Unification of Google Play Store (Yalp/Aurora) and F-Droid

[MuntashirAkon]

In App Manager, our goal, as always, is to unify features and remove the burden of using another application.

Currently, we've included Aurora Store, APK Updater and F-Droid in various pages so that the user can easily open the apps as if they are part of the app. However, this model doesn't work very well since App Manager, like any other package managers, should be the source to download, install and update applications. In order to achieve that and reduce burden on the main app, I propose another extension that merges both Google Play Store and F-Droid.

Features

• Download or install APK files (along with update checking ability on app info page)
• Display descriptions, changelogs and exodus report (and when the download is complete, display our favourite what's new)
• Automatic handling of architecture and version codes
• Similar apps section (when enabled)

Privacy features

• Orbot integration
• Google Play Store disabled by default

Obstacles

• For Google Play Store, we need a token dispenser server which doesn't go with our model. So, whether we can actually support Google Play Store is still hanging in the air. However, if we implement such feature, a custom field will be added where the users can insert custom dispenser server such as Aurora's.
• APK Mirror, APK Pure are alternatives but they may not be used because the former doesn't allow direct download of APK files and the latter is unreliable.

[MuntashirAkon]

Designing a unified API

Number of supported services

App Manager has to support at least the following services:

1. GitHub
2. Google Play Store
3. F-Droid repositories

The following services should also be considered:

1. Graphene OS' Apps repository
2. APK Pure

Priorities of the services

Unification of multiple services in Android is troublesome due to many issues such as mismatched signing certificate, trusting the APK sources and so on. Priority of services should be decided on the basis of privacy, security, availability and trust. However, App Manager will note the installation source and will not switch or fallback to the next available service automatically. This has to be so much restricted that on the event of running into installation issues, presumably due to signing certificate, App Manager will ask the user to reinstall the app with the new signature instead of falling back to the next service. This, in general, ensures the safety of the user, and makes the multiplicity of services transparent to the system.

Here's an outline of how the priorities might work for different services:

• GitHub subscriptions will, naturally, be the top priority because GitHub, with proper channel, can be trusted (and it is already presumed that by following the repository, the user trusts the developer). However, the user needs to configure the repositories meaning unless App Manager community delivers the configurations, this feature will be mostly remain unused.

• Certain F-Droid repositories will get the next priority. Each F-Droid repository is considered a separate service due to the nature of the repositories and will be prioritised accordingly. Example of repositories that will be prioritised:

  • Bitwarden repository
  • NewPipe repository
  • Bromite repository
  • UnGoogled Chromium repository
  • Collabora office repository
  • Session repository
  • Briar repository

  As can be seen, the repositories are prioritised because they are official and trusted, just like GitHub, and may be more privacy respecting that the Google Play Store version.

• Graphene OS Apps' repository. (Prevents overlapping with Google Play as described above) Currently, there are no other repositories that uses this scheme.
• Google Play Store, if enabled, will get the next priority. This is prioritised over the official F-Droid repository for the following reasons (sorted on the basis of importance in descending order):
  1. Updates are available just as the developer pushes them
  2. It enforces the use of safer permissions and target SDK (although it is understandable that certain tools may require lesser target SDK due to their usage)
  3. Use of up to date signing schemes unlike F-Droid
• The rest of the F-Droid repositories will get the next priorities. The repositories are sorted on the basis of the key reasons described above.
  1. IzzyOnDroid (This falls below Google Play Store because the apps found on Google Play Store/GitHub could be identical)
  2. F-Droid official
  3. Guardian project
  4. Calyx OS
  5. Divest OS

Priorities could be dynamic for certain platforms. For Graphene OS, Graphene OS' Apps repository will get higher priority. For Calyx OS, Calyx OS' F-Droid repository will get higher priority. In any case, the source of the APK will always be visible to the user so that the user may be aware of it.

One might ask why App Manager will not be supporting the addition of custom F-Droid repositories. The reasons are as follows (sorted on the basis of importance in ascending order):

1. Addition of repositories is rarely used by a regular user. Many users aren't even aware of the existence of this feature.
2. Most users are incapable of doing enough research to understand the catches of adding a repository. To be specific, they fail to recognise how trustable a repository might be.
3. We intend to support certificate pinning which is built statically with the app itself.

Notice that this is now the searching takes place. This can easily be bypassed by supplying separate build flavours for each platform. But this is up to the developer. For example, one might choose to append .play and .fdroid to the package name for Google Play and F-Droid respectively.

Alpha/Beta/Stable

Support for beta and stable is determined by the following:

• If the API supports it, then it is used directly.
• Application of heuristics i.e. version name/app label containing alpha, beta, rc, pre, etc.

Split APK

A wide range of APK files are supported in accordance with API (all except F-Droid supports split APK). Formats include APK, APKS, XAPK, APKM or a collection of APK files. APKs are selected based on the device configuration as usual. But the user may be prompted to select the APKs to install if enabled.

Automatic updates

App Manager would check for updates and update apps automatically using heuristics by default. Per-app auto-update can be disabled like any other clients. Example of application of heuristics: Prompt user via notification if the user jumps version code by a significant number (the number may also be determined heuristically) or updates to a major release (if the app follows semantic versioning).

