krypton-android
krypton-android copied to clipboard
kryptco
Alternative to Play Store
There are users that don't use Google Play. This includes users in China, Free Software purists (e.g. Replicant), security conscious users (CopperheadOS) and minimalists who use after market Android Distributions without "Google Apps" (e.g. LineageOS).
To reach those users Krypronite should be distributed via the F-Droid Free Software Repository.
And until it's available there, the .apk file could be attached to the corresponding releases/ maybe? I could then make it available via my repo – either until it hits the official one, or even until after that happened.
Sure! For the short term, I just added the latest apk here: https://github.com/kryptco/kryptonite-android/releases
We'll check out F-Droid soon, thanks for the pointer to it.
@kcking Thanks, find it here now for use with the F-Droid client (feel free to point there for an alternative to GPlay). New versions will automatically be available within about 24h of your attaching them to a new release.
For the official F-Droid repo, I see a few issues: AWS and a bunch of Google Services (which, besides, are a show-stopper for me to trust an app with private and/or sensitive information – I don't want my keys end up in the cloud; even if I trusted you, you've got no control over those proprietary components. Not going to launch a debate now, just mentioning :stuck_out_tongue_winking_eye:)
Thanks for adding Kryptonite!
The goal is to treat AWS and Google as untrusted communication channels, and we have currently achieved this network-wise (everything sent through their servers is encrypted and signed using the session keys exchanged during pairing).
Still that leaves the source code of their android clients:
- AWS: Gradle pulls binaries from repository. I would prefer to switch to compiling a submodule from source i.e.: https://github.com/aws/aws-sdk-android (same with our other open-source dependencies)
- Google Play Services: closed source, finding an alternative for push notifications with an open-source client would be desirable for phones that don't use Google Play services.
I'll add both of these as issues that you can follow if you like
Thanks for the details, Kevin! Good to see you're aware of it and even take possible precautions. Those "blobs" are exactly what I meant: we cannot be sure what happens in there. So thumbs up for your engagement, and – how would one say? "good riddance" for those blobs?
As indicated, so long you add an APK to each new release, it will be updated in my repo – unless you indicate you don't want that anymore.
I'd like to be able to use krypton and to install it from the F-Droid appstore (because I don't use the Play Store).
In order to be published on F-Droid, one constraint is that the app has to be built by F-Droid. There is guide to help: Submitting to F-Droid: Quick Start Guide.
(thanks @hex-m, post edited)
Thank you @oupala but your link points to the (not really translated) french version of the document. The english version is different in some parts. The contribution guide in the repository is helpful too.
There are multiple show-stoppers for that currently:
implementation 'com.google.android.gms:play-services-base:15.0.1'
GMS is not accepted at F-Droid. Neither are those:
implementation 'com.google.firebase:firebase-messaging:17.3.1'
implementation 'com.google.firebase:firebase-core:16.0.3'
implementation 'com.crashlytics.sdk.android:crashlytics:2.9.5'
and I'm not sure about these:
implementation 'com.amazonaws:aws-android-sdk-core:2.2.22'
implementation 'com.amazonaws:aws-android-sdk-sqs:2.2.22'
implementation 'com.amazonaws:aws-android-sdk-sns:2.2.22'
I even had to remove the app from my repo recently because of "too many trackers/proprietary-elements", unfortunately (for my inclusion criteria, please see here). So in the current state, it's definitely not meeting F-Droids inclusion citeria. That could however be achieved e.g. by establishing a build flavor that comes without those obstacles, providing clean FOSS for F-Droid while still being able to have those trackers in the Playstore version.