nic-delhi / AarogyaSetu_Android

Aarogya Setu Android app native code
https://www.aarogyasetu.gov.in/

MD5 hash of release version and this version mismatch. #297

Open VivekYadav7272 opened 4 years ago

VivekYadav7272 commented 4 years ago

I tried reverse engineering the release build and removed any files that were user-specific (like .properties) so all files should be the same. Also, both the apps were tested in the (same) Android Simulator so none gathered any additional outside data that might change its size or content. Despite this, the MD5 hashes come out to be different, so it may be that the open-sourced version is different from the one that is actually in our phones. Especially considering the fact that the actual repo for Aarogya Setu is different, and this one is solely for open-source purposes. Very suspicious as this could mean they are potentially hiding any privacy-invading code from us.

vinaybedre commented 4 years ago

@VivekYadav7272 Do you know that an MD5 hash generated with one security cert and with another will be different? Do you have the cert which was used to sign by NIC?

aravindvnair99 commented 4 years ago

Related to and/or possible duplicate of #186 and/or #278

anivar commented 4 years ago

Related to https://github.com/nic-delhi/AarogyaSetu_Android/issues/36 too

mohsin commented 4 years ago

@VivekYadav7272 Given that the ProGuard rules are also specified in this repository, one could reverse engineer the APK from the Play Store and diff it with a locally built APK to find the code differences alone.

I'm not going to perform the process, mostly because it's time consuming and I don't really care. It's a government app, so I expect it to be sub-par quality and also to invade users' privacy by design, as per my purview. However, I can write down the steps for you to do this on your own:

  1. Use adb or better yet "AirDroid web" to connect to your device where the app is installed and download the APK using the download feature.
  2. Use dex2jar to convert the APK to a JAR file (use one of the nightly builds, which works best for Kotlin-based APKs).
  3. Now use JD-GUI or any other Jar decompiler/viewer.
  4. Use the Save All feature to save the whole thing as a ZIP.

Do the same above steps to your APK generated from this repository. You will get a similar ZIP. Now extract both and pass them over a nice GUI-based diff tool. I'd recommend Meld as their folder comparison would be good for this.

This diff itself should be more than sufficient to find the extra "invasive" code. But if you want to go further and reverse engineer the code exactly to source then you can use this repository's source code as a reference and manually replace the ProGuard obfuscated class members and names with the real name across the two unzipped folders to get back the original source code.

Alternatively, to do this automatically with a program rather than manually, just enable the generate mapping.txt option in your local copy of the source code and get the generated mapping file during the build process. Now use this mapping file and run the retrace program on the decompiled (i.e. jar'd) Play Store APK to get the de-obfuscated APK, rather than doing it by hand. Although I've never done this using the retrace tool so far, so I'm not very confident that this automatic way will work for certain: theoretically possible, practically never tested 😅
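As an added example (not code from this thread or from the AarogyaSetu project), the script below makes vinaybedre's point and mohsin's diff procedure concrete at the ZIP-entry level rather than the whole-file level. An APK is a ZIP; v1 signing writes signer-specific files under META-INF/ (MANIFEST.MF, *.SF, *.RSA/*.DSA/*.EC), so two builds of identical code signed with different certificates never share a whole-file MD5. Comparing a hash of each entry instead, with the signature entries set aside, separates "different signer" from "different code". The APKs used here are constructed stand-ins built with zipfile (the file names and payload bytes are made up for the demonstration), and the v2/v3 signing block, which lives outside the ZIP entries, is not visible to this comparison.

```python
import hashlib
import os
import tempfile
import zipfile

# v1 (JAR) signature entries: these change whenever the signing key changes,
# even if every other byte of the APK is identical.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")
SIGNATURE_NAMES = ("META-INF/MANIFEST.MF",)


def is_signature_entry(name):
    """True for ZIP entries written by the APK v1 signer."""
    if not name.startswith("META-INF/"):
        return False
    return name in SIGNATURE_NAMES or name.upper().endswith(SIGNATURE_SUFFIXES)


def file_md5(path):
    """Whole-file MD5, the comparison the issue reporter made."""
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()


def entry_digests(apk_path, skip_signature=True):
    """Map each ZIP entry name to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(apk_path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if skip_signature and is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(path_a, path_b, skip_signature=True):
    """Entry-level diff of two APKs: what is missing, added, or changed."""
    a = entry_digests(path_a, skip_signature)
    b = entry_digests(path_b, skip_signature)
    names_a, names_b = set(a), set(b)
    common = names_a & names_b
    return {
        "only_in_a": sorted(names_a - names_b),
        "only_in_b": sorted(names_b - names_a),
        "differing": sorted(n for n in common if a[n] != b[n]),
        "identical": sorted(n for n in common if a[n] == b[n]),
    }


def build_sample_apk(path, signer, extra_entries=None):
    """Constructed stand-in for an APK: fixed payload plus signer-specific META-INF.

    The payload bytes are placeholders; a real APK's classes.dex and resources
    would be compared the same way.
    """
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035" + b"\x00" * 32)
        zf.writestr("res/values/strings.xml", b"<resources/>")
        zf.writestr("META-INF/MANIFEST.MF",
                    ("Manifest-Version: 1.0\nCreated-By: " + signer + "\n").encode())
        zf.writestr("META-INF/CERT.SF",
                    ("Signature-Version: 1.0\nSigner: " + signer + "\n").encode())
        # Stand-in for the PKCS#7 signature block, which embeds the signer's cert.
        zf.writestr("META-INF/CERT.RSA", hashlib.sha256(signer.encode()).digest())
        for name, data in (extra_entries or {}).items():
            zf.writestr(name, data)


def demo():
    """Three constructed APKs: store build, local build, and a build with an extra dex."""
    with tempfile.TemporaryDirectory() as d:
        release = os.path.join(d, "release.apk")
        local = os.path.join(d, "local.apk")
        tampered = os.path.join(d, "tampered.apk")
        build_sample_apk(release, "store-signing-key")       # hypothetical signer names
        build_sample_apk(local, "developer-debug-key")
        build_sample_apk(tampered, "store-signing-key",
                         {"classes2.dex": b"dex\n035extra"})
        return {
            # Different signer => whole-file hash differs even though the code is identical.
            "whole_file_md5_equal": file_md5(release) == file_md5(local),
            "release_vs_local": compare_apks(release, local),
            "release_vs_local_with_signatures": compare_apks(release, local, skip_signature=False),
            # Extra code shows up as an entry present on one side only.
            "release_vs_tampered": compare_apks(release, tampered),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

Run it against a real pair by calling compare_apks("store.apk", "local.apk") on an APK pulled from a device and one built from this repository. A clean result (nothing differing, nothing one-sided) is the evidence the reporter was looking for and a whole-file MD5 can never provide. A non-empty "differing" list for classes.dex is where mohsin's decompile-and-diff steps, or a retrace with the build's mapping.txt, come in, and on its own it is not proof of hidden code: ProGuard output and resource packing are not necessarily byte-for-byte reproducible across build environments.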

tachyons commented 4 years ago

@SaifurRahmanMohsin

Refer https://github.com/nic-delhi/AarogyaSetu_Android/issues/432#issuecomment-638634816

tachyons commented 4 years ago

@Raahul-Singh Please don't be another troll here, thanks