cleartext traffic? #932

Open
IzzySoft opened this issue Mar 18, 2024 · 2 comments

@IzzySoft

Running my scanner over today's release it reports:

! repo/com.m2049r.xmrwallet_33110.apk declares flag(s): usesCleartextTraffic
! repo/com.m2049r.xmrwallet_33110.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Can you please clarify what cleartext connections are established, and why those are needed? As for DEPENDENCY_INFO_BLOCK, that's easily avoided:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

Thanks in advance!

Oh, if you want to have a laugh, look at what the snake oil industry reports. They suspect the app could have to do with … Monero, by all means! 🤪

@IzzySoft
Author

Any chance to get this fixed (or explained), @m2049r? It's been more than half a year, and meanwhile the list is growing. From today's report:

! repo/com.m2049r.xmrwallet_40080.apk declares flag(s): usesCleartextTraffic
! repo/com.m2049r.xmrwallet_40080.apk declares sensitive permission(s): android.permission.BLUETOOTH_SCAN
! repo/com.m2049r.xmrwallet_40080.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Some clarification would be highly appreciated. Thanks in advance!

@IzzySoft
Author

@m2049r any word? None of the above are mentioned in your privacy policy, and no answer for more than half a year isn't exactly encouraging.
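The "contains signature block blobs: 0x504b4453" lines in the reports above can be reproduced by walking the APK Signing Block, which sits directly before the ZIP central directory. The following is an added example, not part of the thread and not the reporter's scanner or the project's code; the function names are hypothetical, the sample APK is constructed in memory, and the other block IDs in the table are the v2/v3 signature and padding IDs from the APK signature scheme format.

```python
import io, struct, zipfile

MAGIC = b"APK Sig Block 42"
KNOWN_IDS = {0x7109871A: "APK Signature Scheme v2", 0xF05368C0: "APK Signature Scheme v3",
             0x42726577: "verity padding", 0x504B4453: "DEPENDENCY_INFO_BLOCK"}

def central_dir_offset(apk: bytes) -> int:
    # Simplification: take the last EOCD signature (a ZIP comment could contain one too).
    eocd = apk.rfind(b"PK\x05\x06")
    if eocd < 0 or eocd + 22 > len(apk):
        raise ValueError("no ZIP End of Central Directory record")
    return struct.unpack_from("<I", apk, eocd + 16)[0]

def signing_block_ids(apk: bytes) -> list:
    """IDs of every ID-value pair in the APK Signing Block ([] if there is no block)."""
    cd = central_dir_offset(apk)
    if cd < 32 or apk[cd - 16:cd] != MAGIC:
        return []  # unsigned, or JAR-signed (v1) only
    (size,) = struct.unpack_from("<Q", apk, cd - 24)   # trailing size field
    start = cd - size - 8                              # leading size field
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("signing block size fields disagree")
    ids, pos, end = [], start + 8, cd - 24
    while pos < end:
        (length,) = struct.unpack_from("<Q", apk, pos)  # covers the 4-byte ID plus value
        if length < 4 or pos + 8 + length > end:
            raise ValueError("corrupt ID-value pair")
        ids.append(struct.unpack_from("<I", apk, pos + 8)[0])
        pos += 8 + length
    return ids

def describe(apk: bytes) -> list:
    return [KNOWN_IDS.get(i, hex(i)) for i in signing_block_ids(apk)]

def build_sample_apk(pair_ids) -> bytes:
    # Constructed input: a one-entry ZIP with a dummy signing block spliced in before the CD.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"constructed")
    raw = buf.getvalue()
    eocd, cd = raw.rfind(b"PK\x05\x06"), central_dir_offset(raw)
    pairs = b"".join(struct.pack("<QI4x", 8, i) for i in pair_ids)  # 4-byte dummy value
    size = len(pairs) + 24                 # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + MAGIC
    out = bytearray(raw[:cd] + block + raw[cd:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd + len(block))  # patch CD offset
    return bytes(out)
```

On a real file, `describe(open(path, "rb").read())` lists the blocks present; after a build with `includeInApk = false` the DEPENDENCY_INFO_BLOCK entry should no longer appear.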
