Question on permissions #79

Open
IzzySoft opened this issue Mar 30, 2024 · 2 comments

@IzzySoft

My scanner just reported on your latest release:

```
! repo/com.tomfong.simpleqr_4010000.apk declares sensitive permission(s):
  android.permission.READ_MEDIA_IMAGES android.permission.READ_EXTERNAL_STORAGE
  android.permission.READ_CONTACTS android.permission.WRITE_CONTACTS android.permission.CAMERA
! repo/com.tomfong.simpleqr_4010000.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)
```

Could you please clarify what those permissions are needed for? Camera is clear (QR code scanning). Storage read access also, thanks to the app description (import QR codes from images). I assume read/write contacts is to create/import QR codes with contact information?

As for the DEPENDENCY_INFO_BLOCK, that can easily be avoided:

```groovy
android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}
```

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

Thanks in advance!
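To see what the scanner line above is actually reporting, here is an added example (not IzzySoft's scanner and not part of this project) that walks the APK Signing Block, which sits immediately before the ZIP central directory, and lists the block IDs it finds; it assumes the v2 signature ID 0x7109871a alongside the 0x504b4453 DEPENDENCY_INFO_BLOCK ID from the report, and builds a constructed sample APK in memory so it runs offline.

```python
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
KNOWN_IDS = {
    0x7109871A: "APK_SIGNATURE_SCHEME_V2",   # assumed well-known ID, not from the report
    0x504B4453: "DEPENDENCY_INFO_BLOCK",     # the Google-encrypted blob flagged above
}

def _eocd_cd_offset(apk: bytes):
    """Return (position of End Of Central Directory record, central directory offset)."""
    eocd = apk.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no End Of Central Directory record")
    return eocd, struct.unpack_from("<I", apk, eocd + 16)[0]

def signing_block_ids(apk: bytes) -> dict:
    """Map block ID -> raw value for each ID-value pair in the APK Signing Block; {} if absent."""
    _, cd_off = _eocd_cd_offset(apk)
    if cd_off < 32 or apk[cd_off - 16:cd_off] != APK_SIG_BLOCK_MAGIC:
        return {}
    size = struct.unpack_from("<Q", apk, cd_off - 24)[0]  # size_of_block, excludes leading uint64
    start = cd_off - size - 8
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    pos, end, ids = start + 8, cd_off - 24, {}
    while pos < end:  # each pair: uint64 length (excluding itself), uint32 ID, value
        pair_len, block_id = struct.unpack_from("<QI", apk, pos)
        ids[block_id] = apk[pos + 12:pos + 8 + pair_len]
        pos += 8 + pair_len
    return ids

def build_sample_apk(pairs) -> bytes:
    """Constructed input: a minimal ZIP with a signing block spliced in before the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder, not a real manifest
    zipped = buf.getvalue()
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    eocd, cd_off = _eocd_cd_offset(zipped)
    patched_eocd = zipped[eocd:eocd + 16] + struct.pack("<I", cd_off + len(block)) + zipped[eocd + 20:]
    return zipped[:cd_off] + block + zipped[cd_off:eocd] + patched_eocd

def report(apk: bytes) -> list:
    return [f"0x{i:08x} ({KNOWN_IDS.get(i, 'unknown')}, {len(v)} bytes)" for i, v in signing_block_ids(apk).items()]

if __name__ == "__main__":
    sample = build_sample_apk([(0x7109871A, b"\x00" * 8), (0x504B4453, b"opaque-metadata")])
    print("\n".join(report(sample)))
```

Pointing `signing_block_ids` at a real APK read as bytes is enough to confirm whether the `includeInApk = false` setting took effect: a rebuilt APK should no longer list 0x504b4453.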

tomfong commented Mar 31, 2024

For permissions, the purposes stated by you are all correct.

For BLOB, one of the dependencies supports reading BLOB value after update, but the app doesn't use the function.

IzzySoft commented Apr 4, 2024

> For permissions, the purposes stated by you are all correct.

Thanks! Updated that on my end then:

[image]

> For BLOB, one of the dependencies supports reading BLOB value after update, but the app doesn't use the function.

May I then ask you to exclude it at least for the APK? As only Google can decode that BLOB, it's not useful in the FOSS ecosystem anyway.
