[Feature Request] F-droid in sources filter

[Zerokami]

F-Droid apps show up as sideloaded apps and there isn't an easy way to know if the app is from F-Droid.

Since F-Droid is the only source for FOSS exclusive apps, it might be nice to add a Filter for F-Droid and filter the F-Droid signed apps.

[MartinStyk]

Hi, thank you for opening the issue. I will take a look and see what can be done here.

[MartinStyk]

Hi @Logmytech , unfortunately there is no way to distinguish F-droid apps (at least I am not aware of any).
Only thing that can be used to find the source of application is a package that installed it. This package differs between app stores. However, F-droid downloads an application and shows prompt to install it using standard package installer. Because of that, it is impossible to distinguish these apps.

[Zerokami]

But the signature of APK Analyzer shows F-droid.

So, F-Droid actually signs these APKS. So we can check the signatures in the APK, maybe?

[MartinStyk]

Yeah, it signs it. But in that case, I would need all keys used for signing apps in F-droid market. I can not rely on name in signature, becasue anyone can create signing key with name F-droid. I would need to match against the public key.
I do not think it is a good idea to do it, because it will not be reliable...
wdyt?

[Zerokami]

I think if F-droid uses a single signature for signing all apps like play does it, you should implement it.

I think that's what F-Droid should do, but I'm not sure that's what it does.

App detective actually shows F-Droid icons for F-droid apps. So, it might be using a single signature.

BTW can multiple people sign a single app. Like dev, store etc?

https://forum.f-droid.org/t/recognising-f-droid-apps-from-apk-signature/1867

Issuer: CN=Ciaran Gultnieks, OU=Unknown, O=Unknown, L=Wetherby, ST=Unknown, C=UK
Serial number: 4c49cd00
Valid from: Fri Jul 23 13:10:24 EDT 2010 until: Tue Dec 08 12:10:24 EST 2037
Certificate fingerprints:

  MD5:  17:C5:5C:62:80:56:E1:93:E9:56:44:E9:89:79:27:86
  SHA1: 05:F2:E6:59:28:08:89:81:B3:17:FC:9A:6D:BF:E0:4B:0F:A1:3B:4E
  SHA256: 43:23:8D:51:2C:1E:5E:B2:D6:56:9F:4A:3A:FB:F5:52:34:18:B8:2E:0A:3E:D1:55:27:70:AB:B9:A9:C9:CC:AB```

[IzzySoft]

@MartinStyk you can tell the installation source by the corresponding attribute (-i parameter to pm); in the package dump, the field is called installerPackageName. Playstore has two different "sources" here, FDroid just one (org.fdroid.fdroid if I remember correctly), Aptoide has its own as well (as will all other market apps, I suspect). Just create a dump and grep for installerPackageName, sort, and uniq 😉

[MartinStyk]

@Logmytech @IzzySoft,
I get the installation source using the {{PackageManager}}'s method {{getInstallerPackageName}} [1]. It is basically the same as described in @IzzySoft's comment.
However, when I test it, for F-droid apps I always get installer package {{com.google.android.packageinstaller}}, which is default Android installer.

I suppose it is because F-Droid app downloads an apk file, but let default android installer to install the package.

Am I missing something here?
Thank you for your help 👍

[1]https://github.com/MartinStyk/AndroidApkAnalyzer/blob/master/app/src/main/java/sk/styk/martin/apkanalyzer/model/detail/AppSource.java#L34

[IzzySoft]

What I do in my tool Adebar is parsing the package list returned by dumpsys package (starting at ^Packages: and stopping at ^Shared users:). And Adebar reports the correct installer. The Android installer certainly is invoked the same way pm is (a la pm install -i <installer_package_name> …).

I'm no Android dev, so I don't know any corresponding Java APIs, sorry. If you want to cross-check with my Shell code, see the function getAppDetails() in lib/packagedata.lib.