tl;dr: I'm wondering if there's anyway for me to ensure that the source code I (re)viewed on GitHub for an open-source project was actually used to build the APK I'm downloading from Google Play?
Let's say I want to find an app for encrypting files on my local Android device. There are several apps available when googling, many open-source. As I'm going to encrypt sensitive information, I'd like to ensure it's done correctly (and without bad intent), so I review the source code for the app. All looks okay, so I download the app from Google Play and start using it.
If the developer of the app wanted to, they could just offline modify the source code (in a "private build step", so to say), and inject whatever they want (send the unencrypted file content somewhere, fake-encrypt the files, whatever), build the APK and upload that APK to Google Play instead.
Is there anyway to verify the APK actually came from the source code?
Related
I know that I can let users download apks from my server but...
What I need is a technique to implement a modular app with features that I can add and remove such as the Play Feature Delivery from Android App Bundles.
At the same time I can't use Google Play Store.
I read that:"App Bundle format is open source, so other stores can adopt it"
So I think I could implement my own store but how can I implement the Play Feature Delivery?
I read also about:
apk split
apk Expansion Files
over-the-air programming
native app over HTTP
Do you have any idea where I can start?
UPDATE 1
I can't put +1 but thanks to Rediska I can elaborate the question.
With bundletool I can generate an APK Set archive containing APKs for all possible devices.
How do I automate the installation of new features from the client point of view?
Can I use Play Core lib or another lib?
UPDATE 2
From here I found Evolve.
Evolve is a library for Android Developers that lets them deploy new
versions of an app without going through Google Play or asking users
to download an update. It works by using reflection and dynamic
bytecode generation to "trick" Android into running new code.
Now, this opens to ideas but also security risks.
There is bundletool - a utility for handling .aab files. It is open source, and it does have the ability to generate APK files based on specs.
They have sent me a finished .APK . What other files do I need to request so that somebody else can develop it further in future?
Depending on your contract with the developer, you could also need the source code of the application.
If you ever want to switch to another company or developer, in order for them to continue where the others left, they will need the source code of your app. Without the source code, you cannot make any changes to app and publish new versions of it to the Play Store.
For completeness, mentioning what people said in the comments:
the build files of your project (e.g. Gradle configs)
the signing key used to publish the app on the Play Store
HTH
I have an application using which anyone can share the apk of the app itself. The APK will be generated using PackageManager class like this:
File file = new File(packageManager
.getApplicationInfo(packagename, PackageManager.GET_META_DATA)
.publicSourceDir
)
I need to track (deep link or some other way), who installs the app and who sent the referral? At first, it seemed infeasible to me. Then I came to know that chinese apps like Helo and WeLike actually do so. I gave it a try.
When we share the application from inside of it (have no idea how they generate APK, but the method is probably the same since I have checked they are not getting the APK from remote server and APK size is 40 MB and App Size is 40 MB so they mustn't be storing the APK in the package itself), the person who installs that APK is given the referral prize and relevant information like who referred is shown.
How is this possible? I would like to know any possible way.
In short, how can I track APK installs just with an APK file and no link (but includes generating APK from app ofcourse).
Not sure how Help and WeLike are doing it.
But it seems what you are looking for is Firebase invites, which has been deprecated but firebase dynamic links should have the same functionality (as mentioned in the firebase invite page).
I think most easiest solution to share the APK is by downloading the modified(including the user specific referral tacking code) version of the APK in background, once ready then user can share the version easily without waiting for it.
So you can say, user have the app installed.
user use the app normally, meanwhile you can download the modified APK with
user identifier
Once downloaded, the APK can be shared any number of times with the user
tracking.
Alternatively you can prepare the APK within the App, that may take more effort and complexity.
I am trying to setup my own Server to host apk files which will be available for installs and updates in the client App.
On new version update of apk, only the updated part should get downloaded at the client end. I am able to generate a patch file using "bsdiff" at the server end. But at the client, how should I merge the patch file with the original apk and install the update.
Based on your question, it looks like you are looking for some kind of patching system. Normally Google play store takes of managing this. When you upload a new version of APK, it only download the difference on client's device which saves data for customers. However the merging of this done on Mobile itself.
Since you are not using google play store, the only way available could be a patching system like AndFix. Some more options can be found on this SO. Most of them require some code changes.
You can also follow the concept of expansion files described by Google. You should be able to mimic the approach.
Note: Google play policy discourages this approaches if you are distributing it though Google play store and not utilizing Google Play's update mechanism. You need to be careful in case you are planning to distribute your app through play store in later stages
There are many "open source" apps like K-9 mail on the android app store. If I compile and build the source code myself, I can be sure that the resulting apk, will indeed do what the source code says it will do.
But how can I verify, that the apk submitted to the store is actually the result of compiling the same source ? What is to stop the makers of k9 of inserting malicious code in the version submitted to the app store ? I don't see any hash, or other way of verifying the source.
(K-9 is just an example).
Compare the contents of the APKs: the one you pull off the device (that you got from the Play Store or wherever) and the one that you compiled yourself. If the compiled classes differ, then there may be cause for deeper investigation. It's possible the differences come from differences in compilers, bytecode converters, or obfuscator settings. Or, it's possible that the differences are indicative of "malicious code". That work is up to you.
Or, use a store like F-Droid that compiles from source itself.
Or, just use the version that you compiled from source yourself.