[guardian-dev] strategy for lib to safely install F-Droid

Hans-Christoph Steiner hans at guardianproject.info
Thu Jul 7 16:27:25 EDT 2016



Hans-Christoph Steiner:
> 
> Hans-Christoph Steiner:
>>
>>
>> Adam Pritchard:
>>>>
>>>> Internet freedom tools like Psiphon, Tor/Orbot, Great Fire's FreeBrowser,
>>>> StoryMaker, and many more provide direct download links for installing apps
>>>> when Google Play is blocked, or the internet is otherwise filtered.  If
>>>> users who download those do not have Google Play, they are left without a
>>>> reputable source of essential updates.
>>>
>>>
>>> This doesn't invalidate your point/idea, but for completeness: Psiphon's
>>> directly installed clients self-upgrade, with signature verification of the
>>> upgrade package. To avoid violating the Play Store ToS, the app detects
>>> whether it's a Play Store install or directly installed, and doesn't try to
>>> self-upgrade in the former case.
>>>
>>> Adam
>>
>> Thanks, that's definitely useful info!  How long has that been in your
>> Google Play releases?
>>
>> .hc
> 
> @commonsguy just pointed out this library to me, which already includes
> F-Droid support:
> 
> https://github.com/javiersantos/AppUpdater
> 
> I wonder if it does the right thing in terms of verifying what it
> downloads, or just leaves it up entirely to Android verifying the APK
> signature.

I dug into it a little bit; it just scrapes the various app webpages to
see if the version is newer.  Seems a bit fragile.  It then just
downloads the APK.

.hc
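
The two checks discussed in this thread (skipping self-upgrade for Play Store installs, and verifying a downloaded APK rather than leaving everything to the Android installer) could look like the following. This is an added example, not code from Psiphon, AppUpdater or F-Droid; the class and method names are hypothetical, and it assumes "signature verification" means comparing the APK signing certificates against those of the running app.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.io.File;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical helper; names are assumptions made for this example. */
public final class SelfUpdateCheck {
    private static final String PLAY_STORE = "com.android.vending";

    /** True when Google Play installed this app, so self-upgrade should stay off. */
    public static boolean installedFromPlay(Context ctx) {
        String installer = ctx.getPackageManager()
                .getInstallerPackageName(ctx.getPackageName());
        return PLAY_STORE.equals(installer); // null-safe: installer may be null when sideloaded
    }

    /**
     * Early rejection of a downloaded APK before it is handed to the installer.
     * The platform installer still verifies the APK signature at install time;
     * this check avoids prompting the user with a package that is not ours.
     */
    public static boolean isAcceptableUpdate(Context ctx, File apk) {
        PackageManager pm = ctx.getPackageManager();
        PackageInfo installed;
        try {
            installed = pm.getPackageInfo(ctx.getPackageName(),
                    PackageManager.GET_SIGNATURES);
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
        PackageInfo candidate = pm.getPackageArchiveInfo(apk.getAbsolutePath(),
                PackageManager.GET_SIGNATURES);
        if (candidate == null || candidate.signatures == null
                || candidate.signatures.length == 0) {
            return false; // unparsable or unsigned download
        }
        if (!installed.packageName.equals(candidate.packageName)) return false;
        if (candidate.versionCode <= installed.versionCode) return false; // no downgrade
        // Signature implements equals/hashCode over the certificate bytes.
        Set<Signature> ours = new HashSet<>(Arrays.asList(installed.signatures));
        Set<Signature> theirs = new HashSet<>(Arrays.asList(candidate.signatures));
        return ours.equals(theirs);
    }
}
```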