
[Feature Request] F-droid in sources filter

Open Zerokami opened this issue 7 years ago • 8 comments

F-Droid apps show up as sideloaded apps and there isn't an easy way to know if the app is from F-Droid.

Since F-Droid is the only source for FOSS exclusive apps, it might be nice to add a Filter for F-Droid and filter the F-Droid signed apps.

Zerokami avatar Dec 30 '17 07:12 Zerokami

Hi, thank you for opening the issue. I will take a look and see what can be done here.

MartinStyk avatar Jan 02 '18 14:01 MartinStyk

Hi @Logmytech, unfortunately there is no way to distinguish F-Droid apps (at least I am not aware of any). The only thing that can be used to find the source of an application is the package that installed it. This package differs between app stores. However, F-Droid downloads an application and shows a prompt to install it using the standard package installer. Because of that, it is impossible to distinguish these apps.

MartinStyk avatar Jan 03 '18 13:01 MartinStyk

But the signature of APK Analyzer shows F-droid.

So, F-Droid actually signs these APKs. So we can check the signatures in the APK, maybe?

Zerokami avatar Jan 04 '18 10:01 Zerokami

Yeah, it signs it. But in that case, I would need all keys used for signing apps in the F-Droid market. I cannot rely on the name in the signature, because anyone can create a signing key with the name F-Droid. I would need to match against the public key. I do not think it is a good idea to do it, because it will not be reliable... wdyt?

MartinStyk avatar Jan 05 '18 14:01 MartinStyk

I think if F-Droid uses a single signature for signing all apps, like Play does, you should implement it.

I think that's what F-Droid should do, but I'm not sure that's what it does.

App detective actually shows F-Droid icons for F-droid apps. So, it might be using a single signature.

BTW, can multiple people sign a single app? Like dev, store, etc.?

https://forum.f-droid.org/t/recognising-f-droid-apps-from-apk-signature/1867

```
Issuer: CN=Ciaran Gultnieks, OU=Unknown, O=Unknown, L=Wetherby, ST=Unknown, C=UK
Serial number: 4c49cd00
Valid from: Fri Jul 23 13:10:24 EDT 2010 until: Tue Dec 08 12:10:24 EST 2037
Certificate fingerprints:
  MD5:  17:C5:5C:62:80:56:E1:93:E9:56:44:E9:89:79:27:86
  SHA1: 05:F2:E6:59:28:08:89:81:B3:17:FC:9A:6D:BF:E0:4B:0F:A1:3B:4E
  SHA256: 43:23:8D:51:2C:1E:5E:B2:D6:56:9F:4A:3A:FB:F5:52:34:18:B8:2E:0A:3E:D1:55:27:70:AB:B9:A9:C9:CC:AB
```

Zerokami avatar Jan 06 '18 00:01 Zerokami
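
The point made in the two comments above, that the name in a signing certificate proves nothing while the key fingerprint does, as an added example (not code from AndroidApkAnalyzer or from either commenter). It parses keytool-style output and assumes the SHA256 value quoted above is the pin; the lookalike certificate is constructed and the function names are hypothetical.

```python
import hmac
import re

# SHA256 fingerprint quoted in the comment above; which apps this key signs
# is the thread's open question, so treat the pin list as an assumption.
PINNED_SHA256 = ("43:23:8D:51:2C:1E:5E:B2:D6:56:9F:4A:3A:FB:F5:52:"
                 "34:18:B8:2E:0A:3E:D1:55:27:70:AB:B9:A9:C9:CC:AB")

def normalize(fp):
    """Lowercase hex without separators; reject anything that is not 32 bytes."""
    hexed = re.sub(r"[:\s]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hexed):
        raise ValueError("not a SHA-256 fingerprint: %r" % fp)
    return hexed

def parse_keytool(text):
    """Return (issuer, sha256_hex) from keytool-style certificate output."""
    issuer = re.search(r"^\s*Issuer:\s*(.+)$", text, re.M)
    sha256 = re.search(r"^\s*SHA-?256:\s*([0-9A-Fa-f:]+)", text, re.M)
    if sha256 is None:
        raise ValueError("no SHA256 fingerprint found")
    return (issuer.group(1).strip() if issuer else ""), normalize(sha256.group(1))

def classify(text, pins=(PINNED_SHA256,)):
    """Compare what the certificate name suggests with what the key proves."""
    issuer, fp = parse_keytool(text)
    return {
        "name_says_fdroid": re.search(r"f-?droid", issuer, re.I) is not None,
        "key_matches_pin": any(hmac.compare_digest(fp, normalize(p)) for p in pins),
    }

# Certificate details as posted in the thread (issuer and SHA256 lines only).
FROM_THREAD = ("Issuer: CN=Ciaran Gultnieks, OU=Unknown, O=Unknown, "
               "L=Wetherby, ST=Unknown, C=UK\n"
               "  SHA256: " + PINNED_SHA256 + "\n")

# Constructed lookalike: self-chosen name, constructed fingerprint.
LOOKALIKE = ("Issuer: CN=F-Droid, OU=Unknown, O=Unknown, C=UK\n"
             "  SHA256: " + ":".join(["AA"] * 32) + "\n")

if __name__ == "__main__":
    for label, sample in (("thread", FROM_THREAD), ("lookalike", LOOKALIKE)):
        print(label, classify(sample))
```

A name-based filter gets both samples wrong: it rejects the certificate posted in the thread and accepts the lookalike, while the fingerprint comparison does the opposite.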

@MartinStyk you can tell the installation source by the corresponding attribute (-i parameter to pm); in the package dump, the field is called installerPackageName. Playstore has two different "sources" here, FDroid just one (org.fdroid.fdroid if I remember correctly), Aptoide has its own as well (as will all other market apps, I suspect). Just create a dump and grep for installerPackageName, sort, and uniq :wink:

IzzySoft avatar Jan 15 '18 20:01 IzzySoft

@Logmytech @IzzySoft, I get the installation source using the `PackageManager`'s method `getInstallerPackageName` [1]. It is basically the same as described in @IzzySoft's comment. However, when I test it, for F-Droid apps I always get the installer package `com.google.android.packageinstaller`, which is the default Android installer.

I suppose it is because the F-Droid app downloads an APK file, but lets the default Android installer install the package.

Am I missing something here? Thank you for your help 👍

[1] https://github.com/MartinStyk/AndroidApkAnalyzer/blob/master/app/src/main/java/sk/styk/martin/apkanalyzer/model/detail/AppSource.java#L34

MartinStyk avatar Jan 15 '18 21:01 MartinStyk

What I do in my tool Adebar is parse the package list returned by `dumpsys package` (starting at `^Packages:` and stopping at `^Shared users:`). And Adebar reports the correct installer. The Android installer certainly is invoked the same way pm is (a la `pm install -i <installer_package_name> …`).

I'm no Android dev, so I don't know any corresponding Java APIs, sorry. If you want to cross-check with my Shell code, see the function getAppDetails() in lib/packagedata.lib.

IzzySoft avatar Jan 15 '18 22:01 IzzySoft