v2.2.4 added proprietary components

[IzzySoft]

v2.2.4 suddenly comes with Google Mobile Services and Google Play Core – rendering your app at least partially non-FOSS. Was that intended, or were they dragged in by some dependency? I tried to check that and took a look at your pubspec.yaml and android/app/build.gradle but couldn't find them mentioned there (however I found Firebase there, which would also be proprietary).

For now I've added the related anti-feature at IzzyOnDroid. But these two (and Firebase even more) are considered privacy issues – which do not go well with PII as usually found in a diary (you cannot control or even check what happens in those libraries as the source is not available – but being part of your app they have access to everything the app can access).

[SankethBK]

Hi @IzzySoft , I had replaced firebase with Appwrite and completely removed the google drive sync option. We haven't made any changes related to firebase in this release, I can see this entry implementation platform('com.google.firebase:firebase-bom:29.2.1') in android/app/build.gradle but it was there in earlier releases as well. I couldn't find firebase in pubspec.yaml, can you please share more details to resolve this.

If this implementation platform('com.google.firebase:firebase-bom:29.2.1') is causing the issue, i can create a new release without it.

[SankethBK]

I got it, we recently added in_app_review package, i guess that is causing the issue. I merged it to foss branch as well, i didn't think this would cause issue. I will create a new release without it today.

[IzzySoft]

Yepp, you found it! in_app_review needs Google Play Core, which in turn depends on GMS. If you could omit that from the FOSS branch that would be great… Oh, I see you already did that, thanks! 🤩

Apologies for me mixing things up there, I'm not that familiar with Flutter. Seems like I also looked at the wrong file: I didn't remember you were using branches for the different variants but assumed build flavors 🙈

[SankethBK]

Thanks for the help! I have created a new release by reverting this change

[IzzySoft]

Thanks! Just manually triggered an update to verify. Scanner reports

! repo/me.sankethbk.dairyapp_2021.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

That blob can easily be avoided by a minor addition to your build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

---

OK, meanwhile the update is through: success, thanks! The proprietary parts are gone, so anti-feature removed even before it went live. Congrats, that was speed dating fixing! 🤩

Leaving the issue open for "that other proprietary blob". Feel free to close once the fix for that was implemented 😉

[SankethBK]

Hi, thanks a lot! I'll be releasing another version by next week, I'll certainly remove it.

[SankethBK]

I have added this in new release 2.2.6

[IzzySoft]

Thanks! Confirming: DEPENDENCY_INFO_BLOCK is gone.

Seems we have everything covered now, right, so we can close the issue? Or did I miss something?

[SankethBK]

Yes, everything seems done!