proprietary components were added

[IzzySoft]

The latest release contains libraries from Google Mobile Services, which are proprietary. They most likely sneaked in as dependency to one of the newly added libraries, so you might wish to investigate and getting rid of this again.

[IzzySoft]

Guess this can be closed as solved, thanks! But while I'm here, our scanners also report 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE) – a binary lob (blob) which can easily be avoided with a minor addition to your build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

(should Google insist on it, just keep it for the AAB which you upload there; we are more concerned for the APK here. Btw, be welcome to pick a badge to link to your app at IzzyOnDroid (where it is available for 5 years already) e.g. from your Readme 😃)