Where are the jars from some Xposed repositories?

[msdos]

I've become aware of Xposed Framework mainly because it's a dependency of XPrivacy. Everything seems to good to be true, and quoting yourself @rovo89, "with great power comes great risk".

That's why, for such a powerful framework, I'm planning to compile it myself all source code. I know this doesn't mean it's completely safe from a security perspective (Heartbleed was here in the past to show us that being open source doesn't mean it's secure), I know I can't audit all source code, but I'm trying to remove all the odds and minimize the risks.

For example, SuperSU was already closed source, but, somehow, people trusted chainfire: I wouldn't trust it before and much less now that it's sold to a strange company. How can I trust a binary that has root access if it's source it's not available?

Don't get me wrong, I'm not saying you're creating malicious apks, we can even decompile the apks, the source is not that obfuscated, but, in theory, you could. That's ihnerent to how binaries work specially when I'm giving it root access. We have the same issue when using binayy blobs in official firmwares specially in a NSA era, but it's different from using something from an official vendor that you can even take it to court and your framework that is taken as is.

Superficially reading the source code, specially from XposedInstaller, we can see some jars

286987   48 -rw-r--r--   1      47645 Jan 25 13:46 ./libs/libsuperuser-185868.jar
286985   32 -rw-r--r--   1      30181 Jan 25 13:46 ./libs/StickyListHeaders-d7f6fc.jar
286986  632 -rw-r--r--   1     644520 Jan 25 13:46 ./libs/android-support-v13.jar
287177 1160 -rw-r--r--   1    1184741 Jan 25 13:46 ./tools/signapk.jar
286973  100 -rw-r--r--   1      98482 Jan 25 13:46 ./assets/XposedBridge.jar
286983    4 -rw-r--r--   1       3191 Jan 25 13:46 ./lib/AndroidHiddenAPI.jar

That I know I can decompile them in a worst case scenario, but I would like to know:

• where they are from and, if possible, if you can document them being explicit where they are from (some have an origin in it's history like Sticky);
• pointing out which other compiled binaries (and zips with other files or binaries) you have in your repositories.

I believe more people may have the same doubts as me, so I thank you in advance if you can enlighten us in this matter. Anyways, congrats in having a module that has 8 million downloads in it's last version and couting.

I was inspired by this post that someone posted in xda forums. I even copied the jars example from there. Thanks. :)

[rovo89]

Well, I think most should be obvious:

• libsuperuser-185868.jar: created myself from https://github.com/Chainfire/libsuperuser/tree/185868fb527c3d4ba819c541d128403d60ebb12c
• StickyListHeaders-d7f6fc.jar: created myself from https://github.com/emilsjolander/StickyListHeaders/tree/d7f6fc457cab2723f61ec0e60ffb43f4eb106a3f
• android-support-v13.jar: official Google support library
• signapk.jar: compiled from AOSP: https://github.com/rovo89/XposedInstaller/commit/f2a4945ccfee1821eb188be89fe719a77ac73b41
• XposedBridge.jar: https://github.com/rovo89/XposedBridge
• AndroidHiddenAPI.jar: Not included in the builds, just there to reference one class that's hidden in the Android APIs

Other binaries would be BusyBox and of course the native binaries of the framework itself, all of which can be found in the GitHub repositories under my name. With some technical background, a proper Linux installation and some time, I think it's not too hard to compile all of them using the scripts in this repository.

Does that answer your questions?

[msdos]

...sorry if the way I'm asking seems a little bit rude since everything of your project has always been open, specially because english is not my first language.

zips (like Xposed-Installer-Recovery.zip) have a bash script that installs app_process - that needs to be compiled like is said in https://github.com/rovo89/XposedTools/blob/beed70570e2e815802d8d67726c7936e3ad8209d/README.md and is available in your repositories like you said.

I think I need to do my homework first instead of pointing fingers of doubt upon others. :) You can close the issue and I will be passing by again if I have more doubts.

Thanks for answering.

[rovo89]

It's OK 😉 Glad that I could clear up the doubts.