isSideLoaded issue tag on Android not working as expected
The isSideLoaded tag for Android displays false even for sideloaded apps (apps installed directly from the APK):

Here the installerStore tag shows the app was installed by com.android.packageinstaller, which is the system app used when installing an APK manually, and yet isSideLoaded shows false.
@marandaneto identified that the Android documentation is misleading here: https://developer.android.com/reference/android/content/pm/PackageManager#getInstallerPackageName(java.lang.String) It says "Retrieve the package name of the application that installed a package. This identifies which market the package came from." The first sentence is true, the second is not, since not all installer apps are "markets".
Ultimately I don't think the isSideLoaded tag is useful even with this fixed, since it's not really defined what "sideloaded" means. Even when the app is actually installed from a market, there are shady market apps that rehost apps copied from Google Play. And apps installed from them are definitely "installed from a store/market", but the information useful for the app developer is that it was installed from an unofficial source, even though it was not technically "sideloaded" (or was it? where is the line?).
What I would propose as the actual fix:
- Remove the isSideLoaded tag: it doesn't provide any information not already visible in the installerStore tag
- Rename installerStore to installer: it's not always a store
- Use the red highlight (as visible in isSideLoaded: false on the screenshot) on the installer tag, when it doesn't contain one of the reputable stores (Google Play, Samsung Galaxy Store, Amazon Appstore)
- Show the installer as none when none
While I agree that my proposed solution is an enhancement going further than the original issue, this issue is still a bug: isSideLoaded shows false for sideloaded apps.
Thanks for raising this. We'll dig into the incorrect value for isSideLoaded further and update this issue
This issue also affects the React Native/Expo Sentry packages.
so isSideLoaded working as expected or not?
It seems not. We have plans on looking into this but didn't get to it yet, @nienienienie.
@Nohus is this still an issue for you? In case it is please provide a repro and we're happy to look into this again.
Yes, this bug is still present and the reproduction steps are still as in the original comment: download an APK, install it, and when an issue is reported to Sentry it shows as not sideloaded, even though it is.
I'm not sure why this was closed if there is no resolution.
Libs do the same as us: https://github.com/javiersantos/PiracyChecker/blob/4ebafd4890593a09a2b978ed38e6dc7dc6ce79e1/library/src/main/java/com/github/javiersantos/piracychecker/utils/LibraryUtils.kt#L93-L104
The difference is that they also account for the known stores, e.g. https://github.com/javiersantos/PiracyChecker/blob/4ebafd4890593a09a2b978ed38e6dc7dc6ce79e1/library/src/main/java/com/github/javiersantos/piracychecker/enums/InstallerID.kt#L6-L9
Testing locally, getInstallerPackageName always returns null if it's installed via adb.
getInstallSourceInfo requires INSTALL_PACKAGES permission so not really useful (I guess?).
I guess what we can do here is to special case com.android.packageinstaller and consider it as isSideLoaded=true in this case instead of only null. Maybe we'll find out more package names; we can fix them 1 by 1.
The best idea would be to use something like https://github.com/javiersantos/PiracyChecker#verify-google-play-licensing-lvl but this does not work everywhere (e.g. China) anyway.
I just did adb push from the computer to the emulator, installed the app via the file explorer, and still getting installerStore=true correctly.
@Nohus how do you reproduce this problem?
installing an APK manually
Can you tell me how you install the APK?
The linked approach from PiracyChecker looks to be what I suggested above: having a list of valid stores and considering everything else sideloaded. That makes sense to me.
I installed the app from Chrome's Downloads list, which started the package installer. Alternatively you can install any unofficial app store like ApkPure and install from there. It has rehosted copies of apps from Google Play.
I guess what we can do here is to special case com.android.packageinstaller and consider it as isSideLoaded=true
That wouldn't account for all the other apps that can install stolen copies of apps like ApkPure or ApkMirror, or backup apps restoring apps from a backup (reinstalling a backed up APK).
Gotcha, I will leave the Android team to handle this then, thanks for the feedback @Nohus
@romtsn @markushi @stefanosiano please double check if the priority is still p2 or not.
Possible solutions:
- Remove the isSideLoaded tag and keep the store name only. The backend will infer if it was sideloaded or not.
- Allowlist other store names on the SDK side
Solution 1 means doing the change on the SDK in v7 and thus making this p1
Let's go for solution 2, as it should be easier to maintain and wouldn't cause a breaking change (e.g. considering self-hosted).
related: https://github.com/getsentry/sentry-java/issues/3026
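The allowlist approach the thread settles on (solution 2), shown beside the null-only check it replaces, as an added example that is not code from the Sentry SDK or from any commenter. The store package names, the class and method names, and the sample installer values are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class InstallerCheck {
    // Installer package names for the stores named in the thread
    // (assumed values, not taken from the Sentry SDK).
    static final Set<String> TRUSTED_STORES = new HashSet<>(Arrays.asList(
            "com.android.vending",              // Google Play
            "com.sec.android.app.samsungapps",  // Samsung Galaxy Store
            "com.amazon.venezia"));             // Amazon Appstore

    // Behaviour described in the thread: only a missing installer counts as sideloaded,
    // so com.android.packageinstaller is reported as isSideLoaded=false.
    static boolean isSideLoadedNullOnly(String installer) {
        return installer == null;
    }

    // Allowlist: any installer that is not a known store counts as sideloaded.
    static boolean isSideLoadedAllowlist(String installer) {
        if (installer == null) return true;
        return !TRUSTED_STORES.contains(installer.trim());
    }

    // Tags as proposed in the thread: "installer" reads "none" when absent.
    static Map<String, String> tags(String installer) {
        Map<String, String> t = new LinkedHashMap<>();
        boolean missing = installer == null || installer.trim().isEmpty();
        t.put("installer", missing ? "none" : installer.trim());
        t.put("isSideLoaded", String.valueOf(isSideLoadedAllowlist(installer)));
        return t;
    }

    public static void main(String[] args) {
        // Constructed inputs standing in for getInstallerPackageName results;
        // com.example.unofficialstore is a hypothetical third-party installer.
        String[] samples = {
            "com.android.vending", "com.android.packageinstaller",
            "com.example.unofficialstore", "", null };
        for (String s : samples) {
            System.out.printf("%-32s nullOnly=%-5b allowlist=%-5b tags=%s%n",
                    s, isSideLoadedNullOnly(s), isSideLoadedAllowlist(s), tags(s));
        }
    }
}
```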