MartinStyk / AndroidApkAnalyzer

Android application for analyzing installed apps
GNU General Public License v3.0
270 stars 55 forks

[Feature Request] F-droid in sources filter #11

Open Zerokami opened 6 years ago

Zerokami commented 6 years ago

F-Droid apps show up as sideloaded apps and there isn't an easy way to know if the app is from F-Droid.

Since F-Droid is the only source for FOSS exclusive apps, it might be nice to add a Filter for F-Droid and filter the F-Droid signed apps.

MartinStyk commented 6 years ago

Hi, thank you for opening the issue. I will take a look and see what can be done here.

MartinStyk commented 6 years ago

Hi @Logmytech, unfortunately there is no way to distinguish F-Droid apps (at least I am not aware of any). The only thing that can be used to find the source of an application is the package that installed it. This package differs between app stores. However, F-Droid downloads an application and shows a prompt to install it using the standard package installer. Because of that, it is impossible to distinguish these apps.

Zerokami commented 6 years ago

But the signature of APK Analyzer shows F-droid.

So, F-Droid actually signs these APKs. So we can check the signatures in the APK, maybe?

MartinStyk commented 6 years ago

Yeah, it signs it. But in that case, I would need all keys used for signing apps in the F-Droid market. I cannot rely on the name in the signature, because anyone can create a signing key with the name F-Droid. I would need to match against the public key. I do not think it is a good idea to do it, because it will not be reliable... wdyt?

Zerokami commented 6 years ago

I think if F-droid uses a single signature for signing all apps like play does it, you should implement it.

I think that's what F-Droid should do, but I'm not sure that's what it does.

App detective actually shows F-Droid icons for F-droid apps. So, it might be using a single signature.

BTW, can multiple people sign a single app? Like dev, store, etc.?

https://forum.f-droid.org/t/recognising-f-droid-apps-from-apk-signature/1867


```
Issuer: CN=Ciaran Gultnieks, OU=Unknown, O=Unknown, L=Wetherby, ST=Unknown, C=UK
Serial number: 4c49cd00
Valid from: Fri Jul 23 13:10:24 EDT 2010 until: Tue Dec 08 12:10:24 EST 2037
Certificate fingerprints:
  MD5:  17:C5:5C:62:80:56:E1:93:E9:56:44:E9:89:79:27:86
  SHA1: 05:F2:E6:59:28:08:89:81:B3:17:FC:9A:6D:BF:E0:4B:0F:A1:3B:4E
  SHA256: 43:23:8D:51:2C:1E:5E:B2:D6:56:9F:4A:3A:FB:F5:52:34:18:B8:2E:0A:3E:D1:55:27:70:AB:B9:A9:C9:CC:AB
```

IzzySoft commented 6 years ago

@MartinStyk you can tell the installation source by the corresponding attribute (`-i` parameter to `pm`); in the package dump, the field is called `installerPackageName`. Playstore has two different "sources" here, FDroid just one (`org.fdroid.fdroid` if I remember correctly), Aptoide has its own as well (as will all other market apps, I suspect). Just create a dump and `grep` for `installerPackageName`, `sort`, and `uniq` :wink:

MartinStyk commented 6 years ago

@Logmytech @IzzySoft, I get the installation source using the `PackageManager`'s method `getInstallerPackageName` [1]. It is basically the same as described in @IzzySoft's comment. However, when I test it, for F-Droid apps I always get the installer package `com.google.android.packageinstaller`, which is the default Android installer.

I suppose it is because the F-Droid app downloads an APK file but lets the default Android installer install the package.

Am I missing something here? Thank you for your help 👍

[1] https://github.com/MartinStyk/AndroidApkAnalyzer/blob/master/app/src/main/java/sk/styk/martin/apkanalyzer/model/detail/AppSource.java#L34

IzzySoft commented 6 years ago

What I do in my tool Adebar is parsing the package list returned by `dumpsys package` (starting at `^Packages:` and stopping at `^Shared users:`). And Adebar reports the correct installer. The Android installer certainly is invoked the same way `pm` is (a la `pm install -i <installer_package_name> …`).

I'm no Android dev, so I don't know any corresponding Java APIs, sorry. If you want to cross-check with my Shell code, see the function `getAppDetails()` in `lib/packagedata.lib`.
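
The `dumpsys package` approach described in the last comment, as an added example that is not part of the thread and is neither Adebar's nor APK Analyzer's code: it reads only the entries between `^Packages:` and `^Shared users:` and reports each package's `installerPackageName`. The sample dump, its package names and the function names are constructed for illustration, and the dump layout is an assumption.

```shell
#!/bin/sh
# Constructed sample shaped like `dumpsys package` output (assumed layout,
# not captured from a device). On a device: adb shell dumpsys package | installer_map
sample_dump() {
cat <<'EOF'
Permissions:
  Permission [android.permission.INTERNET] (49f6a6):
    installerPackageName=ignored.before.packages
Packages:
  Package [org.example.notes] (a1b2c3d):
    userId=10101
    installerPackageName=org.fdroid.fdroid
  Package [com.example.chat] (b2c3d4e):
    userId=10102
    installerPackageName=com.android.vending
  Package [net.example.tool] (c3d4e5f):
    userId=10103
    installerPackageName=com.google.android.packageinstaller
  Package [io.example.side] (d4e5f60):
    userId=10104
Shared users:
  SharedUser [android.uid.system] (e5f6071):
    installerPackageName=ignored.after.packages
EOF
}

# Print "package<TAB>installer" for every entry between ^Packages: and
# ^Shared users:. Entries with no installerPackageName line get "(none)".
installer_map() {
  awk '
    function emit() { if (pkg != "") printf "%s\t%s\n", pkg, inst; pkg = "" }
    /^Packages:/     { inside = 1; next }
    /^Shared users:/ { emit(); inside = 0 }
    !inside          { next }
    /^  Package \[/  { emit(); pkg = $2; gsub(/\[|\]/, "", pkg); inst = "(none)"; next }
    /^ +installerPackageName=/ { inst = $0; sub(/^.*=/, "", inst) }
    END              { emit() }
  '
}

# Count packages per installer: the "grep, sort, uniq" step from the thread.
installer_counts() {
  installer_map | cut -f2 | sort | uniq -c | awk '{ print $2 "=" $1 }'
}

sample_dump | installer_map
sample_dump | installer_counts
```

The field holds whatever installer name was supplied at install time (the thread's `pm install -i`), so it is a provenance hint rather than proof; comparing the signing certificate's fingerprint, as discussed earlier in the thread, is the stronger check.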