App recommendations

How recommendations will be generated is still a big issue. We cannot obviously trust automated, unaudited and biased algorithms. Community recommendations/lists would be the most beneficial as our main focus is on privacy, but practicality of such approach is largely unknown.

[Jrchintu]

Thanks muntashir for this nice guide, can you please explain how the app description and other things like changlog url etc will be decided. Like will it be based on the same priority as of apk files provider. Since there may be case that same app may have diffrent description based on diffrent source and maybe some may lack enough information.

[MuntashirAkon]

can you please explain how the app description and other things like changlog url etc will be decided.

Metadata will be taken from the corresponding service. For example, in GitHub, the description might be retrieved from the README file (as it was done in the Magisk Manager) and changelog will be whatever the author wrote in the release section. For F-Droid formatted-repositories, they all have descriptions, changelogs, etc. as does Google Play Store. We are not going to support Graphene OS' Apps repository for now because it is still incomplete.

Here, we only use one source at a time for each APK which prevents any possible clashes that can be seen frequently in F-Droid with multiple repositories (which I do not believe to be a good model). In addition, we can add a section under the description if the app has been located in other services as well as the ability to load its description from those services. In the latter case, however, the installation button will be disabled until the user decided to add it as an exception.

maybe some may lack enough information.

This is always a possibility. But there's nothing I can do about it. If it's on GitHub, asking the developer would suffice but for others, it will not be as straightforward.

[Jrchintu]

can you please explain how the app description and other things like changlog url etc will be decided.

Metadata will be taken from the corresponding service. For example, in GitHub, the description might be retrieved from the README file (as it was done in the Magisk Manager) and changelog will be whatever the author wrote in the release section. For F-Droid formatted-repositories, they all have descriptions, changelogs, etc. as does Google Play Store. We are not going to support Graphene OS' Apps repository for now because it is still incomplete.

Here, we only use one source at a time for each APK which prevents any possible clashes that can be seen frequently in F-Droid with multiple repositories (which I do not believe to be a good model). In addition, we can add a section under the description if the app has been located in other services as well as the ability to load its description from those services. In the latter case, however, the installation button will be disabled until the user decided to add it as an exception.

maybe some may lack enough information.

This is always a possibility. But there's nothing I can do about it. If it's on GitHub, asking the developer would suffice but for others, it will not be as straightforward.

thanks, this looks very valid. Also one more thing about aurora store tokenizer, afaik the source side code is not open source (i had asked about same in their group on telegram, will update here if i got it). So are you going to reimplement it, or maybe will seek support from aurora store team.

EDIT: TOKEN-DISPENSER https://github.com/whyorean/token-dispenser AAS aastoken grabber https://github.com/whyorean/AASTokenGrabber

[MuntashirAkon]

So are you going to reimplement it, or maybe will seek support from aurora store team.

Our implementation will be based on AuroraOSS's GPlayApi library, we will only reuse the bits that are essential for us.

[S7venLights]

https://accressent.app

https://github.com/ImranR98/Obtanium

and a method of using Octodroid and watching github for releases

May be useful for this project.

[MuntashirAkon]

https://accressent.app

https://github.com/ImranR98/Obtanium

None of the links exit.

[S7venLights]

Sorry misspelt before:

https://github.com/ImranR98/Obtainium Pulls updates directly from github, gitlab and more.

https://github.com/accrescent/accrescent New secure app store

Octodroid: https://github.com/slapperwan/gh4a/releases Android Github client

[shuvashish76]

Additional suggestion: Integrate with Export app list #122 to import/install apps.

In the future, the XML file may also be imported to App Manager.

Similar to chromium web store show box to fill copied data & option to import file. Data includes everything (name, id, source etc) required to download apps.

Use case: - Backup/download app list to another device or share app list to friends with apps from specific sources.

Optionally AM should allow installing All apps in background but for users safety by default they'll have to click install for each app one by one. In case of mismatch of data & installation failure, clear Error message should be shown for those specific apps.

[Obegg]

There are some apps that have built-in updater like SmartTube or ReVanced Manager, surely it will be possible to have built-in updater in AppManager without Google Play Store, right? Obviously using Google Play Store would be nice, but I do have to mention that there are some apps that have built-in updater.

[MuntashirAkon]

There are some apps that have built-in updater like SmartTube or ReVanced Manager, surely it will be possible to have built-in updater in AppManager without Google Play Store, right? Obviously using Google Play Store would be nice, but I do have to mention that there are some apps that have built-in updater.

I think you're talking about #931. This issue is about updating apps other than App Manager.

[TPS]

@MuntashirAkon Pls keep an eye on https://gitlab.com/AuroraOSS/AuroraStore/-/issues/663. This is preventing GPlay access for many until thoroughly fixed.

[TPS]

Also, please see https://github.com/rumboalla/apkupdater, which provides quite a bit of this.

[TPS]

In https://github.com/MuntashirAkon/AppManager/issues/464#issuecomment-1115871354 §1.2, do you mean it will handle custom F-droid repos, as well as the default 1s?