signalapp / Signal-Android

A private messenger for Android.
https://signal.org
GNU Affero General Public License v3.0

Request: Google Play signed download alternative #127

Closed countrygeek closed 7 years ago

countrygeek commented 11 years ago

I was about to suggest this before reading the infamous issue 53. It is sad to see that FDroid and WhisperSystems could not work together; I truly enjoy both projects. Needless to say, a Google alternative is required - Google more and more frequently involves itself in privacy violations. I am opening this ticket in hopes that an alternative of some sort is made.

Possibilities: 1) WhisperSystems creates its own official FDroid repository, as did GuardianProject: https://guardianproject.info/2012/03/15/our-new-f-droid-app-repository/

2) WhisperSystems provides an APK somewhere out there for people to download with simple instructions on how to verify it's not been tampered with.

In the event this is not done, users not wanting Google will have to compile it from source, which, although it can be done, is a major inconvenience, especially to newbies. Just for reference, there seems to be a large interest in migrating away from Google, e.g. the NoGAPPS project: http://forum.xda-developers.com/showthread.php?s=a7bf27eb98e3bcefb7e58fb46d09710b&t=1715375

I hope you all come up with a resolution. Thanks and keep up the great work! :)

rdsqc22 commented 10 years ago

Actually, I disagree.

6 hours ago, I thought as you did. I have been setting up my phone without any Gapps, and when the time came to install Textsecure, it was nowhere to be found. I was frustrated at the least, and went to their website to complain. I found the many existing posts and threads on the issue, and read them.

And, moxie0's reasoning made sense to me. Furthermore, despite having never built an Android APK before in my life, I cloned the git repository and went from start to having a working, signed app in about 20 minutes. It was a great learning experience for me, and frankly, if you're the sort of person who's trying to have an Android phone without Gapps, you're probably computer-competent enough to figure out how to spend a quarter hour building the APK, especially considering the quite thorough documentation. Not to mention, again, if you're building a phone without Gapps, then you're probably somewhat security-conscious, and building your own apps from source is something you should know how to do anyway.

It would be nice if the source had some sort of in-app notification of when the main branch is updated, so that I don't have to necessarily subscribe to the git through email. But I don't begrudge the choice to not distribute the apk.

SafwatHalaby commented 10 years ago

@rdsqc22, my post was based on the (true) assumption that most people are too lazy to build from source, even if they're security-aware enough to use Cyanogenmod + F-droid.

I have never built an APK in my life either, and I think I will try this; I have no other option.

This is slightly off-topic, but I'm wondering: How would push notifications work if I build from source and I have no Playstore?

Edit: One proof of the claim in my first paragraph is the fact that many people ARE using F-droid instead of building from source.

rdsqc22 commented 10 years ago

I suspect that if you go that route, you (like me) will be surprised at how easy it is. Let me know if you need a hand.

Push notifications? I have a Pebble and pushing notifications to the Pebble works fine. Is that what you mean? Or are you referring to something else, like Pushbullet?

SafwatHalaby commented 10 years ago

Perhaps we could provide an automated build script as an alternative? Which basically downloads Android SDK Bundle, clones the repository, etc...

And then executes everything in https://github.com/WhisperSystems/TextSecure/blob/master/BUILDING.md

Edit: I know it's a "lazy path", but people are like that.

SafwatHalaby commented 10 years ago

Regarding Push notifications, I assumed that Textsecure relies on Google's Push service. Is that incorrect?

rdsqc22 commented 10 years ago

Not a bad idea, considering that a) it doesn't require root, and b) should only be ~10 commands long.

Heck, I could write it myself, except I'm not sure how to install Android Support Repository and the correct version of Build-tools from command line.

As far as push notifications go, I misunderstood you at first. You are correct, Push does not currently work without Gapps. I believe that once Websocket support is complete, this will be fixed.

mvdan commented 10 years ago

For what it's worth, what you are doing, building your own self-signed APKs from source, is precisely what F-Droid could automate for you.

SafwatHalaby commented 10 years ago

That's completely true, but it's a viable alternative as long as F-droid and Textsecure will not cooperate. I still believe F-droid is the way to go.

SafwatHalaby commented 10 years ago

@rdsqc22: My build was successful, but I have no idea where the resulting APK is. Any clue? My assumption is that an APK should be the result, is that correct?

rdsqc22 commented 10 years ago

I believe that the reasoning here is that since Fdroid forces you to allow unknown app installations, that itself is a larger security risk than Gapps, in the hands of someone who does not know what they are doing. By forcing one to build their own app, this selects for the people who know what they are doing to be the ones to open that hole.

I believe I read somewhere that they would happily put it on Fdroid if it did not require unknown apps to be allowed.

@wiseoldman95 Your APK will be in ./TextSecure/build/apk/. You will have to self-sign TextSecure-release-unsigned.apk to install it.

mvdan commented 10 years ago

@wiseoldman95: If you think of F-Droid as the main repository, sure. But I meant it as the software, with which you can set up a repo on your own. Even without a repo, you can use 'fdroid build' and 'fdroid install' to automate it.

@rdsqc22: True that "unknown sources" is required now, but a fix for that is currently in the works.

kaimi commented 10 years ago

> I cloned the git repository and went from start to having a working, signed app in about 20 minutes. It was a great learning experience for me, and frankly, if you're the sort of person who's trying to have an Android phone without Gapps, you're probably computer competent enough to figure out how to spend a quarter hour building the APK, especially considering the quite thorough documentation.

My main problem with that approach is having to rebuild the app with every release, aka updating hassle.

> I believe that the reasoning here is that since Fdroid forces you to allow unknown app installations

You have to allow that in order to install self-built APKs as well.

SafwatHalaby commented 10 years ago

True, I don't see the logic in abstaining from F-droid. It's leading to 3 possibilities, 2 of which are less secure, and the last one is less convenient:

1. Using another app.
2. Getting it from an unofficial source (and highly likely getting malware). Lots of these can be found: https://www.google.com/#q=textsecure+apk
3. Building from source.

jensschulz commented 10 years ago

How about using things like NoGAPPS, GooglePlayDownloader or MicroG?

http://forum.xda-developers.com/showthread.php?t=1715375 http://codingteam.net/project/googleplaydownloader/download https://github.com/microg/

I recently tried the Blankstore from NoGAPPS and it works like a charm. Does anyone have experience with the other two mentioned above?


Strubbl commented 10 years ago

+1

SafwatHalaby commented 10 years ago

@jensschulz: Some people do not trust Google Play though.

dalb8 commented 10 years ago

@wiseoldman95 I haven't used Blank Store but at least with Raccoon or the APK Downloader app there is a simple way of downloading an APK from Google Play without giving the Play Store strong permissions to install whatever it wants on the device. These apps work well as long as you use an Android ID corresponding to similar capabilities to those of the device you currently use.

At least Google leave the signatures alone, unlike Amazon.

SecUpwN commented 10 years ago

Since no Open Source download alternative to the shitty PlayStore exists, I strongly recommend everyone to use the awesome APK Downloader - just paste the Package name or Google Play URL and directly download the latest APK to your device. Sad to see that TextSecure, an Open Source App, has not (yet) made it into a much more Open Source friendly store like Fdroid. Still hoping for this to come.

SafwatHalaby commented 10 years ago

Are the APKs distributed by Google digitally signed by the developers?

SecUpwN commented 10 years ago

@wiseoldman95, yes, as to my knowledge they must be.

cjeanneret commented 10 years ago

Heya! Just a small remark: why don't you create an f-droid compatible repository we can add to the f-droid client app? This would:

my 2cents.

rdsqc22 commented 10 years ago

@cjeanneret The reason for this is Fdroid forces you to allow apps from other sources, which opens up a huge number of possible security problems.

cjeanneret commented 10 years ago

@rdsqc22 true, still offering this possibility would be nice, and keeps the app signature.

anyway, going to build some APK, as there are some updates for TS, Flock and others ;).

eighthave commented 10 years ago

@rdsqc22 that is no longer true. You can install FDroid as a system app, or let it use root, and it no longer requires "Unknown Sources" to be allowed. This is true starting with FDroid 0.69-test, and will be included in the upcoming 0.71 stable release (any day now).

patcon commented 10 years ago

That's awesome @eighthave! Thanks! didn't realize.

countrygeek commented 10 years ago

Would anyone mind posting the latest version of TextSecure? I'm currently running Cyanogen without gapps and didn't feel like installing them to upgrade. Thanks!

Wikinaut commented 10 years ago

@countrygeek Do you have a Linux box? Then you could build it by yourself (it's not too complicated). Pls. contact me by mail if you need help (your github account has no e-mail address connected for direct feedback).

agrajaghh commented 10 years ago

@countrygeek Without gapps you can't use push messages; you'll only be able to send encrypted and unencrypted SMS.

Wikinaut commented 10 years ago

@agrajaghh @countrygeek You can use TextSecure without having a Google Play account. For some reason, I can use my self-built version on all my phones and tablets without any problem.

My devices however have Google Play Store installed, but as said, without an associated account ‒ the devices are not running CyanogenMod.

agrajaghh commented 10 years ago

I think you don't need a Google Play account, but you need the Google Play services to be installed for push messages...

Wikinaut commented 10 years ago

@agrajaghh wrote

> I think you don't need a Google Play account, but you need the Google Play services to be installed for push messages...

@countrygeek : yes

generalmanager commented 10 years ago

Currently TS doesn't work without gapps because it uses GCM as a push network. Take a look at #1000 to monitor the progress on websockets.


patcon commented 10 years ago

Thanks for the pointer on that thread @generalmanager :)

@countrygeek While it's not particularly helpful here, I find this helpful for getting APKs for essentials not yet on F-Droid. (You can install with adb install /path/to/app.apk if you have USB debugging set up.)

http://apps.evozi.com/apk-downloader/

countrygeek commented 10 years ago

@patcon : Thanks, I actually had tried using that but the site was down - appears up again now. It's definitely the easiest way, vs. trying to get the ADT bundle up and running just to run TextSecure without Gapps. I have an unlimited data plan so I don't care about SMS charges. :)

Zeriuno commented 10 years ago

I find it worrying that, to escape Google surveillance and profiling, some are ready to install an APK downloaded from a service that doesn't really offer security guarantees and that could compromise your device.

I think it really calls for a priority revision.

Find a way to do a checksum at least!

Wikinaut commented 10 years ago

@Zeriuno this could be done by @Moxie on the release page https://github.com/WhisperSystems/TextSecure/releases; see this example: https://github.com/schildbach/bitcoin-wallet/releases

Moxie could simply additionally publish ‒ parallel to the publication in Google Play Store ‒ the release APKs and their corresponding signature files on the TextSecure https://github.com/WhisperSystems/TextSecure/releases page. Currently, there is only the source code. But there's no room for discussion, because AFAIK he wants a secure channel for automatic updates, and only Google Play Store can do that.

Wikinaut commented 10 years ago

@Zeriuno I published checksums for versions < 2.0.8 on my TextSecure Wiki page https://github.com/Wikinaut/TextSecure/wiki/History-of-changes

This not-so-well-known gpg command/option lists all available message digests: gpg --print-md "*" org.thoughtcrime.securesms.apk
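
The check Zeriuno asks for and Wikinaut's published digests make possible, written out as an added example (this is not code from the thread, from Wikinaut's wiki or from the TextSecure project): a small Python routine that reads a `sha256sum`-style checksum file ("<hex>  <filename>", also the md5sum/sha1sum/sha512sum variants, recognised by digest length), recomputes the digest of the downloaded file and compares it in constant time. It refuses MD5 and SHA-1 lines by default, since those no longer prove integrity against a deliberate swap. The APK bytes and the checksum file are constructed inline so the example runs offline; the filenames are placeholders.

```python
import hashlib
import hmac

# Map hex-digest length to the algorithm that produces it, as printed by the
# md5sum / sha1sum / sha256sum / sha512sum family of tools.
DIGEST_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
# Algorithms a verifier should no longer accept as proof of release integrity.
WEAK_ALGORITHMS = {"md5", "sha1"}


def parse_checksum_file(text: str) -> dict:
    """Parse `<hex>  <filename>` lines into {filename: (algorithm, hex)}.

    Blank lines and '#' comments are skipped. A leading '*' on the filename
    (the tools' binary-mode marker) is dropped. Anything that does not look
    like a known digest raises, so a corrupted checksum file cannot pass silently.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        algorithm = DIGEST_BY_LENGTH.get(len(digest))
        if algorithm is None or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"unrecognised digest on line: {raw!r}")
        table[name] = (algorithm, digest)
    return table


def verify_download(data: bytes, filename: str, checksum_text: str,
                    allow_weak: bool = False) -> dict:
    """Check the bytes of a downloaded file against its published checksum line.

    Returns {"ok": bool, "reason": str, "algorithm": str | None}. The digest
    comparison uses hmac.compare_digest so the verifier does not leak how much
    of the string matched.
    """
    table = parse_checksum_file(checksum_text)
    if filename not in table:
        return {"ok": False, "reason": "no published checksum for this filename",
                "algorithm": None}
    algorithm, expected = table[filename]
    if algorithm in WEAK_ALGORITHMS and not allow_weak:
        return {"ok": False, "reason": f"{algorithm} is too weak to prove integrity",
                "algorithm": algorithm}
    actual = hashlib.new(algorithm, data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return {"ok": False, "reason": "checksum mismatch", "algorithm": algorithm}
    return {"ok": True, "reason": "checksum matches", "algorithm": algorithm}


# Constructed stand-in for a downloaded APK. A real APK is a zip archive; the
# exact bytes do not matter for the checksum logic.
SAMPLE_APK = b"PK\x03\x04" + bytes(range(256)) * 4

# Constructed checksum file of the kind a maintainer would publish next to the
# release files, in sha256sum / sha512sum / md5sum output format.
SAMPLE_CHECKSUMS = (
    "# constructed release checksums for the example\n"
    f"{hashlib.sha256(SAMPLE_APK).hexdigest()}  TextSecure-release.apk\n"
    f"{hashlib.sha512(SAMPLE_APK).hexdigest()} *TextSecure-release-sha512.apk\n"
    f"{hashlib.md5(SAMPLE_APK).hexdigest()}  TextSecure-release-md5.apk\n"
)

if __name__ == "__main__":
    print(verify_download(SAMPLE_APK, "TextSecure-release.apk", SAMPLE_CHECKSUMS))
    print(verify_download(SAMPLE_APK + b"\x00", "TextSecure-release.apk", SAMPLE_CHECKSUMS))
```

A checksum fetched over the same channel as the file only protects against corruption, not substitution; it adds assurance when the checksum file is obtained from a separate, authenticated place (a maintainer's GPG-signed release notes, the project's own HTTPS release page), which is what the signature files suggested above would provide.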

Zeriuno commented 10 years ago

@Wikinaut: good!

cyl-us commented 10 years ago

Where there is no transparency, there cannot be any hope of either security or privacy. Seeing a privacy application depend on nonfree software to function is therefore a very sad thing to me, as its dependencies undermine its purpose. A system is only as secure/private as its least secure/private component, so anything that has Google Play Services installed is already compromised.

You also mention that a user has to enable third-party application installation to install outside the Google Play Store. While I'm not sure it will sway you, it's worth noting that for us Replicant users, we have to have that box unchecked to install anything outside of F-Droid's repository, meaning that by not offering it on F-Droid, you require us to enable third-party application installation.

SecUpwN commented 10 years ago

@jtrig, maybe it's time to move on to more open alternatives like Tinfoil-SMS?

rdsqc22 commented 10 years ago

@SecUpwN No, because that's also not on Fdroid. Google Play only, so it's no better.

SecUpwN commented 10 years ago

@rdsqc22, the developer of that App is extremely open to open source. Feel free to open up an Issue on his GitHub for that, I am sure this App will be available there sooner than you think.

rdsqc22 commented 10 years ago

@SecUpwN It looks like it used to be on Fdroid, but then got removed because the developer started using non-free binary blobs. https://f-droid.org/wiki/page/com.tinfoil.sms

justjanne commented 9 years ago

Source, what is still limiting progress with this issue?

In other words, every single of @moxie0’s complaints has been fixed, so why is this still not happening?

fwalch commented 9 years ago

> In other words, every single of @moxie0's complaints has been fixed, so why is this still not happening?

Maybe just because no-one told him yet ;-)

I guess distributing TextSecure on F-Droid while Google Play Services are still required for it to run doesn't make too much sense. You could check out #1000 resp. the fork at https://github.com/JavaJens/TextSecure to help with that.

haffenloher commented 9 years ago

> F-Droid now allows to distribute a developer-signed version of the app, if the build is reproducible by their build server

Interesting. Could you point me to some information / docs on how this is supposed to work?

> In other words, every single of moxie0's complaints has been fixed

I don't think there is a solution for automated crash reporting without Google Play yet.

fwalch commented 9 years ago

@brumsoel See https://f-droid.org/wiki/page/Deterministic,_Reproducible_Builds. For background on reproducible builds in general, see e.g. this talk at the 31C3 (slides on this page).

eighthave commented 9 years ago

The reproducible build stuff is quite new and still a bit raw, but it does work. I'm happy to help get TextSecure integrated using this process for anyone who wants to take it on.

As for automated crash reporting without Google Play, you can use ACRA then choose which backend you want it to upload to.
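
The core check behind the reproducible-build process fwalch links and eighthave offers to help with, as an added example (this is not F-Droid's code, nor the project's): an independent unsigned build is compared entry by entry with the developer-signed APK, ignoring only the JAR-signature files under META-INF/; if every other entry has identical content, the developer's signature files can be attached to the locally built archive and will still verify, because a v1 (JAR) signature covers entry contents rather than the zip container. The three "APKs" below are constructed in-memory zips standing in for a developer build, a matching local build and a drifted one; nothing here is a real signature.

```python
import hashlib
import io
import zipfile

# Entries a v1 (JAR) signature adds to an APK. Everything else must be
# byte-identical between the developer's signed build and the independent one.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")
SIGNATURE_NAMES = {"META-INF/MANIFEST.MF"}


def is_signature_entry(name: str) -> bool:
    return name in SIGNATURE_NAMES or (
        name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES))


def signature_entries(apk: bytes) -> list:
    """Sorted names of the signature-related entries present in the archive."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return sorted(n for n in zf.namelist() if is_signature_entry(n))


def entry_digests(apk: bytes) -> dict:
    """Map each non-signature entry to the SHA-256 of its uncompressed bytes.

    Hashing decompressed content, not the raw archive, keeps the comparison
    independent of compression level and zip timestamps.
    """
    out = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if not is_signature_entry(info.filename):
                out[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return out


def compare_builds(signed_apk: bytes, local_apk: bytes) -> dict:
    """Report whether the two builds agree on every non-signature entry."""
    a, b = entry_digests(signed_apk), entry_digests(local_apk)
    only_in_signed = sorted(set(a) - set(b))
    only_in_local = sorted(set(b) - set(a))
    differing = sorted(n for n in set(a) & set(b) if a[n] != b[n])
    return {
        "reproducible": not (only_in_signed or only_in_local or differing),
        "only_in_signed": only_in_signed,
        "only_in_local": only_in_local,
        "differing": differing,
    }


def adopt_signature(signed_apk: bytes, local_apk: bytes) -> bytes:
    """Copy the developer's META-INF signature entries onto the local build.

    Refuses unless compare_builds() found the builds reproducible: the .SF and
    MANIFEST.MF files carry per-entry digests, so any content difference would
    make the copied signature fail verification on install anyway.
    """
    report = compare_builds(signed_apk, local_apk)
    if not report["reproducible"]:
        raise ValueError(f"builds differ: {report}")
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(local_apk)) as local, \
         zipfile.ZipFile(io.BytesIO(signed_apk)) as signed, \
         zipfile.ZipFile(buf, "w") as out:
        for info in local.infolist():
            if not is_signature_entry(info.filename):
                out.writestr(info, local.read(info))
        for info in signed.infolist():
            if is_signature_entry(info.filename):
                out.writestr(info, signed.read(info))
    return buf.getvalue()


def make_apk(entries: dict) -> bytes:
    """Constructed stand-in for an APK: a zip with the given {name: bytes} entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives; the signature bytes are placeholders, not PKCS#7.
COMMON = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\0",
          "resources.arsc": b"\x02\x00\x0c\x00"}
SIGNATURE = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
             "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
             "META-INF/CERT.RSA": b"\x30\x82"}
DEVELOPER_APK = make_apk({**COMMON, **SIGNATURE})      # developer-signed release
LOCAL_APK = make_apk(COMMON)                           # independent unsigned build
DRIFTED_APK = make_apk({**COMMON, "classes.dex": b"dex\n035\0\xff"})  # toolchain drift
```

This models the v1 (JAR) scheme that was current when the thread was written; APK Signature Scheme v2 and later store the signature in a dedicated block of the zip itself, so a build server would additionally have to carry that block across and check it covers the same archive bytes.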

moxie0 commented 7 years ago

This is now available here: https://signal.org/android/apk/

I don't recommend that people do this, but we've set this up as a harm reduction strategy since people are already running random APKs signed by other random people instead.