ApkTrack icon indicating copy to clipboard operation
ApkTrack copied to clipboard

Download and install latest APK

Open SecUpwN opened this issue 9 years ago • 28 comments

Hi @JusticeRage! First of all: Thanks for publishing your great app on my beloved F-Droid store! :+1: Since I am a privacy geek with a rooted phone digging into Android development myself (see my account here), I also enjoy having freed my phone from anything Google and already use Aptoide and of course F-Droid. Your app now enables me to check multiple stores for updates of all APKs, but I wonder why it cannot fetch and install the latest updates of free APKs yet? If it can't for legal reasons, please recommend me another open source app that can accomplish this task. Thank you for developing this!

SecUpwN avatar Jun 13 '15 17:06 SecUpwN

Hi! Not fetching APKs, even free APKs on F-Droid is a decision that I made at the very beginning. The rationale behind this is that downloading APKs over the network and installing them on a device has big security implications. For some update sources, a direct link to APKs is provided and the user is one click away from the update, which seems like a good compromise for me. This could be possible on F-Droid as well, but some work would be necessary because the URLs do not follow a specific pattern.

In the general case, however, I think it is a bad idea to automatically fetch updated APKs on Evozi.

JusticeRage avatar Jun 13 '15 17:06 JusticeRage

Not fetching APKs, even free APKs on F-Droid is a decision that I made at the very beginning.

Good to know, that implicates you're a programmer who has been thinking a lot about his app! ;-)

The rationale behind this is that downloading APKs over the network and installing them on a device has big security implications.

For unknown sources, I'm sure that is really the case. But fetching directly from Google via HTTPS?

For some update sources, a direct link to APKs is provided and the user is one click away from the update, which seems like a good compromise for me.

In my eyes, that is only partially right. Running your app now makes me feel like "Oh hey, new update! But WTF, how to get it if not available on Aptoide or F-Droid?" Preferred suggestion: Add download and installation as an advanced user option within the settings as well as a warning prompt before enabling?

SecUpwN avatar Jun 13 '15 17:06 SecUpwN

If I knew Google's URL scheme, I would definitely provide a direct link to their APKs inside the app, as it is done for WhatsApp, Nine Mail, etc. who provide official, HTTPS links.

That being said, I really don't want to perform automatic background downloads, this involves some file-system management (detecting that the app has been installed, remove downloaded APKs, etc.). As I said, a direct link to the latest APKs is provided whenever possible (but not for F-Droid yet), I think this is a good compromise.

JusticeRage avatar Jun 13 '15 18:06 JusticeRage

If I knew Google's URL scheme, I would definitely provide a direct link to their APKs inside the app, as it is done for WhatsApp, Nine Mail, etc. who provide official, HTTPS links.

Doesn't the source of the ApkDownloader and maybe apk-php-parser by @evozi provide some clues?

That being said, I really don't want to perform automatic background downloads, this involves some file-system management (detecting that the app has been installed, remove downloaded APKs, etc.)

Ok, I understand that. How about adding a button to manually initiate the download of the APK?

SecUpwN avatar Jun 13 '15 18:06 SecUpwN

I haven't had the time to look into Evozi's source yet :) The button you talk about already exists in ApkTrack. It replaces the search icon next to the app when a direct link is available (i.e. for ApkTrack's own updates and some built-in others).

JusticeRage avatar Jun 13 '15 20:06 JusticeRage

I haven't had the time to look into Evozi's source yet :)

Don't worry, I'll be patient until you did. Also, these projects might be useful, too:

The button you talk about already exists in ApkTrack. It replaces the search icon next to the app when a direct link is available (i.e. for ApkTrack's own updates and some built-in others).

Oh, didn't know that. Thanks for making me aware of it!

SecUpwN avatar Jun 13 '15 20:06 SecUpwN

I also thought about it and already looked in some sources. I think it should be possible to port some code from F-Droid to ApkTrack to download and install APKs.

The issue for downloading APKs from Google Play is, that you need an Google-Account for it, I don't know another solution. You also need an Google-Account to request the version from GPlay where version depends on device. This seems to be done for Evozi and other online Downloaders by them.

DJaeger avatar Jun 14 '15 06:06 DJaeger

@DJaeger, have you had a look at the projects I listed in my previous answer? I don't see any hardcoded accounts in these projects, but maybe I've just not looked thoroughly enough. Please verify.

I think it should be possible to port some code from F-Droid to ApkTrack to download and install APKs.

Do I misunderstand this, or is F-Droid able to grab APKs from GooglePlay? Would be new to me..

SecUpwN avatar Jun 14 '15 14:06 SecUpwN

Yes I had a look on these projects and much more. They all require a Google Account to download APKs (as this is a requirement by Google). This is supplied in different ways: Hardcoded in config file Hardcoded as static property in sources Attached as params to buildscript Configured in GUI

So for all the first it has to be in sources that F-Droid can build the app. Or a webservice is used (which can be FLOSS) where it is configured by supplier where the configuration is the only thing not in sources. Or allow the user to configure the account in GUI of the app.

As no one want to write credentials in source codes the only possible solutions are to deploy a webservice, where credentials are configured but not in sources or to require the user to configure them himself.

The first solution has the disadventage that no paid apps can be downloaded and the latter, that it requires the user to register and accept Googles terms of use. I think we should offer both possibilities.

That the user can choose to use a webservice (or how it is today oftern called "the cloud" ;-) ) or configure his own credentials.

But if a webservice is deployed for this app it should offer some more solutions than this. It could also offer a api for requesting version informations including those depending on devices and those which have to be summarized from different pages like F-Droid.


