accrescent / meta

Umbrella Accrescent issue tracker

Support download counter(s) #23

Open lberrymage opened 1 year ago

lberrymage commented 1 year ago

We should keep track of download counts for all apps. This could be done with a simple microservice on each repository server which increments a counter for each download made and can return the total number of downloads for a given app. This number will eventually be retrievable to be displayed by the developer console and included in the per-app repository metadata.

Initially we only need to support total download counts. However, per-month download counts are a must to eventually have a more dynamic value.

lberrymage commented 2 months ago

There are significant complications to having accurate download counters as a consequence of Accrescent having no accounts. Namely, there must be some sort of abuse protection mechanism to prevent an attacker from tricking Accrescent's servers into thinking an app has been downloaded thousands of times simply by sending multiple requests. Rate limiting based on IP is an option, but it's not perfect, especially if we were to be attacked by a botnet which already has thousands of IPs at its disposal.

Thankfully, I think we can use the Android attestation API for this. Upon each download the Accrescent client performs, it can generate a temporary attestation and send it off to a server for validation performed with Google's key attestation library. If the validation passes, i.e., if the server confirms that the request 1) is verified with a hardware-backed key, 2) came from a Verified or approved SelfSigned OS, and 3) came from an official build of Accrescent (i.e. with the same app ID and signature), then the install/update can be counted. Otherwise installation will proceed as normal, but the install won't be counted on Accrescent's servers.

Whenever this feature is implemented, it would be wise to discuss this approach with the GrapheneOS developers since they're familiar with Android's key attestation and how to use its APIs properly.
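
Added example, not part of the issue thread and not Accrescent's code: a sketch of the server-side counting decision described in the comments above, applying the three checks to attestation fields and keeping total and per-month counts. It assumes the certificate chain has already been verified and parsed by an attestation library; the `Attestation` class, the policy constants and the one-time server challenge used to stop a single attestation being counted twice are all assumptions introduced here.

```python
import secrets
from collections import Counter
from dataclasses import dataclass

# Constructed placeholder policy values, not Accrescent's real identifiers.
OFFICIAL_PACKAGE = "client.package.placeholder"
OFFICIAL_SIGNER = "aa" * 32                    # signing certificate digest (hex)
APPROVED_SELF_SIGNED_KEYS = {"bb" * 32}        # verified boot keys of approved OSes
HARDWARE_LEVELS = {"TrustedEnvironment", "StrongBox"}

@dataclass(frozen=True)
class Attestation:
    """Fields assumed to be parsed from a chain-verified attestation certificate."""
    security_level: str        # "Software", "TrustedEnvironment" or "StrongBox"
    verified_boot_state: str   # "Verified", "SelfSigned", "Unverified" or "Failed"
    verified_boot_key: str
    package_name: str
    signer_digests: frozenset
    challenge: bytes

class DownloadCounter:
    def __init__(self):
        self.total, self.monthly, self.pending = Counter(), Counter(), set()

    def issue_challenge(self) -> bytes:
        """One-time server challenge (an assumption) so an attestation cannot be reused."""
        challenge = secrets.token_bytes(32)
        self.pending.add(challenge)
        return challenge

    def rejection_reason(self, att: Attestation):
        if att.security_level not in HARDWARE_LEVELS:
            return "key is not hardware-backed"
        if att.verified_boot_state == "SelfSigned":
            if att.verified_boot_key not in APPROVED_SELF_SIGNED_KEYS:
                return "self-signed OS is not approved"
        elif att.verified_boot_state != "Verified":
            return "OS is not verified"
        if att.package_name != OFFICIAL_PACKAGE or att.signer_digests != frozenset({OFFICIAL_SIGNER}):
            return "not an official client build"
        if att.challenge not in self.pending:
            return "unknown or reused challenge"
        return None

    def record(self, app_id: str, month: str, att: Attestation) -> bool:
        """Count only if every check passes; the download itself is served either way."""
        if self.rejection_reason(att) is not None:
            return False
        self.pending.discard(att.challenge)    # consume the challenge
        self.total[app_id] += 1
        self.monthly[(app_id, month)] += 1
        return True
```

A rejected attestation only means the download goes uncounted, matching the behaviour proposed in the comment; the in-memory sets and counters stand in for whatever persistent store the microservice would use.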