build.gradle: set android.dependenciesInfo.includeInApk = false #3069

Open
wants to merge 1 commit into base: develop
Conversation

SomberNight
Contributor

This was requested by f-droid devs to publish an app.
ref https://gitlab.com/fdroid/fdroiddata/-/merge_requests/15858#note_2150822234

see https://android.izzysoft.de/articles/named/iod-scan-apkchecks#blobs

> BLOBs in APK signing blocks
> APK signing blocks are where signing details are stored in.
> [...]
> DEPENDENCY_INFO_BLOCK: This is supposed to be a binary representation of build dependencies inserted by Google itself, or also by Android Studio and IntelliJ IDEA (plus probably also some other development tools), when an APK is being signed. But it is also encrypted using a public key owned by Google, so one cannot really verify what else might have been placed there. This means when found (which is very often) I reach out to the corresponding developers, suggesting them to use apksigner for signing instead, which does not add this block – or to make sure Android Studio resp. IntelliJ IDEA will not include them (see below). Apkverifier includes a short comment in its code, a.o. „The data is compressed, encrypted by a Google Play signing key...“ (source)
> So this in essence is a „blob“ without transparency. As it’s encrypted using a Google Play public key, it cannot be decrypted without the corresponding private key – so except for Google, no one can say for sure which other bits might have been added along.
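The setting this PR adds (`android { dependenciesInfo { includeInApk = false } }` in the Android Gradle Plugin DSL) stops AGP from writing the encrypted dependency-metadata pair into the APK Signing Block. A reviewer or F-Droid maintainer will want to confirm that on the built artifact rather than trust the build script, so below is a small checker for the block. It is an added example written for this discussion, not code from the PR, from Electrum, or from IzzyOnDroid's apkchecks: it walks from the ZIP end-of-central-directory record to the "APK Sig Block 42" footer, parses the uint64-length-prefixed ID/value pairs, and reports whether the Play dependency-metadata ID (0x504b4453, the block apkverifier calls DEPENDENCY_INFO_BLOCK) is present. The `build_signing_block` / `build_fake_apk` helpers only produce constructed test data (placeholder ZIP entries, no real signature), so the script runs offline; the values they embed are not from any real APK.

```python
import struct
import sys

# Well-known APK Signing Block pair IDs (from the Android apksig sources).
APK_SIGNATURE_SCHEME_V2_BLOCK_ID = 0x7109871A
APK_SIGNATURE_SCHEME_V3_BLOCK_ID = 0xF05368C0
VERITY_PADDING_BLOCK_ID = 0x42726577
DEPENDENCY_INFO_BLOCK_ID = 0x504B4453   # Google Play dependency metadata (opaque, encrypted)

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = 0x06054B50

KNOWN_IDS = {
    APK_SIGNATURE_SCHEME_V2_BLOCK_ID: "APK Signature Scheme v2",
    APK_SIGNATURE_SCHEME_V3_BLOCK_ID: "APK Signature Scheme v3",
    VERITY_PADDING_BLOCK_ID: "verity padding",
    DEPENDENCY_INFO_BLOCK_ID: "DEPENDENCY_INFO_BLOCK (Play dependency metadata)",
}


def build_signing_block(pairs):
    """Serialise (id, value) pairs into an APK Signing Block. Test-data helper only.

    Layout: size(u64, excludes itself) | pairs | size(u64) | 16-byte magic,
    each pair being len(u64) | id(u32) | value, with len covering id + value.
    """
    body = b"".join(struct.pack("<QI", 4 + len(value), block_id) + value
                    for block_id, value in pairs)
    size = len(body) + 8 + 16
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC


def build_fake_apk(signing_block):
    """Constructed ZIP-shaped container: placeholder entries, signing block,
    placeholder central directory and a real EOCD pointing at that directory.
    Not a valid APK; it only exercises the offset arithmetic."""
    local_entries = b"PK\x03\x04" + b"\x00" * 28
    central_dir = b"PK\x01\x02" + b"\x00" * 42
    cd_offset = len(local_entries) + len(signing_block)
    eocd = struct.pack("<IHHHHIIH", EOCD_SIGNATURE, 0, 0, 1, 1,
                       len(central_dir), cd_offset, 0)
    return local_entries + signing_block + central_dir + eocd


def parse_signing_block(apk):
    """Return {block_id: value} for the APK Signing Block, or raise ValueError."""
    eocd_pos = apk.rfind(struct.pack("<I", EOCD_SIGNATURE))
    if eocd_pos < 0 or len(apk) - eocd_pos < 22:
        raise ValueError("no end-of-central-directory record")
    cd_offset = struct.unpack_from("<I", apk, eocd_pos + 16)[0]
    # The signing block sits immediately before the central directory and
    # ends with size(u64) + magic, so the magic is the 16 bytes before cd_offset.
    if cd_offset < 24 or apk[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        raise ValueError("no APK Signing Block before the central directory")
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
    start = cd_offset - size - 8
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("leading and trailing size fields disagree")
    blocks = {}
    pos, end = start + 8, cd_offset - 24
    while pos < end:
        pair_len = struct.unpack_from("<Q", apk, pos)[0]
        if pair_len < 4 or pos + 8 + pair_len > end:
            raise ValueError("malformed ID-value pair")
        block_id = struct.unpack_from("<I", apk, pos + 8)[0]
        blocks[block_id] = apk[pos + 12:pos + 8 + pair_len]
        pos += 8 + pair_len
    return blocks


def has_dependency_info_block(apk):
    """True if the APK carries the opaque Play dependency-metadata pair."""
    return DEPENDENCY_INFO_BLOCK_ID in parse_signing_block(apk)


if __name__ == "__main__":
    # Usage: python apk_sig_blocks.py app-release.apk
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    for block_id, value in parse_signing_block(data).items():
        name = KNOWN_IDS.get(block_id, "unknown")
        print(f"0x{block_id:08x}  {len(value):8d} bytes  {name}")
    print("DEPENDENCY_INFO_BLOCK present:", has_dependency_info_block(data))
```

Run it against the APK produced before and after the Gradle change; the 0x504b4453 line should disappear while the v2/v3 signature pairs remain. The parser deliberately rejects a file whose two size fields disagree or whose pair lengths overrun the block, since a tool that silently skips malformed pairs is exactly what would let an extra, unexpected pair go unnoticed.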