Question on permissions #196

IzzySoft opened this issue Jul 7, 2024 · 0 comments
IzzySoft commented Jul 7, 2024

Your recent release just triggered a couple of warnings with the IzzyOnDroid scanners:

! repo/com.piwigo.piwigo_ng_230.apk declares flag(s): usesCleartextTraffic
! repo/com.piwigo.piwigo_ng_230.apk declares sensitive permission(s):
  android.permission.READ_EXTERNAL_STORAGE
  android.permission.READ_MEDIA_IMAGES 
  android.permission.READ_MEDIA_VIDEO
  android.permission.READ_MEDIA_AUDIO
  android.permission.CAMERA
! repo/com.piwigo.piwigo_ng_230.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

usesCleartextTraffic is rather clear (locally self-hosted instances without SSL). CAMERA is a bit unclear: the app description does not mention anything about taking photos. All in between I can mostly guess (even if you use Storage Access Framework, up to Android-9 the permissions needed are quite a mess) – but a confirmation would be appreciated.

As for DEPENDENCY_INFO_BLOCK, that can easily be avoided with a minor adjustment in your build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

Thanks in advance!

So far I've added to your app's "green list":

image
