Mobile: F-Droid Support

Created on 10 Oct 2016  Â·  98Comments  Â·  Source: bitwarden/mobile

Any chance of adding this to F-droid?

question

Most helpful comment

15.6 is now available, so we're past that hurdle. We can look into submitting to F-Droid again soon.

All 98 comments

I am not sure if it is possible to support f droid (never heard of it until now, im an iOS user) with Xamarin. Anyone know? I couldn't find anything on it.

Here's their developer documentation.

https://f-droid.org/wiki/page/FAQ_-_App_Developers

I still do not really understand what you have to do to make the app work on f-droid? Is there some store I have to submit to?

Last time i looked you just needed to have a repo with reproducile build, and submit a message on the forum to say you want your app to be added.

@kspearrin if you'd just attach the .apk to your releases/, I could pick them up and add them to my repo, which is compatible with the F-Droid client. After the initial add, my auto-updater would fetch the next releases automatically within 24h usually. If your app finally makes it into the official F-Droid repo, and you want me to remove it from mine, just drop me a note.

@IzzySoft I'll start doing that with the next release which should be very soon (maybe tonight).

@IzzySoft When you say releases/, are you wanting me to create a releases/ directory inside the actual repo master branch root or are you wanting me to just attach the binary to the published release & tag (i.e. this page https://github.com/bitwarden/mobile/releases/tag/v1.0.0).

@kspearrin the latter is preferrable, as described here. And thanks a lot!

@kspearrin There you go: https://apt.izzysoft.de/fdroid/index/apk/com.x8bit.bitwarden

Once F-Droid itself picked up and your app made it into the main repo, just drop me a note if you want me to remove it from mine again (e.g. to avoid confusion, as F-Droid compiles from the source and signs with their own key, one cannot cross-update between the two).

PS: Please note that other than F-Droid, I don't keep an "archive" of old versions. My usual policy is to reserve about up to 20M per app – so apps with 6M or less have a history of 3 versions (aka "max history"). As the _bitwarden_ .apk is already 21M, my repo will just always have the latest version. But that should be fine: in those rare cases where someone might need an older version, that can be picked from releases/ here now :)

With the initial .apk added, updates should be picked up now within ~24h of their release (i.e. after you've created the tag and attached the file). Enjoy :)

PPS: Please note the VirusTotal link. Looks like a "false alert" (just triggered by 1/56 scanners), but just in case. Not that many hits if you search for it, and always only one and the same engine reporting it. If it were real, it'd rather look like this report :)

Great. Interesting about the virus alert. I have no idea what W32/VBNA.alxm is.

As far as my search went, it's supposed to be some worm usually shipping with Windows executables. IMHO a "false positive" caused by a too broad pattern matching on some signature. That's why I usually resubmit those .apk files for a rescan a few days later. Often clears the flag as the engine's signature database had been updated meanwhile.

@kspearrin bitwarden won't pass due to non-free dependencies. There are important differences between an open source app and a free/libre and open source app.
Inclusion Policy

I'm a little confused. What non-free dependencies do we have?

Google Analytics at least.

@kspearrin According to LibRadar (used with my repository to check what libraries are contained), I see e.g. Google Mobile Services. Guess that's what AppBrain's scanner reports as Google Cloud Messaging (GCM)

@Primokorn Google Analytics wasn't detected by either of the two. Are you sure?

Ok. I guess I misinterpreted the definition of free here.

Google Play Services is also required for other functionality in our app like sync push notifications (GCM).

Yes "free" doesn't mean "gratis" in this context
https://www.gnu.org/philosophy/free-sw.en.html

Closing since this doesn't seem possible.

@Primokorn Oh. Beat me. I was just wondering that neither AppBrain nor LibRadar mentioned that. Thanks for the pointer, need to update that in my repo description then (adding the AntiFeature).

Thanks for taking the time to look into this.

@kspearrin Any reason why you stopped attaching the .apk to the corresponding releases? Without that, I cannot keep it updated in my repo :smile_cat:

Just forgot. Updated now.

