Description
Thanks for the new-year-present of the new release! As meanwhile the scanners at IzzyOnDroid (where your app is listed – be welcome to pick a badge to link there e.g. from your Readme) got several "lifts" (see e.g. Ramping up security: additional APK checks are in place with the IzzyOnDroid repo), they reported on the new version:
! repo/com.dan.simplerawcamera_15.apk declares sensitive permission(s):
android.permission.READ_EXTERNAL_STORAGE android.permission.CAMERA
android.permission.ACCESS_FINE_LOCATION
! repo/com.dan.simplerawcamera_15.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)
While CAMERA of course is clear (went straight to the app's "green list", so it won't be reported anymore with future releases), and ACCESS_FINE_LOCATION most likely is to store the current location with Exif information in the image (right?) – I guess storage permission is needed to store the resulting photos, correct? READ always comes when WRITE is requested (which it is).
Concerning DEPENDENCY_INFO_BLOCK, this can easily be avoided with a small addition to your build.gradle:
android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}
For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.
That said, I was checking if your app can be confirmed as Reproducible Build (see: Reproducible Builds, special client support and more at IzzyOnDroid). Do you really still use Gradle 6.5 and a JDK < 17?
Welcome to Gradle 6.5!
Here are the highlights of this release:
- Experimental file-system watching
- Improved version ordering
- New samples
For more details see https://docs.gradle.org/6.5/release-notes.html
Starting a Gradle Daemon (subsequent builds will be faster)
FAILURE: Build failed with an exception.
* Where:
Settings file '/build/repo/settings.gradle'
* What went wrong:
Could not compile settings file '/build/repo/settings.gradle'.
> startup failed:
General error during semantic analysis: Unsupported class file major version 61
I've tried with a newer Gradle version (which supports JDK-17), but that failed as well:
FAILURE: Build failed with an exception.
* What went wrong:
Could not determine the dependencies of task ':app:compileReleaseJavaWithJavac'.
> Could not create task ':app:dataBindingGenBaseClassesRelease'.
> Cannot use @TaskAction annotation on method DataBindingGenBaseClassesTask.writeBaseClasses() because interface org.gradle.api.tasks.incremental.IncrementalTaskInputs is not a valid parameter to an action method.
* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.
> Get more help at https://help.gradle.org.
Deprecated Gradle features were used in this build, making it incompatible with Gradle 9.0.
OK, going with your definition of Gradle 6.5 and OpenJDK-11 seems to work, and gets pretty close to being RB. There are only some small differences in classes.dex (see the HTML in diffoscope.zip). Could be caused by some ordering issue, or by building from a "dirty tree" (i.e. local changes after the commit, remaining artifacts from a prior build). Do you have any idea what might cause it and how to fix this – and are you interested in having your app established as RB? You can also find some help on this with our hints on reproducible builds.
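The DEPENDENCY_INFO_BLOCK finding above (ID 0x504b4453 inside the APK Signing Block) can be reproduced locally before upload. The following is an added example, not code from this issue or from the app: it walks the ID-value pairs of an APK Signing Block (layout per the public APK Signature Scheme v2 format: size, pairs, size, magic, placed just before the ZIP central directory) and reports whether the blob is present. The sample APK it builds is constructed test data with a fake signer value, not a real signed APK.

```python
import io
import struct
import zipfile

SIG_BLOCK_MAGIC = b"APK Sig Block 42"
DEPENDENCY_INFO_BLOCK_ID = 0x504B4453  # the blob ID the IzzyOnDroid scanner reported


def central_directory_offset(data: bytes) -> int:
    """Find the ZIP end-of-central-directory record and read the CD start offset from it."""
    eocd = data.rfind(b"PK\x05\x06", max(0, len(data) - 22 - 0xFFFF))  # EOCD + max comment
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a ZIP/APK")
    return struct.unpack_from("<I", data, eocd + 16)[0]


def parse_apk_signing_block(data: bytes) -> dict[int, bytes]:
    """Return {id: value} for each ID-value pair in the APK Signing Block, or {} if none."""
    cd = central_directory_offset(data)
    if cd < 32 or data[cd - 16:cd] != SIG_BLOCK_MAGIC:
        return {}
    (size,) = struct.unpack_from("<Q", data, cd - 24)  # excludes the leading size field
    start = cd - size - 8
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("malformed signing block: size fields disagree or exceed file")
    pairs, pos, end = {}, start + 8, cd - 24
    while pos < end:
        pair_len, block_id = struct.unpack_from("<QI", data, pos)
        if pair_len < 4 or pos + 8 + pair_len > end:
            raise ValueError("malformed signing block: bad pair length")
        pairs[block_id] = data[pos + 12:pos + 8 + pair_len]
        pos += 8 + pair_len
    return pairs


def has_dependency_info_block(data: bytes) -> bool:
    return DEPENDENCY_INFO_BLOCK_ID in parse_apk_signing_block(data)


def build_sample_apk(include_dependency_info: bool) -> bytes:
    """Constructed test input: a tiny ZIP with a synthetic signing block (not a real signed APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")
    raw = buf.getvalue()
    cd = central_directory_offset(raw)
    pairs = [(0x7109871A, b"fake v2 signer")]  # 0x7109871A: APK Signature Scheme v2 block ID
    if include_dependency_info:
        pairs.append((DEPENDENCY_INFO_BLOCK_ID, b"opaque blob only Google can decrypt"))
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16  # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
    out = bytearray(raw[:cd] + block + raw[cd:])
    eocd = raw.rfind(b"PK\x05\x06") + len(block)  # EOCD moved by the inserted block
    struct.pack_into("<I", out, eocd + 16, cd + len(block))  # re-point CD offset past the block
    return bytes(out)
```

To check a real build, pass the bytes of the APK file to `has_dependency_info_block`; after the `dependenciesInfo` change above the 0x504b4453 pair should no longer appear.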