Simple apk scanner

Marcus requested to merge (removed):simple_apk_scanner into master

This introduces a very simple but quite effective (see what it caught in our current repo below) apk scanner after the build step. It currently looks only for com.google.android.gms and com.google.firebase. These are the ones most likely to slip through the current scanner unnoticed because we allow the google maven repo and they come from there.

Limitations and extensions:

  • Add more known nonfree namespaces.
  • proguard used in obfuscate mode could probably fool the scanner
    • We could relatively easily add a warning upon detecting obfuscated class/package names (those will be in the form of a.b.c.d or similar) and bring upstream to move to not obfuscating the build or even enforce this for f-droid builds.
  • This currently deliberately skips over 'referenced' classes. That means somewhere in the dependency chain there's probably a compileOnly dependency on a blacklisted package, but this isn't actually shipped inside the apk; we could introduce a warning for this as well.
  • Include the exodus scanner and warn on potential trackers: #566 (closed)

See also: fdroiddata#2070 (closed) https://forum.f-droid.org/t/java-dependencies-and-free-software/10098/6

Edited by Marcus
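As an added illustration of the check described in this merge request (example code, not the MR's own scanner): a Python sketch that walks dex class descriptors, flags classes shipped under the two namespaces the MR names, and applies the `a.b.c.d` obfuscation heuristic from the limitations list. The class list is a constructed sample; in a real run the descriptors would come from the apk's `classes.dex`, and the one-or-two-letter segment threshold is an assumption.

```python
import re

# Namespaces whose classes in the dex mean a nonfree dependency was shipped.
NONFREE_NAMESPACES = ("com.google.android.gms", "com.google.firebase")

# Heuristic for proguard-obfuscated packages (a.b.c.d): every segment is one or
# two lowercase letters.  The threshold is an assumption for this example.
OBFUSCATED_PKG_RE = re.compile(r"^([a-z]{1,2}\.)+[a-z]{1,2}$")

# Constructed sample of dex type descriptors, not taken from a real apk.
SAMPLE_CLASSES = [
    "Lorg/fdroid/fdroid/MainActivity;",
    "Lcom/google/android/gms/ads/AdView;",
    "Lcom/google/firebase/analytics/FirebaseAnalytics;",
    "Lcom/google/android/gmsfoo/NotGms;",  # prefix only, not a subpackage: no hit
    "La/b/c/d;",
    "La/b/c/e$1;",
]


def dex_descriptor_to_classname(descriptor):
    """Turn a dex type descriptor like 'Lcom/google/firebase/Foo;' into dotted form."""
    if descriptor.startswith("L") and descriptor.endswith(";"):
        descriptor = descriptor[1:-1]
    return descriptor.replace("/", ".")


def scan_classnames(classnames):
    """Return (nonfree_hits, obfuscated_packages).

    nonfree_hits maps each matched namespace to the shipped class names found
    under it; obfuscated_packages lists packages that look proguard-renamed.
    """
    nonfree = {}
    obfuscated = set()
    for raw in classnames:
        name = dex_descriptor_to_classname(raw)
        package = name.rpartition(".")[0]
        for ns in NONFREE_NAMESPACES:
            # Match the namespace itself or a true subpackage, never a longer prefix.
            if name == ns or name.startswith(ns + "."):
                nonfree.setdefault(ns, []).append(name)
        if package and OBFUSCATED_PKG_RE.match(package):
            obfuscated.add(package)
    return nonfree, sorted(obfuscated)


if __name__ == "__main__":
    hits, obf = scan_classnames(SAMPLE_CLASSES)
    for ns, classes in hits.items():
        print("nonfree namespace %s shipped: %s" % (ns, ", ".join(classes)))
    for pkg in obf:
        print("warning: package %s looks obfuscated, scanner may miss hits" % pkg)
```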