Thought so :smile_cat: Thanks, should be picked up then tonight.

We tried that too in the past and it really just works, if the app has functionality without the presence of the play store API for example...
if some things work but not everything it still can be submitted - but will get some "anti-feature" badges - which is ok...
...its a store for people who don't want to use a playstore account - are at least they want the ability to use the app without that...

Sorry for necrobumping this, but would it perhaps be possible to make a Libre build that goes into FDroid without the Google dependencies? I know Fasthub does this.

Especially now with Google crippling apps using accessibility features this might be something to look into...

I'll re-open this as an option to look into for building the app without the Google library dependencies, albeit with some reduced functionality.

@kspearrin Which features couldn't be included without Google dependencies?

Push notifications is the main thing that will be missing.

I have now created a build that strips all Google and HockeyApp libs from the application while still maintaining a functional app. Push notifications for instant updates are now gone so you'll have to manually keep the app in sync (it should still automatically sync periodically though).

A special apk for F-Droid is now generated by our CI system and attached as artifacts to each build here:

https://ci.appveyor.com/project/bitwarden/mobile/build/artifacts

Anyone know of a tool (apk scanner?) I can use to verify that no Google or HockeyApp bits are still present in the F-Droid apk? Is there something the F-Droid people uses to verify all of this?

Then I guess we can now open the F-Droid repository request again.

@kspearrin As soon as those changes reflected in the APK on the releases/ that go to my repo, you could check this here (might not be complete – but it showed those libraries for previous builds). Unfortunately, current builds fail apkchecker:

DOES NOT VERIFY
ERROR: JAR signer BITWARDE.RSA: Failed to verify JAR signature META-INF/BITWARDE.RSA against META-INF/BITWARDE.SF: java.security.SignatureException: Algorithm constraints check failed on disabled algorithm: MD5.
ERROR:
repo/com.x8bit.bitwarden_1.14.1.apk:

which might be a show-stopper if you plan to go for "reproducible builds" (KnownVuln). In my repo I've configured to permit for MD5 and only have fdroidserver place the corresponding AntiFeature (it does that automatically then).

@IzzySoft any way I can easily run your tool without doing an official release?

@kspearrin Guess it will take a little to set that up. I use a combination of multiple tools to make sure I catch as many libraries as possible. LibRadar does the main part, but I further evaluate Smali output captured from ApkTool. Nothing you'd be likely to finish before your coffee gets very cold, sorry.

PS: thinking aloud, @kspearrin – if I had the file, I could run the check manually and just skip the "publish" step. Your app is in my repo anyhow, so everything is set up for it :wink:

@IzzySoft You can download the fdroid apk from here: https://ci.appveyor.com/project/bitwarden/mobile/build/artifacts

@kspearrin I've picked com.x8bit.bitwarden-fdroid-1270.apk. It still shows all those libs (Firebase, GMS, GA). Did you remove the components, or replace them by "stubs"?

They are suppose to be removed completely. Hmm...

Not according to the Smali output. Small excerpt:

./smali/com/google/android/gms/actions
./smali/com/google/android/gms/ads/identifier
./smali/com/google/android/gms/analytics/ecommerce
…
./smali/com/google/android/gms/tasks
./smali/com/google/firebase/analytics
./smali/com/google/firebase/auth

Does HockeyApp show?

@IzzySoft I see the problem. Thanks.

Let me know then when I should do another run, @kspearrin :wink:

@IzzySoft Can you please try the latest CI build now? https://ci.appveyor.com/project/bitwarden/mobile/build/artifacts

If size is an indicator, this already looks promising (lost some "weight"). Smali looks good, cannot see those dependencies anymore (any reason for those obfuscated md5 hashed library paths like smali/md500032558e65d65a9fc0bf95666812307?). Just one candidate is left according to my scanner bundle: GMS. As I cannot see that in the Smali output, it must be the call analysis done by LibRadar (those MD5-Paths could be obsuced GMS libs) – or a false positive.

TL;DR: I'd say you could approach an F-Droid maintainer now (at least if you know what those obscured paths are and they are not GMS). If there's really "a trace left", they are likely to find it. Or confirm it's clean.

