cleartext traffic

[IzzySoft]

Just wondering over what my scanner reported:

! repo/top.donmor.tiddloidlite_10.apk declares flag(s): usesCleartextTraffic
! repo/top.donmor.tiddloidlite_10.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

What cleartext connections are used by the app? The DEPENDENCY_INFO_BLOCK can easily be avoided btw:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

Thanks in advance!

[donmor]

The usesCleartextTraffic is there before Lite is forked from Tiddloid. It was added to support non-SSL connections(HTTP) in LAN. It may be removed someday since it is not necessary for Lite to make non-SSL connections.

As for DEPENDENCY_INFO_BLOCK, yeah I'd get rid of it somehow. P.S.: It's not clear if F-Droid builds have this🤔

[IzzySoft]

• usesCleartextTraffic: if it's not needed it's of course better removed. If it's still needed/used for LAN only, I can add that as exception, please let me know then. Err, I've just added that now – should you remove it my scanner will let me know.
• DEPENDENCY_INFO_BLOCK: thanks! And F-Droid.org will have that with reproducible builds, but only if you have it – as with RB they'd ship your build. But we're talking about my repo here, which always takes your APKs 😉

I'll leave this issue open in case you need it for tracking usesCleartextTraffic – feel free to close if/when you don't (anymore).