Certificate issue #16

Open
IzzySoft opened this issue Feb 5, 2024 · 5 comments

Comments

@IzzySoft (Contributor) commented Feb 5, 2024

A scan (see here for details and background) just revealed the APKs at your releases are signed using a debug key. As that has security implications, may I ask you to please switch to a proper release key, and provide the corresponding APK signed with it? Thanks in advance!

@IzzySoft (Contributor, Author)

@TheAlphaApp any word?

@TheAlphaApp (Owner)

I'm currently swamped with tasks. However, I have plans to give this app a refresh. I'll delve into it and should have some updates for the app with a release key within a week. Thank you.

@IzzySoft (Contributor, Author)

Thanks a lot! And yeah, a widespread thing that with those swamps… A week is totally fine, even if it's "a good week" or so 😉

@TheAlphaApp (Owner)

I am pleased to announce the release of a new version, accompanied by a signed APK. I believe this update addresses the reported issue; however, if further action is required, please advise accordingly.

@IzzySoft (Contributor, Author)

Thanks! And that looks good:

$ iod repo get com.example.flutter_riverpod_todo_app
com.example.flutter_riverpod_todo_app: looking for 'https://api.github.com/repos/TheAlphaApp/flutter_riverpod_todo_app/releases'
com.example.flutter_riverpod_todo_app: checking tag 'v1.2.6'
com.example.flutter_riverpod_todo_app: lastRelNo set to '1.2.6', checking for files
com.example.flutter_riverpod_todo_app: Upstream file date (2024-02-29 20:34) is newer than ours (2022-05-31 09:43).
com.example.flutter_riverpod_todo_app: returning ['1.2.6','https://github.com/TheAlphaApp/flutter_riverpod_todo_app/releases/download/v1.2.6/app-armeabi-v7a-release.apk',1709235275]
com.example.flutter_riverpod_todo_app: 1.2.5/1.2.6, https://github.com/TheAlphaApp/flutter_riverpod_todo_app/releases: https://github.com/TheAlphaApp/flutter_riverpod_todo_app/releases/download/v1.2.6/app-armeabi-v7a-release.apk
- Grabbing update for com.example.flutter_riverpod_todo_app: OK
- Checking 'repo/com.example.flutter_riverpod_todo_app_1004.apk' for libraries and malware …
- Checking the app's AndroidManifest.xml …
! repo/com.example.flutter_riverpod_todo_app_1004.apk declares sensitive permission(s): android.permission.READ_EXTERNAL_STORAGE
! repo/com.example.flutter_riverpod_todo_app_1004.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)
com.example.flutter_riverpod_todo_app: check if repo contains FUNDING.yml
com.example.flutter_riverpod_todo_app: looking for 'https://api.github.com/repos/TheAlphaApp/flutter_riverpod_todo_app/contents/.github'
com.example.flutter_riverpod_todo_app: Github reports "Not Found" for https://api.github.com/repos/TheAlphaApp/flutter_riverpod_todo_app/contents/.github
com.example.flutter_riverpod_todo_app: looking for 'https://api.github.com/repos/TheAlphaApp/flutter_riverpod_todo_app/contents/'
com.example.flutter_riverpod_todo_app: looking for 'https://api.github.com/repos/TheAlphaApp/.github/contents/'
com.example.flutter_riverpod_todo_app: Github reports "Not Found" for https://api.github.com/repos/TheAlphaApp/.github/contents/
com.example.flutter_riverpod_todo_app: no FUNDING.yml detected.
com.example.flutter_riverpod_todo_app: no Fastlane configured, skipping Fastlane check.

Now let's look at the two lines with the exclamation marks: storage access is for export/import I guess. If it's just a single (or a few) file(s), maybe you could switch to using SAF (Storage Access Framework) instead? Then if one wants to export, Android's file picker would pop up to pick a location, which gives the app access to that. So no extra storage permissions required. Supported since Android 5, which would match your minSdk. For now I've put those two (read+write) to your app's allow list with the explanation they are needed for backup/restore, so no warnings will pop up anymore for these.

As for DEPENDENCY_INFO_BLOCK, that's easy to avoid:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.


I've pinned your new (release) certificate now and added a "release note" informing readers they have to uninstall and reinstall in order to upgrade from 1.2.5 and earlier. The older versions (signed with the debug key) will be removed in about a month, and then their signing key as well.


Oh, should you wonder about

no Fastlane configured, skipping Fastlane check.

please see my Fastlane Cheat Sheet. A useful thing: you have app description and graphics here in your repo so you can make sure they match the latest release – and my updater pulls them along when pulling a new release. If you want I can send you a PR with a starter kit with what is set up here currently. As for FUNDING.yml, should that be interesting for you: FUNDING.yml
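Added example (editor's note, not code from this thread or from the app's repository): a stdlib-only check that reproduces the "contains signature block blobs" warning above by walking the APK Signing Block and looking for ID 0x504b4453 (DEPENDENCY_INFO_BLOCK). It assumes the public APK Signing Block layout (uint64 size, ID-value pairs, uint64 size, 16-byte magic, placed just before the zip central directory) and uses 0x7109871a, the APK Signature Scheme v2 ID, for the constructed sample; the sample APK is synthetic and carries no real signature.

```python
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
DEPENDENCY_INFO_BLOCK_ID = 0x504B4453  # the ID the scan output above flagged

def find_eocd(data: bytes) -> int:
    pos = data.rfind(b"PK\x05\x06")  # zip end-of-central-directory signature
    if pos < 0:
        raise ValueError("not a zip/APK: no end-of-central-directory record")
    return pos

def signing_block_ids(data: bytes) -> dict:
    """Return {block_id: value_length} for each pair in the APK Signing Block, {} if none."""
    eocd = find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    if cd_offset < 24 or data[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return {}
    size = struct.unpack_from("<Q", data, cd_offset - 24)[0]
    start = cd_offset - size - 8  # the leading size field excludes itself
    if struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    pos, end, found = start + 8, cd_offset - 24, {}
    while pos < end:  # each pair: uint64 len(ID+value), uint32 ID, value bytes
        pair_len = struct.unpack_from("<Q", data, pos)[0]
        block_id = struct.unpack_from("<I", data, pos + 8)[0]
        found[block_id] = pair_len - 4
        pos += 8 + pair_len
    return found

def has_dependency_info(data: bytes) -> bool:
    return DEPENDENCY_INFO_BLOCK_ID in signing_block_ids(data)

def build_sample_apk(with_dep_info: bool) -> bytes:
    """Constructed sample (not a real app): minimal zip plus a synthetic signing block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    data = buf.getvalue()
    pairs = [(0x7109871A, b"fake-v2-signature")]  # 0x7109871a = APK Signature Scheme v2
    if with_dep_info:
        pairs.append((DEPENDENCY_INFO_BLOCK_ID, b"opaque-encrypted-dependency-tree"))
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16  # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    eocd = find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    data = data[:cd_offset] + block + data[cd_offset:]
    eocd += len(block)  # the EOCD moved; patch its central-directory offset field
    return data[:eocd + 16] + struct.pack("<I", cd_offset + len(block)) + data[eocd + 20:]
```

Run `signing_block_ids(open("app-release.apk", "rb").read())` on a real build before and after setting `includeInApk = false` to confirm the 0x504b4453 entry disappears.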
