Skip to content

build.gradle: set android.dependenciesInfo.includeInApk = false#3069

Open
SomberNight wants to merge 1 commit intokivy:developfrom
SomberNight:202410_gradle_dependency_info_block
Open

build.gradle: set android.dependenciesInfo.includeInApk = false#3069
SomberNight wants to merge 1 commit intokivy:developfrom
SomberNight:202410_gradle_dependency_info_block

Conversation

@SomberNight
Copy link
Contributor

@SomberNight SomberNight commented Oct 10, 2024

This was requested by f-droid devs to publish an app.
ref https://gitlab.com/fdroid/fdroiddata/-/merge_requests/15858#note_2150822234

see https://android.izzysoft.de/articles/named/iod-scan-apkchecks#blobs

BLOBs in APK signing blocks
APK signing blocks are where signing details are stored in.
[...]
DEPENDENCY_INFO_BLOCK: This is supposed to be a binary representation of build dependencies inserted by Google itself, or also by Android Studio and IntelliJ IDEA (plus probably also some other development tools), when an APK is being signed. But it is also encrypted using a public key owned by Google, so one cannot really verify what else might have been placed there. This means when found (which is very often) I reach out to the corresponding developers, suggesting them to use apksigner for signing instead, which does not add this block – or to make sure Android Studio resp. IntelliJ IDEA will not include them (see below). Apkverifier includes a short comment in its code, a.o. „The data is compressed, encrypted by a Google Play signing key...“ (source)
So this in essence is a „blob“ without transparency. As it’s encrypted using a Google Play public key, it cannot be decrypted without the corresponding private key – so except for Google, no one can say for sure which other bits might have been added along.

@SomberNight
build.gradle: set android.dependenciesInfo.includeInApk = false
a1e5710 
This was requested by f-droid devs to publish an app.
ref https://gitlab.com/fdroid/fdroiddata/-/merge_requests/15858#note_2150822234

-

see https://android.izzysoft.de/articles/named/iod-scan-apkchecks#blobs

> BLOBs in APK signing blocks
> APK signing blocks are where signing details are stored in.
> [...]
> DEPENDENCY_INFO_BLOCK: This is supposed to be a binary representation of build dependencies inserted by Google itself, or also by Android Studio and IntelliJ IDEA (plus probably also some other development tools), when an APK is being signed. But it is also encrypted using a public key owned by Google, so one cannot really verify what else might have been placed there. This means when found (which is very often) I reach out to the corresponding developers, suggesting them to use apksigner for signing instead, which does not add this block – or to make sure Android Studio resp. IntelliJ IDEA will not include them (see below). Apkverifier includes a short comment in its code, a.o. „The data is compressed, encrypted by a Google Play signing key...“ (source)
> So this in essence is a „blob“ without transparency. As it’s encrypted using a Google Play public key, it cannot be decrypted without the corresponding private key – so except for Google, no one can say for sure which other bits might have been added along.
@SomberNight SomberNight mentioned this pull request Oct 10, 2024
Closed
@kuzeyron kuzeyron added the core-providers Core code that's not a recipe label Apr 15, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

core-providers Core code that's not a recipe

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@SomberNight @kuzeyron