
[FDroid] Unable to download reports and trackers on 3.0.0

Open Jean-BaptisteC opened this issue 1 year ago • 4 comments

When the rework of API key management was done, we did not think about integration on F-Droid.

With the 3.0.0 version from F-Droid, it's not possible to download reports and trackers because the API key is not present in the APK. But it is possible to download the APK on GitHub.

Jean-BaptisteC, Sep 08 '22 18:09

In my opinion it is completely pointless to try and hide the API key within the app. Anybody with a rooted phone and a custom CA certificate can see it in the traffic anyway.

In fact I tried it and the api key is 1b...20

I recommend just storing the api key in source code. You can implement rate-limiting on the api server if that is a concern

outis151, Sep 11 '22 07:09

We are searching for solutions to add the API key on F-Droid without storing the API key in manifest.yml (in GitLab). We want to secure the API key to filter who has access to our REST API and limit copying of the app. And not everyone has a rooted phone with a custom CA certificate.

Jean-BaptisteC, Sep 13 '22 16:09

Unfortunately there is no way to limit who has access to the API key... It can be extracted either from the APK or from network analysis. Every measure to filter access needs to be implemented on the API backend server. Restrictions on copying the app also don't follow the spirit of the GPL license in my opinion.

outis151, Sep 13 '22 16:09
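
Server-side rate limiting as recommended in the comments above, as an added example that is not part of the thread or of the Exodus code base. The class, the handler, the key value and the IP addresses are constructed for illustration; the key shipped in the APK is treated as a public app label, and throttling is keyed on the client address instead.

```python
import time

# Assumption: the key shipped in the APK is public, so it only labels the
# calling app. The value below is a constructed sample, not a real key.
KNOWN_APP_KEYS = {"constructed-public-app-key"}


class TokenBucketLimiter:
    """Per-client token bucket: `rate` requests/second, bursts up to `burst`."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate = rate
        self.burst = burst
        self.clock = clock
        self._buckets = {}  # client id -> (tokens left, time of last request)

    def allow(self, client_id):
        now = self.clock()
        tokens, last = self._buckets.get(client_id, (self.burst, now))
        # Refill in proportion to elapsed time, capped at the burst size.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self._buckets[client_id] = (tokens, now)
            return False
        self._buckets[client_id] = (tokens - 1, now)
        return True


def handle_request(limiter, client_ip, api_key):
    """Return the HTTP status a backend would send (hypothetical handler)."""
    if api_key not in KNOWN_APP_KEYS:
        return 401  # unknown app label; a valid label proves nothing about the caller
    # Throttle on the network peer, not on the key: every install shares the
    # same key, so a per-key limit would let one client use up everyone's quota.
    if not limiter.allow(client_ip):
        return 429
    return 200
```

Behind a reverse proxy, `client_ip` has to come from a header set by that trusted proxy rather than from one the client controls.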

Like @outis151 said and I also explained in my comments here https://github.com/Exodus-Privacy/exodus-android-app/issues/201#issuecomment-1240924664 and https://github.com/Exodus-Privacy/exodus-android-app/issues/201#issuecomment-1240930486, I don't think it is worth the effort trying to hide the api keys...

Any plan on how to fix the issue? Because as of now the f-droid version is really broken :/ Maybe even just a temporary fix with a temporary API key you could disable later...

Altonss, Sep 16 '22 15:09

Any update on this issue? It's a pretty big problem that the app is broken on F-Droid... so even just a temporary fix would be good :) What about just putting the API key in clear text in the F-Droid build? I could help if you need...

Altonss, Oct 23 '22 01:10

Yes, it's planned to add the API key to the F-Droid build soon. Do you know if it's possible to start a new build on F-Droid without creating a new version on GitHub?

Jean-BaptisteC, Oct 23 '22 08:10

> Do you know if it's possible to start a new build on F-Droid without creating a new version on GitHub?

I don't know, but I think it's not possible. I think you need to tag a new version to make a new Fdroid build. Maybe ping @Bubu

Altonss, Oct 23 '22 10:10

Sorry, not involved in fdroid anymore.

Bubu, Oct 23 '22 10:10

> Sorry, not involved in fdroid anymore.

Oh sorry, I actually thought about @IzzySoft and confused you ^^

Altonss, Oct 23 '22 10:10

And I cannot tag a new release here :stuck_out_tongue: Assuming that auto-update is set up, tagging is all that is needed.

IzzySoft, Oct 23 '22 10:10