Question on permissions

[IzzySoft]

Your current release passed my scanner yesterday, which reported:

! repo/com.aritra.notify_15.apk declares sensitive permission(s):
   android.permission.CAMERA
   android.permission.RECORD_AUDIO
   android.permission.READ_EXTERNAL_STORAGE

I could find no hint in the app description helping me to answer the question what those permissions might be needed for. Could you please clarify? Thanks in advance!

Moreover, the updater rejected your APK:

2024-06-21 19:36:02,284 WARNING: repo/com.aritra.notify_15.apk: debuggable or testOnly set in AndroidManifest.xml
2024-06-21 19:37:55,350 WARNING: "com.aritra.notify_15.apk" is signed by a key that is not allowed:
57fe4ea74c39c230863d11cb5a3368532fd170dc56a65712a80e40423f31f429

APKs intended for distribution should have neither the debuggable nor the testOnly flag set. Further, the signing key doesn't match the one from prior releases – so updates are impossible. Could it be you accidentally added the wrong APK – one you intended for internal testing? Taking a closer look seems to suggest that:

Number of signers: 1
Signer #1 certificate DN: C=US, O=Android, CN=Android Debug
Signer #1 certificate SHA-256 digest: 57fe4ea74c39c230863d11cb5a3368532fd170dc56a65712a80e40423f31f429
Signer #1 certificate SHA-1 digest: 92b643549a4b01d3e7313a92f09299c8b16d5942
Signer #1 certificate MD5 digest: 167de684c7f298c88fb00955cfc38b04
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048

And a last thing, while I'm here:

This Blob can easily be avoided with a tiny adjustment in your build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

Thanks in advance for your help!

PS: As the current APK is not suitable but still would be fetched on each update run, I've disabled updates for your app until this issue was solved. Will of course re-enable once the proper APK is available. Thanks for understanding!

[IzzySoft]

Any word? There will be no updates available before this is solved, @aritra-tech

PS: I have disabled updates for this app entirely now, so I won't get any reminders unless you answer here.

[aritra-tech]

Hey sorry, @IzzySoft didn't get the time to look into it.
I will look into this issue.

[IzzySoft]

didn't get the time to look into it.

yeah, time's a bitch… and no personal grudge there, I know that feeling (have some such issues here as well – luckily no "show-stoppers"). My "pressing" is just as it's a technical necessity.

I will look into this issue.

Thanks! Just give me a ping please then, as I do no longer get "reminders" when the still unchanged update was pulled once a month due to updates being disabled entirely now.

The main thing would be the signing. That solved, I could re-enable updates and those permissions would just be shown as warnings until solved/explained. So assuming you still can access your signing key (and having used the debug one was just an accident), if you could take those 5..10 minutes to re-sign and re-attach the APK, we'd be a big step forwards – and those permissions could be addressed separately (luckily there's no "crucial one" involved 😉).

[IzzySoft]

@aritra-tech any chance? Besides, I also wonder about the APK size having increased by factor 6 – or is that just debug stuff?

[IzzySoft]

@aritra-tech the APK at v1.10.3 is still a debug build. Further, it now seems to have a self-updater integrated, which is clearly against the IzzyOnDroid App Inclusion Policy.

Update checks at IzzyOnDroid have now been disabled since 2024-07-07, and I still see no chance to re-enable them. This all sums up quite heavily¹, and as it does not look like any solution is to be expected, we'll have to consider removing Notify from IzzyOnDroid. I'll set a due-date for that now. Should we not have found a solution until 2025-03-15, we'll have to remove Notify from IzzyOnDroid.

---

¹ _{proprietary libraries (GMS, Google Play Core, Play In-App Updates Library); self-updater (or what is Play In-App Updates Library used for?), debug build (debuggable flag is set), size increase, unexplained permissions (CAMERA, RECORD_AUDIO, storage) – and questions on all this being ignored.}

[IzzySoft]

@aritra-tech size is back to ~3 MB I see, and the self-updater gone again – but the signing key no longer matches. Current one:

Signer #1 certificate DN: C=560029, ST=Karnataka, L=Bengaluru, CN=Aritra Das
Signer #1 certificate SHA-256 digest: 84d01ce9670c142f23cb7ac5b8e02eddb31be03c2ff5dd20173b29ce0d0b1f9a
Signer #1 certificate SHA-1 digest: 4af1150e7a0e8941f0931dfd2c933b0a35da1bc3
Signer #1 certificate MD5 digest: 58df473d296ede4024a8f3fbb09e0603
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048

until 1.8.3:

Signer #1 certificate DN: C=91, ST=West Bengal, L=Kolkata, CN=Aritra Das
Signer #1 certificate SHA-256 digest: 6b998202ca7ca7bf6376a70749c1cae6e07a2f34915eae9aea4fcd03c3c34555
Signer #1 certificate SHA-1 digest: d2cb4c287620894597f87efcd41c2330f5a37e25
Signer #1 certificate MD5 digest: dd8eba2a6b32170de31903de9fd03e6a
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048

We will remove Notify now, as outlined before. Makes no sense to wait for an answer that never comes. Sad.