bitwarden / android

Bitwarden mobile app for Android.
https://bitwarden.com
GNU General Public License v3.0

F-Droid Support #6

Closed cwmke closed 5 years ago

cwmke commented 8 years ago

Any chance of adding this to F-droid?

kspearrin commented 8 years ago

I am not sure if it is possible to support F-Droid (never heard of it until now, I'm an iOS user) with Xamarin. Anyone know? I couldn't find anything on it.

cwmke commented 8 years ago

Here's their developer documentation.

https://f-droid.org/wiki/page/FAQ_-_App_Developers

kspearrin commented 8 years ago

I still do not really understand what you have to do to make the app work on F-Droid. Is there some store I have to submit to?

nikaro commented 8 years ago

Last time I looked you just needed to have a repo with a reproducible build, and submit a message on the forum to say you want your app to be added.

IzzySoft commented 8 years ago

@kspearrin if you'd just attach the .apk to your releases/, I could pick them up and add them to my repo, which is compatible with the F-Droid client. After the initial add, my auto-updater would fetch the next releases automatically within 24h usually. If your app finally makes it into the official F-Droid repo, and you want me to remove it from mine, just drop me a note.

kspearrin commented 8 years ago

@IzzySoft I'll start doing that with the next release which should be very soon (maybe tonight).

kspearrin commented 8 years ago

@IzzySoft When you say releases/, are you wanting me to create a releases/ directory inside the actual repo master branch root or are you wanting me to just attach the binary to the published release & tag (i.e. this page https://github.com/bitwarden/mobile/releases/tag/v1.0.0).

IzzySoft commented 8 years ago

@kspearrin the latter is preferable, as described here. And thanks a lot!

kspearrin commented 8 years ago

@IzzySoft https://github.com/bitwarden/mobile/releases/tag/v1.1.0

IzzySoft commented 8 years ago

@kspearrin There you go: https://apt.izzysoft.de/fdroid/index/apk/com.x8bit.bitwarden

Once F-Droid itself has picked it up and your app has made it into the main repo, just drop me a note if you want me to remove it from mine again (e.g. to avoid confusion: as F-Droid compiles from the source and signs with their own key, one cannot cross-update between the two).

PS: Please note that, unlike F-Droid, I don't keep an "archive" of old versions. My usual policy is to reserve up to about 20M per app – so apps with 6M or less have a history of 3 versions (aka "max history"). As the bitwarden .apk is already 21M, my repo will just always have the latest version. But that should be fine: in those rare cases where someone might need an older version, that can be picked from releases/ here now :)

With the initial .apk added, updates should be picked up now within ~24h of their release (i.e. after you've created the tag and attached the file). Enjoy :)

PPS: Please note the VirusTotal link. Looks like a "false alert" (just triggered by 1/56 scanners), but just in case. Not that many hits if you search for it, and always only one and the same engine reporting it. If it were real, it'd rather look like this report :)

kspearrin commented 8 years ago

Great. Interesting about the virus alert. I have no idea what W32/VBNA.alxm is.

IzzySoft commented 8 years ago

As far as my search went, it's supposed to be some worm usually shipping with Windows executables. IMHO a "false positive" caused by too broad a pattern match on some signature. That's why I usually resubmit those .apk files for a rescan a few days later. Often that clears the flag, as the engine's signature database has been updated in the meantime.

kspearrin commented 7 years ago

Submitted again here: https://gitlab.com/fdroid/rfp/issues/114

walrus543 commented 7 years ago

@kspearrin bitwarden won't pass due to non-free dependencies. There are important differences between an open source app and a free/libre and open source app. Inclusion Policy

kspearrin commented 7 years ago

I'm a little confused. What non-free dependencies do we have?

walrus543 commented 7 years ago

Google Analytics at least.

IzzySoft commented 7 years ago

@kspearrin According to LibRadar (used with my repository to check what libraries are contained), I see e.g. Google Mobile Services. Guess that's what AppBrain's scanner reports as Google Cloud Messaging (GCM).

@Primokorn Google Analytics wasn't detected by either of the two. Are you sure?

walrus543 commented 7 years ago

@IzzySoft https://github.com/bitwarden/mobile/search?utf8=%E2%9C%93&q=analytics&type= https://f-droid.org/wiki/page/Antifeature:Tracking

And I'm not sure if HockeyApp is allowed.

kspearrin commented 7 years ago

Ok. I guess I misinterpreted the definition of free here.

Google Play Services is also required for other functionality in our app like sync push notifications (GCM).

walrus543 commented 7 years ago

Yes, "free" doesn't mean "gratis" in this context: https://www.gnu.org/philosophy/free-sw.en.html

kspearrin commented 7 years ago

Closing since this doesn't seem possible.

IzzySoft commented 7 years ago

@Primokorn Oh. Beat me. I was just wondering why neither AppBrain nor LibRadar mentioned that. Thanks for the pointer, need to update that in my repo description then (adding the AntiFeature).

cwmke commented 7 years ago

Thanks for taking the time to look into this.

IzzySoft commented 7 years ago

@kspearrin Any reason why you stopped attaching the .apk to the corresponding releases? Without that, I cannot keep it updated in my repo :smile_cat:

kspearrin commented 7 years ago

Just forgot. Updated now.

IzzySoft commented 7 years ago

Thought so :smile_cat: Thanks, should be picked up then tonight.

mr-gosh commented 7 years ago

We tried that too in the past and it really just works if the app has functionality without the presence of the Play Store API, for example. If some things work but not everything, it still can be submitted, but will get some "anti-feature" badges, which is OK. It's a store for people who don't want to use a Play Store account, or at least want the ability to use the app without that.

NanoSector commented 7 years ago

Sorry for necrobumping this, but would it perhaps be possible to make a Libre build that goes into F-Droid without the Google dependencies? I know Fasthub does this.

Especially now with Google crippling apps using accessibility features this might be something to look into...

kspearrin commented 6 years ago

I'll re-open this as an option to look into for building the app without the Google library dependencies, albeit with some reduced functionality.

walrus543 commented 6 years ago

@kspearrin Which features couldn't be included without Google dependencies?

kspearrin commented 6 years ago

Push notifications are the main thing that will be missing.

kspearrin commented 6 years ago

I have now created a build that strips all Google and HockeyApp libs from the application while still maintaining a functional app. Push notifications for instant updates are now gone so you'll have to manually keep the app in sync (it should still automatically sync periodically though).

A special apk for F-Droid is now generated by our CI system and attached as artifacts to each build here:

https://ci.appveyor.com/project/bitwarden/mobile/build/artifacts

Anyone know of a tool (apk scanner?) I can use to verify that no Google or HockeyApp bits are still present in the F-Droid apk? Is there something the F-Droid people use to verify all of this?

Then I guess we can now open the F-Droid repository request again.

IzzySoft commented 6 years ago

@kspearrin As soon as those changes are reflected in the APK on the releases/ that go to my repo, you could check this here (might not be complete – but it showed those libraries for previous builds). Unfortunately, current builds fail apkchecker:

DOES NOT VERIFY
ERROR: JAR signer BITWARDE.RSA: Failed to verify JAR signature META-INF/BITWARDE.RSA against META-INF/BITWARDE.SF: java.security.SignatureException: Algorithm constraints check failed on disabled algorithm: MD5.
ERROR:
repo/com.x8bit.bitwarden_1.14.1.apk:

which might be a show-stopper if you plan to go for "reproducible builds" (KnownVuln). In my repo I've configured it to permit MD5 and only have fdroidserver place the corresponding AntiFeature (it does that automatically then).

kspearrin commented 6 years ago

@IzzySoft any way I can easily run your tool without doing an official release?

IzzySoft commented 6 years ago

@kspearrin Guess it will take a little to set that up. I use a combination of multiple tools to make sure I catch as many libraries as possible. LibRadar does the main part, but I further evaluate Smali output captured from ApkTool. Nothing you'd be likely to finish before your coffee gets very cold, sorry.

IzzySoft commented 6 years ago

PS: thinking aloud, @kspearrin – if I had the file, I could run the check manually and just skip the "publish" step. Your app is in my repo anyhow, so everything is set up for it :wink:

kspearrin commented 6 years ago

@IzzySoft You can download the fdroid apk from here: https://ci.appveyor.com/project/bitwarden/mobile/build/artifacts

IzzySoft commented 6 years ago

@kspearrin I've picked com.x8bit.bitwarden-fdroid-1270.apk. It still shows all those libs (Firebase, GMS, GA). Did you remove the components, or replace them by "stubs"?

kspearrin commented 6 years ago

They are supposed to be removed completely. Hmm...

IzzySoft commented 6 years ago

Not according to the Smali output. Small excerpt:

./smali/com/google/android/gms/actions
./smali/com/google/android/gms/ads/identifier
./smali/com/google/android/gms/analytics/ecommerce
…
./smali/com/google/android/gms/tasks
./smali/com/google/firebase/analytics
./smali/com/google/firebase/auth

kspearrin commented 6 years ago

Does HockeyApp show?

kspearrin commented 6 years ago

@IzzySoft I see the problem. Thanks.

IzzySoft commented 6 years ago

Let me know then when I should do another run, @kspearrin :wink:

kspearrin commented 6 years ago

@IzzySoft Can you please try the latest CI build now? https://ci.appveyor.com/project/bitwarden/mobile/build/artifacts

IzzySoft commented 6 years ago

If size is an indicator, this already looks promising (lost some "weight"). Smali looks good, cannot see those dependencies anymore (any reason for those obfuscated md5-hashed library paths like smali/md500032558e65d65a9fc0bf95666812307?). Just one candidate is left according to my scanner bundle: GMS. As I cannot see that in the Smali output, it must be the call analysis done by LibRadar (those MD5 paths could be obscured GMS libs) – or a false positive.

TL;DR: I'd say you could approach an F-Droid maintainer now (at least if you know what those obscured paths are and they are not GMS). If there's really "a trace left", they are likely to find it. Or confirm it's clean.
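The check kspearrin asked for earlier (verifying that no Google or HockeyApp bits remain in the F-Droid apk) and the md5-hashed directories noted just above can both be covered by walking the smali output of apktool. The script below is an added example, not the bitwarden project's code nor IzzySoft's scanner bundle; the package prefixes it flags and the sample directory listings are my assumptions, modelled on the excerpts quoted in this thread.

```python
import os
import re

# Package prefixes F-Droid would object to, as named in this thread; the
# exact prefixes are my assumption, not something the thread states.
FLAGGED_PREFIXES = {
    "com/google/android/gms": "Google Mobile Services (GMS)",
    "com/google/firebase": "Firebase",
    "net/hockeyapp": "HockeyApp",
}
# "md5" + 32 hex digits: such directory names hide which package a class
# belongs to, so a scanner cannot rule out GMS inside them. Report them.
MD5_DIR = re.compile(r"^md5[0-9a-f]{32}$")

def classify_paths(paths):
    """Classify smali directory paths (relative to the apktool output root,
    e.g. "smali/com/google/firebase/auth"; multidex smali_classes2/ dirs
    are handled the same way). Returns
    {"flagged": {library: [paths]}, "opaque": [md5-hashed dirs]}."""
    flagged, opaque = {}, set()
    for p in paths:
        parts = p.strip("./").split("/")
        if len(parts) < 2 or not parts[0].startswith("smali"):
            continue
        pkg = "/".join(parts[1:])
        for prefix, name in FLAGGED_PREFIXES.items():
            if pkg == prefix or pkg.startswith(prefix + "/"):
                flagged.setdefault(name, []).append(p)
        if MD5_DIR.match(parts[1]):
            opaque.add(parts[1])
    return {"flagged": flagged, "opaque": sorted(opaque)}

def scan_apktool_dir(root):
    """Walk a real `apktool d <apk>` output directory and classify it."""
    rel_dirs = [os.path.relpath(d, root).replace(os.sep, "/")
                for d, _, _ in os.walk(root)]
    return classify_paths(rel_dirs)

# Constructed samples modelled on the excerpts quoted in this thread.
SAMPLE_BEFORE = [
    "./smali/com/google/android/gms/actions",
    "./smali/com/google/android/gms/analytics/ecommerce",
    "./smali/com/google/firebase/analytics",
    "./smali/com/google/firebase/auth",
    "./smali/com/x8bit/bitwarden",
]
SAMPLE_AFTER = [
    "./smali/com/x8bit/bitwarden",
    "./smali/md500032558e65d65a9fc0bf95666812307",
]
```

Run `scan_apktool_dir("path/to/apktool-output")` against a real decode; `classify_paths(SAMPLE_BEFORE)` reproduces the "before" finding and `classify_paths(SAMPLE_AFTER)` shows a clean result apart from the opaque md5 directory.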

kspearrin commented 6 years ago

@IzzySoft I'm not sure what all those md5 hashes are honestly. Not sure where the "GMS" flag is coming from. Can't locate anything myself in the APK.

Thanks.

IzzySoft commented 6 years ago

I'm not sure what all those md5 hashes are honestly.

Glad to read it was not you intentionally then :wink: Maybe you could compare the list of libraries my scanner detected to the ones you know you're using – so we might guess the culprit? Such obfuscations often raise suspicions, so they are best avoided, especially if one cannot explain them.

Not sure where the "GMS" flag is coming from.

Must be something inside those obfuscated parts, or we'd see it in the Smali output. Unfortunately you're not using Gradle, or I'd cross-check that myself (I'm not an Android dev, so I'm not familiar with all aspects of programming there). What my scanner-collection detects you can see in the "Libraries detected" section here. If there's anything you use that's not listed there, that might be the obfuscated part / the part where GMS is "suspected".

kspearrin commented 6 years ago

We're not intentionally doing any kind of obfuscation here so I am not sure where it could be hidden.

IzzySoft commented 6 years ago

No, that was my conclusion, too. That's why I suggested if you might check the list of libraries shown in my repo and see which one is missing (i.e. not detected by my scanners), so we might get an idea what that could be. If only for curiosity.

kspearrin commented 6 years ago

Known, still there:

Unknown, presumed still there:

Removed (or at least should be):

No idea what those three unknown libs are or why they show up in your scanner.