RadarCOVID / radar-covid-android

Native Android app using DP^3T Android sdk to handle Exposure Notifications API from Google
Mozilla Public License 2.0

(Solved) - Clarification regarding ApiInterface.kt discrepancies 🔑 #10

Closed i-rme closed 3 years ago

i-rme commented 3 years ago

Hi, it would be interesting to clarify why there are fewer API methods in the source code released here: https://github.com/RadarCOVID/radar-covid-android/blob/master/app/src/main/java/es/gob/radarcovid/datamanager/api/ApiInterface.kt

than in the Play Store version: https://github.com/josemoyab/radar-covid/blob/8acb96f8ccd979f03db3c6dbfdf162d66ad6ac5a/sources/p003f/p004a/p005a/p006a/p008b/C0436a.java

image

I am particularly interested in the removal of the method /kpi/kpi and RequestKPI that are live on the Play Store version: https://github.com/josemoyab/radar-covid/blob/8acb96f8ccd979f03db3c6dbfdf162d66ad6ac5a/sources/p002es/gob/radarcovid/models/request/RequestKpi.java

Thanks!

JuanFMontesinos commented 3 years ago

Hi @i-rme , What are the missing APIs used for? Any idea?

i-rme commented 3 years ago

These differences could be related to the test done in La Gomera, but it should be confirmed whether they are still active in the current Play Store version.

More differences in the features folder. image

Released Version: https://github.com/RadarCOVID/radar-covid-android/tree/master/app/src/main/java/es/gob/radarcovid/features

Play Store Version: https://github.com/josemoyab/radar-covid/tree/8acb96f8ccd979f03db3c6dbfdf162d66ad6ac5a/sources/p002es/gob/radarcovid/features

j-rivero commented 3 years ago

> These differences could be related to the test done in La Gomera, but it should be confirmed whether they are still active in the current Play Store version.

To help everyone and clarify the situation we might need to know: Is the current code in github the one generating the app that is currently in play store? If it is not, can that code version be uploaded somewhere for auditing or can the app in the store be updated to the current code version? Going open source means for me that people should not need to spend time investigating differences or reverse engineering the code.

i-rme commented 3 years ago

> These differences could be related to the test done in La Gomera, but it should be confirmed whether they are still active in the current Play Store version.

> To help everyone and clarify the situation we might need to know: Is the current code in github the one generating the app that is currently in play store? If it is not, can that code version be uploaded somewhere for auditing or can the app in the store be updated to the current code version? Going open source means for me that people should not need to spend time investigating differences or reverse engineering the code.

As far as I can tell, the Play Store one (updated 7 August 2020, current version 1.0) is the same as the one decompiled 11 days ago and available on github (versionCode 5, versionName 1.0, uploaded 11 days ago).

Anyone can get the latest version from the Play Store and double check it.

Maybe the released source code is for a future version that is still pending review.

spanishkangaroo commented 3 years ago

@i-rme @j-rivero as you both said, it looks like they released a different version. In fact, as per the comment on this commit, it looks like the test in La Gomera had "something", now unused, regarding PKI stuff. Let @iCesofT or his team clarify this matter. Anyway @i-rme, never trust the relationship between versionName and any other class or app resource. In fact, many development teams release a version X and keep adding features without modifying versionName or versionCode; those are changed by some other tool in the pipeline, review process, etc. just before the final release to production, so many different actual versions of the app share the same version.

linuxct commented 3 years ago

> In fact, many development teams release a version X and keep adding features without modifying versionName or versionCode; those are changed by some other tool in the pipeline, review process, etc. just before the final release to production, so many different actual versions of the app share the same version.

@spanishkangaroo Just for the record, the application code of the current production and beta testing channels that is live on the Play Store right now is exactly the same, and both contain as of 2020/09/09 the /kpi/kpi, /questionnaire/questions and /questionnaire/answers endpoints, just as described in this issue. What you comment is definitely good to note, but is not happening in this situation.

You can check this yourself by enrolling in the Open Beta, uninstalling and reinstalling the application, and then pull it from your device to check its contents.

adb shell
$ pm path es.gob.radarcovid
adb pull /path/that/you/got/from/pm/base.apk

(repeat as needed with as many split APKs found).
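
As an added example (not RadarCOVID project code, and not part of this thread), the check above can be scripted: parse the `pm path` output into the list of APKs to pull, then scan the `classes*.dex` entries of a pulled APK for the endpoint paths named in this issue. The sample APK built by `build_sample_apk` is a constructed stand-in, and the `/example/...` literals in it are placeholders, not real endpoints.

```python
"""Audit a pulled APK for endpoint paths that the released source does not declare."""
import io
import re
import sys
import zipfile

# Endpoint paths this issue reports in the Play Store build but not in ApiInterface.kt.
EXTRA_ENDPOINTS = ("/kpi/kpi", "/questionnaire/questions", "/questionnaire/answers")


def parse_pm_path(output):
    """Turn `pm path <pkg>` output ('package:/data/app/.../base.apk' per line)
    into the list of APK paths to pull, base APK and split APKs alike."""
    return [line[len("package:"):].strip()
            for line in output.splitlines() if line.startswith("package:")]


def dex_strings(apk_bytes, min_len=4):
    """Collect printable ASCII runs from every classes*.dex inside the APK.
    Retrofit-style route annotations keep their paths as string literals, so a
    plain string scan finds them even when class names are obfuscated."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                found.update(m.decode("ascii")
                             for m in re.findall(rb"[ -~]{%d,}" % min_len, zf.read(name)))
    return found


def find_endpoints(apk_bytes, candidates=EXTRA_ENDPOINTS):
    """Return the sorted subset of `candidates` present in the APK's dex strings."""
    literals = dex_strings(apk_bytes)
    return sorted(ep for ep in candidates if any(ep in s for s in literals))


def build_sample_apk(with_extra):
    """Constructed stand-in for a pulled APK: a zip holding a fake classes.dex
    that contains only a few NUL-separated string literals (placeholders)."""
    literals = [b"/example/endpoint-a", b"/example/endpoint-b"]
    if with_extra:
        literals += [ep.encode("ascii") for ep in EXTRA_ENDPOINTS]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"\x00".join(literals))
    return buf.getvalue()


if __name__ == "__main__":  # usage: python audit_apk.py base.apk [split.apk ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "->", find_endpoints(fh.read()) or "no extra endpoints found")
```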

spanishkangaroo commented 3 years ago

> > In fact, many development teams release a version X and keep adding features without modifying versionName or versionCode; those are changed by some other tool in the pipeline, review process, etc. just before the final release to production, so many different actual versions of the app share the same version.
>
> @spanishkangaroo Just for the record, the application code of the current production and beta testing channels that is live on the Play Store right now is exactly the same, and both contain as of 2020/09/09 the /kpi/kpi, /questionnaire/questions and /questionnaire/answers endpoints, just as described in this issue. What you comment is definitely good to note, but is not happening in this situation.
>
> You can check this yourself by enrolling in the Open Beta, uninstalling and reinstalling the application, and then pull it from your device to check its contents.
>
> adb shell
> $ pm path es.gob.radarcovid
> adb pull /path/that/you/got/from/pm/base.apk
>
> (repeat as needed with as many split APKs found).

Sorry, my bad. I probably didn't make myself clear. Maybe the released source code is some kind of "in-development" version, that is, of course, not the current production build and not even the current beta build. Something like an alpha or "developers' work-in-progress" version. What do you think @linuxct?

i-rme commented 3 years ago

I've just checked and the Play Store app is still different from the Github app.

Why?

j-rivero commented 3 years ago

There is a new version in the Play Store, 1.0.6. There is also a release in this repository tagged 1.0.6-6. Hopefully the app version corresponds to the release code. Could someone from the developer team confirm that this is the case, please?

linuxct commented 3 years ago

This issue can be closed, as the latest version up on the Play Store shows no KPI- or Questionnaire-related endpoints.

image

@spanishkangaroo, you were right: the released code (version 1.0-5) was part of a seemingly in-development/prior version, as can be seen from the changes made to production today. Props to the development team for sticking to the released open-source code and even not running Proguard on this version, although I personally consider that using Proguard in production is fine.

i-rme commented 3 years ago

As said in the comments above, I can confirm that the unexpected KPI methods and API endpoints are no longer present in the Play Store release 1.0.6.

image

The issue is solved and will be closed in the following days.