[guardian-dev] strategy for lib to safely install F-Droid
Hans-Christoph Steiner
hans at guardianproject.info
Thu Jul 7 16:27:25 EDT 2016
Hans-Christoph Steiner:
>
> Hans-Christoph Steiner:
>>
>>
>> Adam Pritchard:
>>>>
>>>> Internet freedom tools like Psiphon, Tor/Orbot, Great Fire's FreeBrowser,
>>>> StoryMaker, and many more provide direct download links for installing apps
>>>> when Google Play is blocked, or the internet is otherwise filtered. If
>>>> users who download those do not have Google Play, they are left without a
>>>> reputable source of essential updates.
>>>
>>>
>>> This doesn't invalidate your point/idea, but for completeness: Psiphon's
>>> directly installed clients self-upgrade, with signature verification of the
>>> upgrade package. To avoid violating the Play Store ToS, the app detects
>>> whether it's a Play Store install or directly installed, and doesn't try to
>>> self-upgrade in the former case.
>>>
>>> Adam
>>
>> Thanks, that's definitely useful info! How long as that been in your
>> Google Play releases?
>>
>> .hc
>
> @commonsguy just pointed out this library to me, which already includes
> F-Droid support:
>
> https://github.com/javiersantos/AppUpdater
>
> I wonder if it does the right thing in terms of verifying what it
> downloads, or just leaves it up entirely to Android verifying the APK
> signature.
I dug into it a little bit, it just scrapes the various app webpages to
see if the version is newer. Seems a bit fragile. It then just
downloads the APK.
.hc
More information about the guardian-dev
mailing list