F-Droid Support

[2F5jOQjSAn1W63tZ9iM8yPjXEORJUjgFVFNG3FD]

Any chance of adding this to F-droid?

[pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P]

I am not sure if it is possible to support f droid (never heard of it until now, im an iOS user) with Xamarin. Anyone know? I couldn't find anything on it.

[2F5jOQjSAn1W63tZ9iM8yPjXEORJUjgFVFNG3FD]

Here's their developer documentation.

https://f-droid.org/wiki/page/FAQ_-_App_Developers

[pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P]

I still do not really understand what you have to do to make the app work on f-droid? Is there some store I have to submit to?

[mIvQ8R4wzuoyhI9m4b1YRo8t1UQlUwxAetMwgCp]

Last time i looked you just needed to have a repo with reproducile build, and submit a message on the forum to say you want your app to be added.

[DXkcjJDHWO1G8tnq9NqWqVXVZMcXNu8yYuBHsx9]

@kspearrin if you'd just attach the .apk to your releases/, I could pick them up and add them to my repo, which is compatible with the F-Droid client. After the initial add, my auto-updater would fetch the next releases automatically within 24h usually. If your app finally makes it into the official F-Droid repo, and you want me to remove it from mine, just drop me a note.

[pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P]

@IzzySoft I'll start doing that with the next release which should be very soon (maybe tonight).

[pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P]

@IzzySoft When you say releases/, are you wanting me to create a releases/ directory inside the actual repo master branch root or are you wanting me to just attach the binary to the published release & tag (i.e. this page https://github.com/bitwarden/mobile/releases/tag/v1.0.0).

[DXkcjJDHWO1G8tnq9NqWqVXVZMcXNu8yYuBHsx9]

@kspearrin the latter is preferrable, as described here. And thanks a lot!

[pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P]

@IzzySoft https://github.com/bitwarden/mobile/releases/tag/v1.1.0

[DXkcjJDHWO1G8tnq9NqWqVXVZMcXNu8yYuBHsx9]

@kspearrin There you go: https://apt.izzysoft.de/fdroid/index/apk/com.x8bit.bitwarden

Once F-Droid itself picked up and your app made it into the main repo, just drop me a note if you want me to remove it from mine again (e.g. to avoid confusion, as F-Droid compiles from the source and signs with their own key, one cannot cross-update between the two).

PS: Please note that other than F-Droid, I don't keep an "archive" of old versions. My usual policy is to reserve about up to 20M per app – so apps with 6M or less have a history of 3 versions (aka "max history"). As the bitwarden .apk is already 21M, my repo will just always have the latest version. But that should be fine: in those rare cases where someone might need an older version, that can be picked from releases/ here now :)

With the initial .apk added, updates should be picked up now within ~24h of their release (i.e. after you've created the tag and attached the file). Enjoy :)

PPS: Please note the VirusTotal link. Looks like a "false alert" (just triggered by 1/56 scanners), but just in case. Not that many hits if you search for it, and always only one and the same engine reporting it. If it were real, it'd rather look like this report :)

[pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P]

Great. Interesting about the virus alert. I have no idea what W32/VBNA.alxm is.

[DXkcjJDHWO1G8tnq9NqWqVXVZMcXNu8yYuBHsx9]

As far as my search went, it's supposed to be some worm usually shipping with Windows executables. IMHO a "false positive" caused by a too broad pattern matching on some signature. That's why I usually resubmit those .apk files for a rescan a few days later. Often clears the flag as the engine's signature database had been updated meanwhile.

[pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P]

Submitted again here: https://gitlab.com/fdroid/rfp/issues/114

[EBoyVBvIIcBHUN4TKXbBJ1LIvOnwNEFp0jiZG1A]

@kspearrin bitwarden won't pass due to non-free dependencies. There are important differences between an open source app and a free/libre and open source app. Inclusion Policy

[pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P]

I'm a little confused. What non-free dependencies do we have?

[EBoyVBvIIcBHUN4TKXbBJ1LIvOnwNEFp0jiZG1A]

Google Analytics at least.

[DXkcjJDHWO1G8tnq9NqWqVXVZMcXNu8yYuBHsx9]

@kspearrin According to LibRadar (used with my repository to check what libraries are contained), I see e.g. Google Mobile Services. Guess that's what AppBrain's scanner reports as Google Cloud Messaging (GCM)

@Primokorn Google Analytics wasn't detected by either of the two. Are you sure?

