Cleartext Traffic about familygem HOT 2 OPEN

Hi Izzy!

android:usesCleartextTraffic="true" was introduced with b53593c (4 years ago).
Removing it, the line

problems connecting to geonames server http://api.geonames.org
java.io.IOException: Cleartext HTTP traffic to api.geonames.org not permitted

So the answer is: needed by GeoNames to display place suggestions.

At the moment a "non-PlayStore-release" of Family Gem is not a thing.
There is only one release and it compromises with Google's empire.

BIND_GET_INSTALL_REFERRER_SERVICE permission is not requested by Family Gem's AndroidManifest, but probably added to the APK by the InstallReferrerClient used in TreesActivity.
Its purpose is to retrieve a shared tree ID from the Play Store in case the app is installed clicking "Get it on Google Play" on the sharing page. If the app gets this ID, it proposes to download the shared tree.
So it's needed to simplify the import of a shared tree by a new user.

vending.BILLING is probably needed to purchase Family Gem Premium through the Google's BillingClient.
It would be nice to know how many users there are who want to avoid Google and would like an alternative payment system.

I suppose there is no problem on removing that dependenciesInfo from the APK.
But doesn't Google requires these dependency metadata in the AAB I upload to the Play Store?

from familygem.

was introduced with b53593c (4 years ago).

Eh, it's the code in my scanner that was added in January, so it only started finding and reporting these things now 🤣

problems connecting to geonames server http://api.geonames.org/

Ah. And yeah, they have an invalid certificate when you try https there. OK, while that's not really good it probably cannot be helped – unless someone telly geonames.org to get a proper cert – or an alternative to that API shows up. Or… read on their forums:

Https requests should be sent to secure.geonames.org instead of api.geonames.org.

Could you give that a try, please? Page looks very much the same, and you could have your (apps) security improved 😃

BIND_GET_INSTALL_REFERRER_SERVICE and `vending.BILLING are declared by their corresponding libraries, yeah. And needed by them I guess. If it's not asked too much, you could also consider a build flavor coming without those libs so I'd pick that APK then. Most folks using my repo will not use PlayServices anyway, so you'd not lose anything there (no install referrers here, and billing won't work without the PlayStore app).

I suppose there is no problem on removing that dependenciesInfo from the APK.

Not at all, right.

But doesn't Google requires these dependency metadata in the AAB I upload to the Play Store?

I'm not sure. But for my repo (or any other F-Droid repo), the AABs are not used. So you could of course just remove it from the APKs but leave it in the AABs – simply skip the includeInBundle = false then:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
    }
}

from familygem.