@IzzySoft I'm not sure what all those md5 hashes are honestly. Not sure where the "GMS" flag is coming from. Can't locate anything myself in the APK.

Thanks.

I'm not sure what all those md5 hashes are honestly.

Glad to read it was not you intentionally then :wink: Maybe you could compare the list of libraries my scanner detected to the ones you know you're using – so we might guess the culprit? Such obfuscations often rise suspicions, so they are best avoided especially if one cannot explain them.

Not sure where the "GMS" flag is coming from.

Must be something inside those obfuscated parts, or we'd see it in the Smali output. Unfortunately you're not using Gradle, or I'd cross-check that myself (I'm not an Android dev, so I'm not familiar with all aspects of programming there). What my scanner-collection detects you can see in the "Libraries detected" section here. If there's anything you use that's not listed there, that might be the obfuscated part / the part where GMS is "suspected".

We're not intentionally doing any kind of obfuscation here so I am not sure where it could be hidden.

No, that was my conclusion, too. That's why I suggested if you might check the list of libraries shown in my repo and see which one is missing (i.e. not detected by my scanners), so we might get an idea what that could be. If only for curiosity.

Known, still there:

  • Android Support v4 (Development Framework)
  • Xamarin (Development Framework)
  • Mono for Android (Development Framework)
  • Android Design Support Library (Utility)
  • Android Support v7 (Development Framework)
  • Samsung Mobile SDK Pass (Fingerprint) (Utility)
  • FFImageLoading (Utility)

Unknown, presumed still there:

  • SlidingMenu (UI Component)
  • Pdftron PDF Widget (Utility)
  • The Open Toolkit Library (Utility)

Removed (or at least should be):

  • Google Mobile Services (Development Framework)
  • Firebase (Utility)
  • HockeyApp (Utility)

No idea what those three unknown libs are or why they show up in your scanner.

Thanks! Those are the ones listed at my site, so that partly confirmes the detector did right. But did it miss any library you know to use?

Is there a update on this? What's the current status?

@jtrees Waiting for Visual Studio v15.6 which will include the needed updates to fix the key issue mentioned by @IzzySoft . Once that is resolved we will re-open our submission for F-Droid. Likely sometime in the next month or two.

True: makes no sense to reopen without that being solved first. Good plan thus :wink:

15.6 is now available, so we're past that hurdle. We can look into submitting to F-Droid again soon.

Anyone want to test the new F-Droid release candidate? https://github.com/bitwarden/mobile/releases/latest

Let me know if any issues.

Just found this thread. We're installing Bitwarden today so I'd be happy to test the client on my CopperheadOS phone once we get it up and running.

Just downloaded will be testing this and let you know any issues.

Logged in, set and used PIN, set and used quick tile, set Oreo autofill and tested in duckduckgo privacy browser all fine so far.

I tried it out and didn't really do anything advanced (except for unlocking via fingerprint, which works :+1:) but at first glance everything appears to be working.

I'm really impressed at how quickly you took care of this. Look forward to downloading this from F-Droid.

I have re-opened the request on F-Droid's issue tracker here: https://gitlab.com/fdroid/rfp/issues/114

I am not sure if there is some kind of voting that occurs to get attention to these type of requests, but you can find it there now.

I've noticed you include an *fdroid*apk in the releases section now. How is that different to the other? Analyzing it, it still yells "GMS, GA, Firebase". No way to get it into the main repo that way.

Ooops: See the F-Droid bot just scanned your repo 4 minutes ago and found "0 problems" – hey, null problemo sounds good to me! So how does your *fdroid* build differ from that? :confused:

The fdroid builds in the releases page are the result of all the past discussion and tests that were part of this issue, which included removing Google and Hockeyapp libraries.

@IzzySoft , I see that your f-droid repository packages the regular apk (which would be the same as the play store/yalp version), and not the f-droid variant. Any reason for that ?

