App is not reproducible, many diffs when comparing apks

[emanuelb]

I Build latest commit for version 4.9.1 https://github.com/breadwallet/breadwallet-android/commit/a6b8add794ced98b2ea77c3dcecaadd7a91dfdd7

git clone --depth 1 https://github.com/breadwallet/breadwallet-android
cd breadwallet-android/

with 2 containers (1 alpine based, 1 debian based):

Containerfile.alpine:

FROM frolvlad/alpine-glibc

RUN set -ex; \
    apk update; \
    apk add --no-cache \
        openjdk8; \
    adduser -D appuser;

USER appuser

COPY --chown=appuser:root . /app/brd/

ENV ANDROID_SDK_ROOT="/app/sdk" \
    ANDROID_HOME="/app/sdk"

WORKDIR /app/brd/

RUN set -ex; \
    mkdir -p "/app/sdk/licenses"; \
    printf "\n24333f8a63b6825ea9c5514f83c2829b004d1fee" > "/app/sdk/licenses/android-sdk-license"; \
    ./gradlew assembleRelease

Containerfile.debian:

FROM debian:sid-slim

RUN set -ex; \
    mkdir -p /usr/share/man/man1/; \
    apt-get update; \
    apt-get install --yes --no-install-recommends openjdk-11-jdk; \
    rm -rf /var/lib/apt/lists/*; \
    useradd -ms /bin/bash appuser;

USER appuser

ENV ANDROID_HOME=/app/sdk/ \
    ANDROID_SDK_ROOT="/app/sdk"

COPY --chown=appuser:root . /app/brd/

WORKDIR /app/brd/

RUN set -ex; \
    mkdir -p "/app/sdk/licenses"; \
    printf "\n24333f8a63b6825ea9c5514f83c2829b004d1fee" > "/app/sdk/licenses/android-sdk-license"; \
    ./gradlew assembleRelease

build with:

podman build --rm -t brd_build_apk -f Containerfile.alpine .
podman build --rm -t brd_build_apk -f Containerfile.debian .

Comparing them & to the apk from google-play, result in difference in many files.

• many diffs in .png files, probably cause build process optimize the PNG, which should be avoided, see disabling cruncherEnabled at: https://f-droid.org/en/docs/Reproducible_Builds/#png-crushcrunch or maybe other setting like vectorDrawables.useSupportLibrary = true, etc..
• strings.xml contain additional elements in google-play:

  <string name="com.crashlytics.android.build_id">00000000000000000000000000000000</string>
  <string name="default_web_client_id">12373551790-2fasqr00f8cnk1cj523fto4bdd5i8l36.apps.googleusercontent.com</string>
  <string name="firebase_database_url">https://brd-android.firebaseio.com</string>
  <string name="gcm_defaultSenderId">12373551790</string>
  <string name="google_api_key">AIzaSyAmyWh446kBhQ4osuGuEJJTb2jMjJ8QjKU</string>
  <string name="google_app_id">1:12373551790:android:8e3bb25773656e99551b3f</string>
  <string name="google_crash_reporting_api_key">AIzaSyAmyWh446kBhQ4osuGuEJJTb2jMjJ8QjKU</string>
  <string name="google_storage_bucket">brd-android.appspot.com</string>
  <string name="project_id">brd-android</string>

• more diffs in classes3.dex/classes2.dex/classes.dex files
• diff in resources.arsc

see also related issue about this topic: https://github.com/breadwallet/breadwallet-android/issues/117

[Giszmo]

They closed the other issue. I have little hope they will fix it.

As a solution to the concern about projects that fork this one and leave in the api keys, OP left me a message in Twitter I'm not sure he meant the following but the correct approach would probably be to:

1. Change the applicationId to something generic
2. Add a non-default branch for BRD releases where the applicationId is changed back to the BRD-ish com.breadwallet
3. Add the keys on that non-default branch, together with legal threats towards projects that use those API keys. That warning would best fit next to the applicationId.

[DrewCarlson]

Thanks for your interest in the project. As mentioned in the issue you linked, we do not plan to change the production build environment or disable features that improve the user experience. While we do our best to maintain the ability for anyone to build the BRD mobile applications locally, it is intended for personal use and not to replicate production builds. Currently Play Store APKs are produced from a M1 Mac and this is not something the development team can change.