[EBoyVBvIIcBHUN4TKXbBJ1LIvOnwNEFp0jiZG1A]

@IzzySoft https://github.com/bitwarden/mobile/search?utf8=%E2%9C%93&q=analytics&type= https://f-droid.org/wiki/page/Antifeature:Tracking

And I'm not sure if HockeyApp is allowed.

[pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P]

Ok. I guess I misinterpreted the definition of free here.

Google Play Services is also required for other functionality in our app like sync push notifications (GCM).

[EBoyVBvIIcBHUN4TKXbBJ1LIvOnwNEFp0jiZG1A]

Yes "free" doesn't mean "gratis" in this context https://www.gnu.org/philosophy/free-sw.en.html

[pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P]

Closing since this doesn't seem possible.

[DXkcjJDHWO1G8tnq9NqWqVXVZMcXNu8yYuBHsx9]

@Primokorn Oh. Beat me. I was just wondering that neither AppBrain nor LibRadar mentioned that. Thanks for the pointer, need to update that in my repo description then (adding the AntiFeature).

[2F5jOQjSAn1W63tZ9iM8yPjXEORJUjgFVFNG3FD]

Thanks for taking the time to look into this.

[DXkcjJDHWO1G8tnq9NqWqVXVZMcXNu8yYuBHsx9]

@kspearrin Any reason why you stopped attaching the .apk to the corresponding releases? Without that, I cannot keep it updated in my repo :smile_cat:

[pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P]

Just forgot. Updated now.

[DXkcjJDHWO1G8tnq9NqWqVXVZMcXNu8yYuBHsx9]

Thought so :smile_cat: Thanks, should be picked up then tonight.

[iHjnUitTJaewnxrLeb4AsQ0mW3ARPkFYKVkyGSU]

We tried that too in the past and it really just works, if the app has functionality without the presence of the play store API for example... if some things work but not everything it still can be submitted - but will get some "anti-feature" badges - which is ok... ...its a store for people who don't want to use a playstore account - are at least they want the ability to use the app without that...

[AO1eCMNM0cCYHXbdGfBWUagNEXGFsa5lm6UFYIM]

Sorry for necrobumping this, but would it perhaps be possible to make a Libre build that goes into FDroid without the Google dependencies? I know Fasthub does this.

Especially now with Google crippling apps using accessibility features this might be something to look into...

[pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P]

I'll re-open this as an option to look into for building the app without the Google library dependencies, albeit with some reduced functionality.

[EBoyVBvIIcBHUN4TKXbBJ1LIvOnwNEFp0jiZG1A]

@kspearrin Which features couldn't be included without Google dependencies?

[pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P]

Push notifications is the main thing that will be missing.

[pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P]

I have now created a build that strips all Google and HockeyApp libs from the application while still maintaining a functional app. Push notifications for instant updates are now gone so you'll have to manually keep the app in sync (it should still automatically sync periodically though).

A special apk for F-Droid is now generated by our CI system and attached as artifacts to each build here:

https://ci.appveyor.com/project/bitwarden/mobile/build/artifacts

Anyone know of a tool (apk scanner?) I can use to verify that no Google or HockeyApp bits are still present in the F-Droid apk? Is there something the F-Droid people uses to verify all of this?

Then I guess we can now open the F-Droid repository request again.

[DXkcjJDHWO1G8tnq9NqWqVXVZMcXNu8yYuBHsx9]

@kspearrin As soon as those changes reflected in the APK on the releases/ that go to my repo, you could check this here (might not be complete – but it showed those libraries for previous builds). Unfortunately, current builds fail apkchecker:

DOES NOT VERIFY
ERROR: JAR signer BITWARDE.RSA: Failed to verify JAR signature META-INF/BITWARDE.RSA against META-INF/BITWARDE.SF: java.security.SignatureException: Algorithm constraints check failed on disabled algorithm: MD5.
ERROR:
repo/com.x8bit.bitwarden_1.14.1.apk:

which might be a show-stopper if you plan to go for "reproducible builds" (KnownVuln). In my repo I've configured to permit for MD5 and only have fdroidserver place the corresponding AntiFeature (it does that automatically then).

[pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P]

@IzzySoft any way I can easily run your tool without doing an official release?

[DXkcjJDHWO1G8tnq9NqWqVXVZMcXNu8yYuBHsx9]

@kspearrin Guess it will take a little to set that up. I use a combination of multiple tools to make sure I catch as many libraries as possible. LibRadar does the main part, but I further evaluate Smali output captured from ApkTool. Nothing you'd be likely to finish before your coffee gets very cold, sorry.

[DXkcjJDHWO1G8tnq9NqWqVXVZMcXNu8yYuBHsx9]

PS: thinking aloud, @kspearrin – if I had the file, I could run the check manually and just skip the "publish" step. Your app is in my repo anyhow, so everything is set up for it :wink:

[pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P]

@IzzySoft You can download the fdroid apk from here: https://ci.appveyor.com/project/bitwarden/mobile/build/artifacts

[DXkcjJDHWO1G8tnq9NqWqVXVZMcXNu8yYuBHsx9]

@kspearrin I've picked com.x8bit.bitwarden-fdroid-1270.apk. It still shows all those libs (Firebase, GMS, GA). Did you remove the components, or replace them by "stubs"?

[pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P]

They are suppose to be removed completely. Hmm...

[DXkcjJDHWO1G8tnq9NqWqVXVZMcXNu8yYuBHsx9]

Not according to the Smali output. Small excerpt:

./smali/com/google/android/gms/actions
./smali/com/google/android/gms/ads/identifier
./smali/com/google/android/gms/analytics/ecommerce
…
./smali/com/google/android/gms/tasks
./smali/com/google/firebase/analytics
./smali/com/google/firebase/auth

[pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P]

Does HockeyApp show?

[pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P]

@IzzySoft I see the problem. Thanks.

[DXkcjJDHWO1G8tnq9NqWqVXVZMcXNu8yYuBHsx9]

Let me know then when I should do another run, @kspearrin :wink:

[pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P]

@IzzySoft Can you please try the latest CI build now? https://ci.appveyor.com/project/bitwarden/mobile/build/artifacts

[DXkcjJDHWO1G8tnq9NqWqVXVZMcXNu8yYuBHsx9]

If size is an indicator, this already looks promising (lost some "weight"). Smali looks good, cannot see those dependencies anymore (any reason for those obfuscated md5 hashed library paths like smali/md500032558e65d65a9fc0bf95666812307?). Just one candidate is left according to my scanner bundle: GMS. As I cannot see that in the Smali output, it must be the call analysis done by LibRadar (those MD5-Paths could be obsuced GMS libs) – or a false positive.

TL;DR: I'd say you could approach an F-Droid maintainer now (at least if you know what those obscured paths are and they are not GMS). If there's really "a trace left", they are likely to find it. Or confirm it's clean.

[pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P]

@IzzySoft I'm not sure what all those md5 hashes are honestly. Not sure where the "GMS" flag is coming from. Can't locate anything myself in the APK.

Thanks.

[DXkcjJDHWO1G8tnq9NqWqVXVZMcXNu8yYuBHsx9]

I'm not sure what all those md5 hashes are honestly.

Glad to read it was not you intentionally then :wink: Maybe you could compare the list of libraries my scanner detected to the ones you know you're using – so we might guess the culprit? Such obfuscations often rise suspicions, so they are best avoided especially if one cannot explain them.

Not sure where the "GMS" flag is coming from.

Must be something inside those obfuscated parts, or we'd see it in the Smali output. Unfortunately you're not using Gradle, or I'd cross-check that myself (I'm not an Android dev, so I'm not familiar with all aspects of programming there). What my scanner-collection detects you can see in the "Libraries detected" section here. If there's anything you use that's not listed there, that might be the obfuscated part / the part where GMS is "suspected".

[pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P]

We're not intentionally doing any kind of obfuscation here so I am not sure where it could be hidden.

[DXkcjJDHWO1G8tnq9NqWqVXVZMcXNu8yYuBHsx9]

No, that was my conclusion, too. That's why I suggested if you might check the list of libraries shown in my repo and see which one is missing (i.e. not detected by my scanners), so we might get an idea what that could be. If only for curiosity.

[pPmnBRRYhIemiuiy3VBYULJIzQyZaEvWMbCPH1P]

Known, still there:

• Android Support v4 (Development Framework)
• Xamarin (Development Framework)
• Mono for Android (Development Framework)
• Android Design Support Library (Utility)
• Android Support v7 (Development Framework)
• Samsung Mobile SDK Pass (Fingerprint) (Utility)
• FFImageLoading (Utility)

Unknown, presumed still there:

• SlidingMenu (UI Component)
• Pdftron PDF Widget (Utility)
• The Open Toolkit Library (Utility)

Removed (or at least should be):

• Google Mobile Services (Development Framework)
• Firebase (Utility)
• HockeyApp (Utility)

No idea what those three unknown libs are or why they show up in your scanner.