ukhsa-collaboration / COVID-19-app-Android-BETA

Source code of the Beta of the NHS COVID-19 Android app
https://covid19.nhs.uk/
MIT License

Enable proguard/R8 #17

Closed ubikapps closed 4 years ago

ubikapps commented 4 years ago

Describe the bug
app/build.gradle has minifyEnabled set to false for release builds. Also no shrinkResources = true setting.

To Reproduce
Steps to reproduce the behaviour:

  1. Build a release apk
  2. Notice that the apk file is an absolute unit and therefore less likely to be installed on people's phones

Expected behaviour
minifyEnabled set to true and shrinkResources set to true. APK is smaller and code obfuscated for security.

Additional context
Whitelist classes and packages in the app/proguard-rules.pro that need to be left unobfuscated for the app to work.

stephenheron commented 4 years ago

I would prefer if proguard/R8 was not enabled. This is a privacy sensitive app and it is useful to be able to decompile the live app and compare it to the source code to ensure nothing has changed between the open sourced code and the live APK.

r3m0t commented 4 years ago

Is this an automated message @ubikapps ?

ubikapps commented 4 years ago

"Is this an automated message @ubikapps ?"

Nope, I'm real

dam5s commented 4 years ago

"APK is smaller and code obfuscated for security"

No. Obfuscation does absolutely nothing for security.

SonOfBowser commented 4 years ago

A compromise could be to set proguard in strip-only mode (no optimisation/renaming). Of course, this'll only help if the bulk of the APK size is from unused Java/Kotlin code.
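The compromise described above, written out as an added example rather than the project's own configuration: the release build type with code and resource shrinking switched on, and a proguard-rules.pro that runs R8 in strip-only mode so the shipped APK can still be decompiled and compared against the published source. The package name in the keep rule is a placeholder, not the app's real package.

```groovy
// ---- app/build.gradle (release build type), added example ----
android {
    buildTypes {
        release {
            // Remove unused classes/methods (R8) and unused resources.
            minifyEnabled true
            shrinkResources true
            // The non-"optimize" default rules, since optimisation is
            // disabled below anyway.
            proguardFiles getDefaultProguardFile('proguard-android.txt'),
                          'proguard-rules.pro'
        }
    }
}

// ---- app/proguard-rules.pro, added example ----
# Strip-only mode: dead code is removed, but kept classes, methods and
# fields retain their original names and structure, so a decompiled
# release APK still lines up with the open-sourced code.
-dontobfuscate
-dontoptimize

# Keep source file names and line numbers so crash reports stay readable
# without a mapping file (none is produced when obfuscation is off).
-keepattributes SourceFile,LineNumberTable,Signature,*Annotation*

# Anything reached only via reflection or (de)serialisation must be kept
# explicitly, otherwise shrinking removes it. Placeholder package name:
-keep class com.example.placeholder.model.** { *; }
```

With -dontobfuscate in place, a reproducibility check reduces to decompiling the release APK and diffing the kept classes against the repository; any unexpected class or method is then visible by name rather than hidden behind renamed symbols.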

edent commented 4 years ago

Thanks for this. We want to make the final APK as small as possible - but not at the expense of trust.

edent commented 4 years ago

I'm pasting this message in every active GitHub issue, so you may receive duplicate notifications.

Today, I'm happy to announce that NHSX has released the full git commit history for the Isle of Wight Beta apps.

As discussed, we have redacted API keys, sensitive domain names, and some of the developers' personal details. I am still waiting on final approval to publish the server-side code.

I would like to personally thank the community for your comments, bug reports, and vulnerability disclosures. They all went into helping the development process.

The beta trial of this app has now ended and we've moved to the next phase of app development. It is our intention to publish the source code of future apps as the binaries are released to the public.

Once again, thank you for being part of this.

Terence Eden Head of Open Technology - NHSX