ICTrust / PObY-A

Privacy Owned by You - Android
GNU General Public License v3.0

Reproducible Builds #18

Open IzzySoft opened 4 months ago

IzzySoft commented 4 months ago

I don't know if this app is still actively maintained (as I cannot see any commit for about a year now) – but if it is, maybe you could help out here.

I've checked your app to see if its build is reproducible (see: Reproducible builds, special client support and more in our repo), but while I was able to successfully generate the APK using ./gradlew assembleRelease, the differences to the one provided at your latest release were huge. Was that APK really built from the commit the tag points to? If so, did I miss some build options? And if not, which commit was it?

-------------------------------
--- /dev/fd/63  2024-07-09 23:22:08.619508280 +0200
+++ /dev/fd/62  2024-07-09 23:22:08.623508253 +0200
@@ -1,17 +1,17 @@
   META-INF/com/android/build/gradle/app-metadata.properties
   32-bit CRC value (hex):                         670a0005
   assets/dexopt/baseline.prof
-  32-bit CRC value (hex):                         3c0e6ba3
+  32-bit CRC value (hex):                         330bf6c6
   assets/dexopt/baseline.profm
-  32-bit CRC value (hex):                         28b52bef
+  32-bit CRC value (hex):                         dc661e3a
   classes.dex
-  32-bit CRC value (hex):                         01caa96b
+  32-bit CRC value (hex):                         30925fd3
   classes2.dex
-  32-bit CRC value (hex):                         1e761e59
+  32-bit CRC value (hex):                         10c8c8af
   DebugProbesKt.bin
   32-bit CRC value (hex):                         7cded4df
   META-INF/androidx.activity_activity-ktx.version
-  32-bit CRC value (hex):                         f6d036c7
+  32-bit CRC value (hex):                         fd7ea868
   META-INF/androidx.activity_activity.version
   32-bit CRC value (hex):                         caa0585a
   META-INF/androidx.annotation_annotation-experimental.version
@@ -24,8 +24,6 @@
   32-bit CRC value (hex):                         c356bda3
   META-INF/androidx.asynclayoutinflater_asynclayoutinflater.version
   32-bit CRC value (hex):                         fd7ea868
-  META-INF/androidx.browser_browser.version
-  32-bit CRC value (hex):                         efcb0786
   META-INF/androidx.cardview_cardview.version
   32-bit CRC value (hex):                         fd7ea868
   META-INF/androidx.coordinatorlayout_coordinatorlayout.version
@@ -49,7 +47,7 @@
   META-INF/androidx.emoji2_emoji2.version
   32-bit CRC value (hex):                         577760e3
   META-INF/androidx.fragment_fragment-ktx.version
-  32-bit CRC value (hex):                         b991a000
+  32-bit CRC value (hex):                         45c2cf0d
   META-INF/androidx.fragment_fragment.version
   32-bit CRC value (hex):                         b991a000
   META-INF/androidx.interpolator_interpolator.version
@@ -62,16 +60,12 @@
   32-bit CRC value (hex):                         fd7ea868
   META-INF/androidx.lifecycle_lifecycle-extensions.version
…

We'd appreciate it if you could help make your build reproducible. We've prepared some hints on reproducible builds for that.

Looking forward to your reply!

A-YATTA commented 3 months ago

Hey @IzzySoft

The app is still maintained, a new version will be available soon with some additional features and bug fixes.

The release 1.5.2 was a hot fix and was based on dev branch main...dev.

Thanks for the hints, will check and fix that soon.

IzzySoft commented 3 months ago

Cool, and great, and glad to read! Please give me a ping once the release is available, so I check ASAP, yes? Thanks in advance!

A-YATTA commented 2 weeks ago

@IzzySoft Could you please check this release? Thanks in advance!

IzzySoft commented 2 weeks ago

Hm, did you really build it from a clean tree at the commit the tag points to? The APK claims to have been built from 5902ec41d1aea68ecff8a5be53719f8729b4dd7e – which is two commits earlier. Building from the tag is not RB: you see the version-control-info.textproto which helped me find the commit the APK was built from, and several PNGs differing.

  -rw-r--r--  0.0 unx       56 b-       52 defN 1981-01-01 01:01:02 b89973a3 META-INF/com/android/build/gradle/app-metadata.properties
- -rw-r--r--  0.0 unx      120 b-      118 defN 1981-01-01 01:01:02 8c4dd720 META-INF/version-control-info.textproto
+ -rw-r--r--  0.0 unx      120 b-      118 defN 1981-01-01 01:01:02 68ba5f0c META-INF/version-control-info.textproto
  -rw-r--r--  0.0 unx     3557 b-     3557 stor 1981-01-01 01:01:02 1c235398 assets/dexopt/baseline.prof
  -rw-r--r--  0.0 unx      323 b-      323 stor 1981-01-01 01:01:02 95a506d8 assets/dexopt/baseline.profm
  -rw-r--r--  0.0 unx  9059812 b-  3476246 defN 1981-01-01 01:01:02 82f6c4f8 classes.dex
@@ -234,7 +234,7 @@
  -rw----     0.0 fat      564 b-      319 defN 1981-01-01 01:01:02 8bf9a799 res/By.xml
  -rw----     0.0 fat      524 b-      254 defN 1981-01-01 01:01:02 28ec7605 res/By1.xml
  -rw----     0.0 fat    23068 b-     2227 defN 1981-01-01 01:01:02 366631f3 res/C1.json
- -rw----     0.0 fat     4541 b-     4541 stor 1981-01-01 01:01:02 8b58f452 res/CH.png
+ -rw----     0.0 fat     4540 b-     4540 stor 1981-01-01 01:01:02 0354a12f res/CH.png
  -rw----     0.0 fat      244 b-      244 stor 1981-01-01 01:01:02 bde23956 res/CK.9.png
  -rw----     0.0 fat      215 b-      215 stor 1981-01-01 01:01:02 c135d194 res/C_.9.png
  -rw----     0.0 fat      612 b-      333 defN 1981-01-01 01:01:02 808b4793 res/Cc.xml
@@ -872,7 +872,7 @@
  -rw----     0.0 fat      252 b-      252 stor 1981-01-01 01:01:02 c8900a8e res/o_.9.png
  -rw----     0.0 fat      651 b-      651 stor 1981-01-01 01:01:02 22f95d51 res/o_.png
  -rw----     0.0 fat      744 b-      346 defN 1981-01-01 01:01:02 8137a015 res/oa.xml
- -rw----     0.0 fat   238183 b-   238183 stor 1981-01-01 01:01:02 36623a07 res/oo.png
+ -rw----     0.0 fat   238181 b-   238181 stor 1981-01-01 01:01:02 272c10bb res/oo.png
  -rw----     0.0 fat      286 b-      286 stor 1981-01-01 01:01:02 22603145 res/op.9.png
  -rw----     0.0 fat     1748 b-      656 defN 1981-01-01 01:01:02 c723f3e0 res/p0.xml
  -rw----     0.0 fat      752 b-      376 defN 1981-01-01 01:01:02 7f660c8b res/pF.xml
@@ -961,7 +961,7 @@
  -rw----     0.0 fat      214 b-      214 stor 1981-01-01 01:01:02 6a5cd9b8 res/w_.png
  -rw----     0.0 fat    11237 b-    11237 stor 1981-01-01 01:01:02 80d73ca8 res/wb.png
  -rw----     0.0 fat      780 b-      780 stor 1981-01-01 01:01:02 b6d9a482 res/ww.png
- -rw----     0.0 fat   135591 b-   135591 stor 1981-01-01 01:01:02 68727e1d res/wz.png
+ -rw----     0.0 fat   135592 b-   135592 stor 1981-01-01 01:01:02 feed8dff res/wz.png
  -rw----     0.0 fat      212 b-      212 stor 1981-01-01 01:01:02 3bde0e3f res/x3.9.png

Interestingly, despite the huge diff of the PR merged at the tag, building from the indicated commit yields the same results except for versionInfo. That leaves the PNGs. Could be PNG crunching or vector drawables converted to PNG (both processes are non-deterministic). Depending on which one, one (or both) of the following fragments for your build.gradle could help:

android {
    // disable PNG crunching:
    aaptOptions {
        cruncherEnabled = false
    }
    // disable generating PNGs from vector drawables:
    defaultConfig {
        vectorDrawables.generatedDensities = []
    }
}

Could you give that a try, e.g. in a test branch, and then attach the resulting APK here (renamed to .zip so Github allows you to attach) while naming the commit it was built from? I'd give that another run then, before you head for a (maintenance) release with it.
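
The entry-by-entry comparison shown in the zipinfo diffs above, together with the version-control-info.textproto and PNG diagnosis, as an added Python example (not the thread's own tooling, nor IzzyOnDroid's): it diffs two APKs by central-directory CRC and size and annotates each changed entry with the likely cause named in this thread. The two APKs are constructed in-memory stand-ins; their entry names mirror the diffs above.

```python
import io
import zipfile


def entry_crcs(apk: bytes) -> dict:
    """Map each zip entry to (CRC-32, uncompressed size), read from the central directory."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return {info.filename: (info.CRC, info.file_size) for info in z.infolist()}


def likely_cause(name: str) -> str:
    """Heuristic hint for why an entry differs, based on the cases seen in this thread."""
    if name == "META-INF/version-control-info.textproto":
        return "built from a different commit (textproto records the VCS revision)"
    if name.startswith("res/") and name.endswith(".png"):
        return "PNG crunching or vector drawables rasterised at build time"
    if name.startswith("classes") and name.endswith(".dex"):
        return "compiled code differs (toolchain, dependencies or sources)"
    if name.startswith("META-INF/") and name.endswith(".version"):
        return "AndroidX dependency versions differ"
    return "unclassified"


def diff_apks(reference: bytes, rebuilt: bytes) -> dict:
    """Compare two APKs entry by entry, like the zipinfo diff above, and annotate changes."""
    ref, new = entry_crcs(reference), entry_crcs(rebuilt)
    return {
        "only_in_reference": sorted(set(ref) - set(new)),
        "only_in_rebuilt": sorted(set(new) - set(ref)),
        "changed": {n: likely_cause(n) for n in sorted(ref.keys() & new.keys()) if ref[n] != new[n]},
    }


def make_apk(entries: dict) -> bytes:
    """Constructed stand-in for an APK: a plain zip holding the given name -> bytes entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, payload in entries.items():
            z.writestr(name, payload)
    return buf.getvalue()


# Constructed sample pair mirroring the kinds of differences discussed in this thread.
UPSTREAM = make_apk({
    "classes.dex": b"dex\n035\0same-code",
    "META-INF/version-control-info.textproto": b"revision: 5902ec41 (constructed)",
    "META-INF/androidx.browser_browser.version": b"1.5.0",
    "res/CH.png": b"\x89PNG-crunched-A",
})
REBUILT = make_apk({
    "classes.dex": b"dex\n035\0same-code",
    "META-INF/version-control-info.textproto": b"revision: tag-commit (constructed)",
    "res/CH.png": b"\x89PNG-crunched-B",
})
```

Run against real files, `diff_apks(open(a, "rb").read(), open(b, "rb").read())` gives the same three buckets as the hand-read zipinfo diff, with a cause hint per changed entry.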

IzzySoft commented 2 weeks ago

PS, while being here, the scanner asked for some clarification:

! repo/ch.ictrust.pobya_13.apk declares sensitive permission(s):
  android.permission.REQUEST_DELETE_PACKAGES android.permission.QUERY_ALL_PACKAGES
  android.permission.READ_EXTERNAL_STORAGE
! repo/ch.ictrust.pobya_13.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Package permissions are clear (find apps to scan, remove infected ones). What about the extra storage permissions?

As for DEPENDENCY_INFO_BLOCK, that's easy to avoid with a minor addition to your build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

Thanks in advance!
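
As an added example (not code from this project, nor from the IzzyOnDroid scanner), a Python check for the signature block blob the scanner flagged: it locates the APK Signing Block that sits directly before the zip central directory, walks its ID-value pairs, and reports whether ID 0x504b4453 (DEPENDENCY_INFO_BLOCK) is present. The sample APK is constructed inline with a hand-built signing block; the block layout (size, pairs, size, magic) is the documented Android format.

```python
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = struct.pack("<I", 0x06054B50)
DEPENDENCY_INFO_BLOCK_ID = 0x504B4453  # the ID quoted by the scanner above


def _central_directory_offset(data: bytes) -> tuple:
    """Locate the End of Central Directory record; return (eocd_pos, cd_offset)."""
    eocd = data.rfind(EOCD_SIGNATURE)
    if eocd < 0:
        raise ValueError("not a zip/APK: no End of Central Directory record")
    return eocd, struct.unpack_from("<I", data, eocd + 16)[0]


def signing_block_ids(data: bytes) -> dict:
    """Parse the APK Signing Block (right before the central directory) into {id: value}."""
    _, cd_offset = _central_directory_offset(data)
    if cd_offset < 24 or data[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return {}  # no signing block at all (e.g. v1-only or unsigned APK)
    size = struct.unpack_from("<Q", data, cd_offset - 24)[0]  # excludes the leading size field
    pos, pairs_end = cd_offset - size, cd_offset - 24  # first pair .. before trailing size+magic
    blocks = {}
    while pos < pairs_end:  # each pair: uint64 length, uint32 id, value bytes
        length = struct.unpack_from("<Q", data, pos)[0]
        block_id = struct.unpack_from("<I", data, pos + 8)[0]
        blocks[block_id] = data[pos + 12:pos + 8 + length]
        pos += 8 + length
    return blocks


def has_dependency_info_block(data: bytes) -> bool:
    return DEPENDENCY_INFO_BLOCK_ID in signing_block_ids(data)


def build_sample_apk(blocks: dict) -> bytes:
    """Constructed test input: a minimal zip with a hand-built APK Signing Block spliced in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed placeholder manifest>")
    data = buf.getvalue()
    eocd, cd_offset = _central_directory_offset(data)
    pairs = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in blocks.items())
    size = len(pairs) + 8 + 16  # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    patched = bytearray(data[:cd_offset] + block + data[cd_offset:])
    struct.pack_into("<I", patched, eocd + len(block) + 16, cd_offset + len(block))  # fix EOCD
    return bytes(patched)
```

On a real APK, `has_dependency_info_block(open(path, "rb").read())` returns True exactly when the scanner's DEPENDENCY_INFO_BLOCK warning applies, and False after the dependenciesInfo change above.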

A-YATTA commented 2 weeks ago

Indeed the APK is built from 5902ec4.

The storage permissions are needed for scanning the APKs. The app uncompresses the APKs of installed applications in the external storage and looks for HDB and NDB signatures in the ClamAV Virus Database.

I will try that on a new branch and with the build.gradle options from both comments.

A-YATTA commented 2 weeks ago

Could you please check this build based on the branch IzzySoftRecommendations: Test.zip

PS: Thanks for the link! Very helpful even if I haven't read everything yet.

IzzySoft commented 2 weeks ago

Looks much better! However, one of the PNGs remained:

  -rw----     0.0 fat    23068 b-     2227 defN 1981-01-01 01:01:02 366631f3 res/C1.json
- -rw----     0.0 fat     4541 b-     4541 stor 1981-01-01 01:01:02 8b58f452 res/CH.png
+ -rw----     0.0 fat     4540 b-     4540 stor 1981-01-01 01:01:02 0354a12f res/CH.png
  -rw----     0.0 fat      244 b-      244 stor 1981-01-01 01:01:02 bde23956 res/CK.9.png

Is that generated at build time still?

A-YATTA commented 2 weeks ago

Yes. The hash of the file CH.png (image below) does not match an existing file in the app folders.

Hash: 3e1545d8943d3698d9f57bbe3ae793505b11f1ffbf84899c63d56cc040b7122e

[image: CH.png]

IzzySoft commented 2 weeks ago

If you can find where that comes from and avoid having it generated at build time, the app should become RB. I've decompiled the APK and found the counterpart in res/drawable-xxxhdpi/ic_launcher_foreground.png, next to a bunch of graphics named abc_*.png (abc_btn_*, abc_scrubber*, abc_tab_indicator* …) in case that rings a bell?

Edit: found it referenced in res/values/public.xml:

<public type="drawable" name="ic_launcher_foreground" id="0x7f0800a0" />
<public type="drawable" name="abc_ab_share_pack_mtrl_alpha" id="0x7f080029" />
<public type="drawable" name="abc_btn_check_to_on_mtrl_000" id="0x7f08002e" />

(and more of the abcs)

Edit2: wild thought, but as there is no ic_launcher_foreground.xml in the mipmap-anydpi-v26, could it be the build generates the "missing resource"? I've searched the repo, and the only references are these. All 3 hits have

<foreground android:drawable="@mipmap/ic_launcher_foreground"/>

But not being an Android dev myself, I might be on the wrong track there…

BRBsoup commented 2 weeks ago

@IzzySoft Android scene legend - "But not even an Android Dev" 🙌

IzzySoft commented 2 weeks ago

Can't have it all :rofl:

A-YATTA commented 1 week ago

There are some resources (drawables, mipmaps) that come from the dependencies. The file CH.png is from the dependency com.github.owl-93:DeterminateProgressView:v1.0, and the abcs are from AppCompat drawable-hdpi.

A task in build.gradle that excludes unused resources like drawables and mipmaps folders from dependencies needs to be added.

IzzySoft commented 1 week ago

Glad you found the culprit – great! If you give me a ping when that task was added (and a commit with a corresponding APK to test with is available), I'll run another test build here.

A-YATTA commented 4 days ago

@IzzySoft Could you please check the attached APK based on the branch IzzySoftRecommendations? 🤞

issue18.zip

IzzySoft commented 4 days ago

Success!

    "upstream_signed_apk_sha256": "9fcbc2662b08382c02efca19924af3eaa4b3640627380234b5ecb19382a77eac",
    "signature_copied_apk_sha256": "9fcbc2662b08382c02efca19924af3eaa4b3640627380234b5ecb19382a77eac"

Hashes match, so RB succeeded, congrats! Please let me know when the next release is available, so I'll establish it as RB here. Thanks a lot!!!

A-YATTA commented 4 days ago

Glad to hear that! Noted. Thanks to you for your help and contributions!

IzzySoft commented 4 days ago

Gladly! Looking forward to your ping then :smiley: