My scanner received a few additional checks in January, and on today's update reported:

! repo/deltazero.amarok.foss_76.apk declares sensitive permission(s):
 android.permission.READ_EXTERNAL_STORAGE android.permission.MANAGE_EXTERNAL_STORAGE
 android.permission.QUERY_ALL_PACKAGES android.permission.SYSTEM_ALERT_WINDOW

While I was able to "assign" most of those permissions to their corresponding usage, I couldn't see what SYSTEM_ALERT_WINDOW is needed for. Could you please clarify?

As for that DEPENDENCY_INFO_BLOCK, that's easy to get rid of:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

Hi @IzzySoft 👏

I couldn't see what SYSTEM_ALERT_WINDOW is needed for. Could you please clarify?

SYSTEM_ALERT_WINDOW enables the display of a system-wide panic button.

We request this permission at runtime through a dialog that explains the need for it. And definitely, it's optional - the permission can be bypassed if the panic button isn't enabled.

As for that DEPENDENCY_INFO_BLOCK, that's easy to get rid of

Sure! I'll add the code snippet in the upcoming release.

Thanks! Added SYSTEM_ALERT_WINDOW to the allow-list as well then, accompanied by your explanation, effective immediately if you want to check for yourself 😉

I'll add the code snippet in the upcoming release.

Thanks!

LGTM! Closing the issue now.