Replying to Avatar 134355345

nostr:npub1gm7tuvr9atc6u7q3gevjfeyfyvmrlul4y67k7u7hcxztz67ceexs078rf6

I just downloaded the APK file from Play Store Console (the APK file that Google generated from the .AAB file I uploaded to Play Store) and compared it with the signed APK file I generated with my Intellij IDE, using the same keystore, key index and code commit.

I used the SHA256 hash and both APKs have different hashes

I cannot think of an easy way of verifying that the app published on Play Store is the same build that I would obtain by building the source code. Am I correct in the logic?
Avatar
134355345 2y ago 💬 1

nostr:npub1gm7tuvr9atc6u7q3gevjfeyfyvmrlul4y67k7u7hcxztz67ceexs078rf6. Maybe one option would be to just publish apps in places where signed .APK can be uploaded.

Reply to this note

Please Login to reply.

Discussion

Avatar
Leo Wandersleb 2y ago

With WalletScrutiny.com we focus on impact. As much as "Just build it yourself. It's easy" isn't a good excuse for stealing from the 99.9% of users that will not compile it themselves, offering alternative downloads doesn't fix much. So if you offer the apk on your project's website for download, most users would be more vulnerable due to phishing attacks than if you figure it out with one repository - Google Play Store.

There is one alternative though: Fdroid. If your project is open source, you can publish it via fdroid and benefit from fdroid checking for reproducible builds.