removed from F-Droid, so I'm about to add it back to my repo. My scanner however reported:

! repo/ml.docilealligator.infinityforreddit_160.apk declares flag(s): usesCleartextTraffic
! repo/ml.docilealligator.infinityforreddit_160.apk declares sensitive permission(s): android.permission.READ_EXTERNAL_STORAGE*
! repo/ml.docilealligator.infinityforreddit_160.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

and also

Offending libs:
---------------
* BillingClient (/com/android/billingclient): NonFreeComp,NonFreeNet
* Firebase Data Transport (/com/google/android/datatransport): NonFreeNet

2 offenders.

Can you please clarify…

• what insecure connections are used (usesCleartextTraffic)
• what storage access permissions are needed for
• if the BillingClient and Firebase are really needed for functionality, or if you could provide e.g. the APK of a build flavor without those?

As for DEPENDENCY_INFO_BLOCK, this is easy to avoid:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

Thanks in advance!

[Docile-Alligator]

Could you add the Patreon version to your repo? The Google Play version has the billing library because it requires a monthly subscription, while the Patreon version only uses the API from Patreon to check the subscription status.

I remember most of the clear text traffic was from imgur before.

I think it doesn't need storage permissions on the Android version > Q, while a read/write permission is needed on older versions.

[IzzySoft]

Switched to the Patreon version as requested:

! repo/ml.docilealligator.infinityforreddit.patreon_161.apk declares flag(s): usesCleartextTraffic
! repo/ml.docilealligator.infinityforreddit.patreon_161.apk declares sensitive permission(s): android.permission.READ_EXTERNAL_STORAGE*
! repo/ml.docilealligator.infinityforreddit.patreon_161.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Confirm BillingClient & Firebase gone, so NonFreeComp was dropped. NonFreeNet remains due to Reddit, naturally.

I remember most of the clear text traffic was from imgur before.

Can you please check if it's still needed – and if so, let me know what for; and if not, remove it?

while a read/write permission is needed on older versions.

What for? Maybe posting screenshots or attaching other (local) files to some Reddit post? In the list of features I see "Submit posts (text, link, image and video)", which would match that: *_EXTERNAL_STORAGE up to ~Android 10/11, then *_MEDIA_IMAGES resp. _VIDEO to access the media directories. But you do not request the latter, so I'm a bit confused. WRITE_* (for downloaded media) can go to other places via SAF, but READ_*?

[IzzySoft]

@Docile-Alligator any news on the permissions and the DEPENDENCY_INFO_BLOCK? Today's update again threw the warnings.

[Docile-Alligator]

Ah sorry for the late reply. I couldn't quite remember what the read permission is for. I can only see android.permission.WRITE_EXTERNAL_STORAGE in the manifest and it's for downloading media. The clear text traffic thing probably needs more testing. Is adding an android:networkSecurityConfig in manifest ok?
I will try disabling dependency info block in the next patreon release.

[IzzySoft]

I can only see android.permission.WRITE_EXTERNAL_STORAGE in the manifest and it's for downloading media.

And the trailing * at the corresponding READ permission indicates it was granted implicitly because of that. So:

android.permission.WRITE_EXTERNAL_STORAGE: needed to store downloaded content/media
android.permission.READ_EXTERNAL_STORAGE: implicitly granted by Android as WRITE_EXTERNAL_STORAGE was requested

Though I wonder, as your minSdk points to Android 5, if you really need that broad access? If it's for caching, shouldn't the content go to the app's own space? And if it's intended to allow exports, wouldn't SAF (StorageAccessFramework) be the better approach?

The clear text traffic thing probably needs more testing. Is adding an android:networkSecurityConfig in manifest ok?

Sure, that would be the direction to go if you need the cleartextTraffic for something specific and want to nail it to that. Always better than being overly broad.

I will try disabling dependency info block in the next patreon release.

Thanks!

[IzzySoft]

usesCleartextTraffic is still reported. Any news on that?

[Docile-Alligator]

Will be removed on the upcoming v7.2.5 release.