[Feature Request] F-droid in sources filter #11

Open
Zerokami opened this issue Dec 30, 2017 · 8 comments
@Zerokami

Zerokami commented Dec 30, 2017

F-Droid apps show up as sideloaded apps and there isn't an easy way to know if the app is from F-Droid.

Since F-Droid is the only source for FOSS exclusive apps, it might be nice to add a Filter for F-Droid and filter the F-Droid signed apps.

@Zerokami Zerokami changed the title F-droid in sources filter [Feature Request] F-droid in sources filter Dec 30, 2017
@MartinStyk MartinStyk self-assigned this Jan 2, 2018
@MartinStyk
Owner

Hi, thank you for opening the issue. I will take a look and see what can be done here.

@MartinStyk
Owner

Hi @Logmytech, unfortunately there is no way to distinguish F-droid apps (at least I am not aware of any).
The only thing that can be used to find the source of an application is the package that installed it. This package differs between app stores. However, F-droid downloads an application and shows a prompt to install it using the standard package installer. Because of that, it is impossible to distinguish these apps.

@Zerokami
Author

Zerokami commented Jan 4, 2018

But the signature of APK Analyzer shows F-droid.

So, F-Droid actually signs these APKs. So we can check the signatures in the APK, maybe?

@MartinStyk
Owner

Yeah, it signs it. But in that case, I would need all keys used for signing apps in the F-droid market. I cannot rely on the name in the signature, because anyone can create a signing key with the name F-droid. I would need to match against the public key.
I do not think it is a good idea to do it, because it will not be reliable...
wdyt?

@Zerokami
Author

Zerokami commented Jan 6, 2018

I think if F-droid uses a single signature for signing all apps like Play does, you should implement it.

I think that's what F-Droid should do, but I'm not sure that's what it does.

App detective actually shows F-Droid icons for F-droid apps. So, it might be using a single signature.

BTW, can multiple people sign a single app? Like dev, store, etc.?

https://forum.f-droid.org/t/recognising-f-droid-apps-from-apk-signature/1867

```
Issuer: CN=Ciaran Gultnieks, OU=Unknown, O=Unknown, L=Wetherby, ST=Unknown, C=UK
Serial number: 4c49cd00
Valid from: Fri Jul 23 13:10:24 EDT 2010 until: Tue Dec 08 12:10:24 EST 2037
Certificate fingerprints:

  MD5:  17:C5:5C:62:80:56:E1:93:E9:56:44:E9:89:79:27:86
  SHA1: 05:F2:E6:59:28:08:89:81:B3:17:FC:9A:6D:BF:E0:4B:0F:A1:3B:4E
  SHA256: 43:23:8D:51:2C:1E:5E:B2:D6:56:9F:4A:3A:FB:F5:52:34:18:B8:2E:0A:3E:D1:55:27:70:AB:B9:A9:C9:CC:AB
```

@IzzySoft

@MartinStyk you can tell the installation source by the corresponding attribute (`-i` parameter to `pm`); in the package dump, the field is called `installerPackageName`. Playstore has two different "sources" here, FDroid just one (`org.fdroid.fdroid` if I remember correctly), Aptoide has its own as well (as will all other market apps, I suspect). Just create a dump and `grep` for `installerPackageName`, `sort`, and `uniq` 😉

@MartinStyk
Owner

@Logmytech @IzzySoft,
I get the installation source using the `PackageManager`'s method `getInstallerPackageName` [1]. It is basically the same as described in @IzzySoft's comment.
However, when I test it, for F-droid apps I always get the installer package `com.google.android.packageinstaller`, which is the default Android installer.

I suppose it is because the F-Droid app downloads an APK file, but lets the default Android installer install the package.

Am I missing something here?
Thank you for your help 👍

[1] https://github.com/MartinStyk/AndroidApkAnalyzer/blob/master/app/src/main/java/sk/styk/martin/apkanalyzer/model/detail/AppSource.java#L34

@IzzySoft

What I do in my tool Adebar is parsing the package list returned by `dumpsys package` (starting at `^Packages:` and stopping at `^Shared users:`). And Adebar reports the correct installer. The Android installer certainly is invoked the same way `pm` is (a la `pm install -i <installer_package_name> …`).

I'm no Android dev, so I don't know any corresponding Java APIs, sorry. If you want to cross-check with my Shell code, see the function `getAppDetails()` in `lib/packagedata.lib`.
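
The `dumpsys package` approach described in the comments above, as an added example that is not part of the thread and is neither Adebar's nor APK Analyzer's code. The sample dump is constructed; the `org.example.*` and `com.example.*` package names, the `com.android.vending` installer value and the treatment of a missing `installerPackageName` line as `(none)` are assumptions.

```sh
#!/bin/sh
# Added example: read `dumpsys package` text on stdin and report installers.
# Only the section from "Packages:" up to "Shared users:" is parsed.

# Emit "<package> <installer>" per package; "(none)" if no installer line.
installers_from_dump() {
    awk '
        function emit() { if (pkg != "") print pkg, inst; pkg = "" }
        /^Packages:/     { in_pkgs = 1; next }
        /^Shared users:/ { emit(); in_pkgs = 0 }
        !in_pkgs         { next }
        /^ +Package \[/  { emit(); pkg = $2; gsub(/^\[|\]$/, "", pkg); inst = "(none)"; next }
        /^ +installerPackageName=/ { sub(/^ +installerPackageName=/, ""); inst = $0 }
        END              { emit() }
    '
}

# Packages per installer, e.g. "2 org.fdroid.fdroid".
installer_counts() {
    installers_from_dump | awk '{ print $2 }' | sort | uniq -c | awk '{ print $1, $2 }'
}

# Packages whose recorded installer equals $1.
installed_by() {
    installers_from_dump | awk -v want="$1" '$2 == want { print $1 }'
}

# Constructed sample shaped like dumpsys output (not from a real device).
sample_dump() {
cat <<'EOF'
Key Set Manager:
  [org.example.notes]
Packages:
  Package [org.fdroid.fdroid] (1a2b3c):
    userId=10101
  Package [org.example.notes] (2b3c4d):
    installerPackageName=org.fdroid.fdroid
  Package [com.example.maps] (3c4d5e):
    installerPackageName=com.android.vending
  Package [org.example.player] (4d5e6f):
    installerPackageName=com.google.android.packageinstaller
  Package [org.example.feeds] (5e6f70):
    installerPackageName=org.fdroid.fdroid
Shared users:
EOF
}

# On a device: adb shell dumpsys package | installer_counts
sample_dump | installer_counts
```

The recorded installer is a string supplied at install time (the `-i` parameter mentioned above), so it is a label for filtering rather than proof of where an APK came from.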