Yes you misunderstood this. I only mean the code to install a apk which is already available with system or su permissions.

DJaeger avatar Jun 15 '15 10:06 DJaeger

I think I will try to develope a webservice for this app, which supplies an api at some time

DJaeger avatar Aug 04 '15 10:08 DJaeger

That would be very nice to have!

JusticeRage avatar Aug 05 '15 00:08 JusticeRage

No, sorry.

DJaeger avatar Nov 19 '15 01:11 DJaeger

Hi @timofonic. My position on the topic has slightly evolved following very interesting conversations I had with an android hacker at the latest Hack in the Box conference. In the very long term, I will try to reverse-engineer the Play Store's protocol in order to obtain (free) APKs directly from Google's servers, which I find acceptable from a security standpoint.

However, this is obviously a lot of work and it may be a while before I begin working on this (months, maybe a whole year).

JusticeRage avatar Nov 19 '15 21:11 JusticeRage

In the very long term, I will try to reverse-engineer the Play Store's protocol in order to obtain (free) APKs directly from Google's servers, which I find acceptable from a security standpoint.

If ApkTrack had this feature, it would be for sure the number one app fetching APKs and updates! ;-)

SecUpwN avatar Nov 19 '15 21:11 SecUpwN

The latest beta version can now do this wherever direct links to APKs can be found (so for F-Droid and Xposed apps).

JusticeRage avatar Nov 30 '15 02:11 JusticeRage

The latest beta version can now do this wherever direct links to APKs can be found

Awesome! I guess an update of ApkTrack via F-Droid should work?

SecUpwN avatar Nov 30 '15 23:11 SecUpwN

F-Droid does not build beta releases. Right now, it's only available in the APKs I distribute, but if things go well (i.e. no bugs are reported), I'll make a stable release in a week or so.

JusticeRage avatar Nov 30 '15 23:11 JusticeRage

I'll make a stable release in a week or so.

Perfect, just take your time, I'll be patient. :+1:

SecUpwN avatar Dec 01 '15 06:12 SecUpwN

@JusticeRage what about just exporting a list of apks that need updating? Or automatically creating this file on sdcard? It could be a csv, a xml, a yaml, a json file, the simplest thing you can get.

At least this way you can help people that want to automate upgrades: having this list, I can send it to my owncloud instance, and set a bash script that iterates through all apks that need upgrading and download using a 3rd party script. So, if I installed "Meme Generator Free" from https://play.google.com/store/apps/details?id=com.zombodroid.MemeGenerator&hl=pt_BR, your file would contain "com.zombodroid.MemeGenerator" in a line and it would be easier to download the apks. What do you think? At least this is easier than reverse-engineering google play. :)

msdos avatar Mar 11 '16 19:03 msdos

I may work on this in the future, but this will not be top priority! What kind of third party script are you using to download APKs?

JusticeRage avatar Mar 17 '16 14:03 JusticeRage

That's not a CLI

https://codingteam.net/project/googleplaydownloader/download

But some of it's dependencies are. The idea is to use them somehow in the future, or something like this one https://github.com/yan12125/google-play-downloader (haven't tested it).

I think this is feasible and not so complicated as reverse engineering google play itself. But as you said, not top priority, that's fine.

msdos avatar Mar 23 '16 22:03 msdos

The AppBrain proxy has been updated to retrieve APKs from APKMirror when possible. Cases where no universal APK is available (architecture-dependent releases, i.e. x86, arm-eabi, etc.) are not supported for now, as the proxy wouldn't know which one to provide to the client.

JusticeRage avatar Jan 02 '17 21:01 JusticeRage

F-Droid does not build beta releases. [...]

While I have no knowledge about the specifics of the build process at F-Droid, software authors do release beta versions there. In the F-Droid client app they are shown as the topmost release, but are not marked with the hollow star indicating the most recent stable release (see screenshot below for an example). The F-Droid client app provides Settings > Unstable updates with which users can select, if they want beta releases to be offered as regular updates. If this setting is switched off (which is its default, IIRC, and my personal preference), one can still tap on any release of an app available at F-Droid, hence manually installing those beta releases (as I did with Sokoban 1.14 shown below). Edit: It is also possible to promote such an "unstable release" to a stable one (visually in the F-Droid client by that hollow star being moved), later on. I have seen this happening a couple of times (although not many software authors seem to use this feature). Edit 2: Issue #50 is related to this topic (unstable / beta vs. stable / recommended releases) and provides some further technical details. Edit 3: The F-Droid Build Metadata Reference describes how this is achieved in its section 7.33 "Current Version". I will open a different thread / issue for this in order to untangle this convoluted thread / issue here.

I am mentioning this, as releasing beta versions on F-Droid will likely provide many more testers, resulting in much more test coverage on various Android versions etc.

  • Example screenshot:
    screenshot_20171105_001

Olf0 avatar Nov 04 '17 23:11 Olf0

What kind of third party script are you using to download APKs?

gplaycli is now working flawlessly.

msdos avatar Nov 05 '17 04:11 msdos

gplaycli is now working flawlessly.

This supposedly addresses this Python program: https://github.com/matlink/gplaycli

Olf0 avatar Nov 05 '17 06:11 Olf0

Thanks for all of your work with this. Any chance that an automated background install via system privileges (or root privileges) could become part of ApkTrack in the future?

m-boyd avatar Dec 16 '17 19:12 m-boyd

It could in theory, but this isn't something I can work on as I don't own a phone I can root... Contributions are welcome on this issue.

JusticeRage avatar Dec 17 '17 09:12 JusticeRage