@pgera Yes. I have no build environment (nor experience), so I just take the APK files provided by the projects. Main intention is to make it easier for end-users to find, install and keep them up-to-date. And in many cases, to have them available that way until they found their way into the official F-Droid repo.

to have them available that way until they found their way into the official F-Droid repo.

I meant preferring com.x8bit.bitwarden.apk over com.x8bit.bitwarden-fdroid.apk, both of which are included under releases in this repo. So I thought the *-fdroid.apk would be more in line with your goals.

Funny. My script explicitly specifies the fdroid file. Are you sure it's the wrong one in my repo? Don't get confused by the file names: APK files are always renamed here to <package_name>_<version>.apk. Replacing it manually now; please let me know if the same happens on the next update, then I'll have to investigate deeper.

Though I wonder what difference it makes: even the -fdroid one comes with GA, Firebase and other trackers. @kspearrin ? That way it never makes its way to the official repo. And honestly, the package size is at 150% of the limit I usually set. That together with the trackers makes me think whether I shall keep it in my repo or not. When I added it about 2 years ago it was exactly on the limit, and only had 1 tracker. Now my scanner shows 3+.

Fdroid build has GA, Firebase, and HockeyApp removed. Nto sure what other "trackers" you are seeing.

Strange. Smali says:

~
...
./smali/com/google/android/gms/ads/identifier:
./smali/com/google/android/gms/analytics/ecommerce:
...
./smali/com/google/firebase/analytics:
...
./smali/net/hockeyapp/android/adapters:
./smali/net/hockeyapp/android/listeners:
...
~

Sure you mean "removed" – and not just "disabled", @kspearrin? Just asking, no accusations :innocent:

Well, I attempted to remove them completely. Maybe it didn't work. They are definitely disabled though. How do you get that output?

It's a by-product of LibRadar (I'm using the V1 branch), which uses Apktool for this. From the code, the command seems to be

apktool decode -r <apkfile> -o <output-directory>

Above list basically is an excerpt of the recursive ls of the output directory.

What else needs to be done for this?

What else needs to be done for this?

It seems that the F-Droid build servers can't build Xamarin Apps yet, so that probably needs to happen first.

@izzySoft could you add bitwarden to your repo, please? Seems it missing right now.

@rakshazi Nope: I've had it there and explicitly removed it. No bad feelings: but a password manager that comes with (proprietary) trackers is a no-go. And Bitwarden comes with more than one, unfortunately (when I last checked it were at least 4, see above). Though @kspearrin wrote they are disabled, the libraries are still present and thus show up in the details. With them being proprietary it's impossible to ensure nothing of their functionality remained active (and no, I don't suspect "bad intentions" from Bitwarden devs – I just don't trust the proprietary remains).

Further, apart from exceeding the size limit of my repo (20M per app – Bitwarden has 30M+), there're no longer APK files attached to the latest release, so I could not even fetch them would all else fit.

We include HockeyApp (for crash reporting) and Firebase Messaging (for live sync push notifications) libraries in the apps. HockeyApp is open source: https://github.com/bitstadium/HockeySDK-Xamarin . Parts of Firebase are open source, but I am not sure if their messaging SDK is. I am not sure what other alternatives exist to handle push notifications to the app, which is a critical function for keeping vaults in sync.

As for the app size, v2.0, which is in beta is reporting at about 28MB now. When distributed on Google Play, it is about 14MB.

Well, f-droid main repo has very strict requirements about such things, but you can create your own repo (like bromite, nanodroid, etc) and serve apks from github pages.
About push notifications - you can create your own push server, like guys from Telegram FOSS Team did - they used non-google server and it does not require any gms components for really smooth work (I use telegram foss as main messenger without gapps at all).

If someone is familiar with how to host your own FDroid server, I'd be happy to look into setting one up.

Sorry, never did it before, but found some docs and examples.

  1. Official f-droid tool: https://gitlab.com/fdroid/repomaker but it requires separate webserver to run
  2. Unofficial Firefox repo: https://gitlab.com/rfc2822/fdroid-firefox you can contact repo author with MR/PR to add bitwarden to that repo or fork it and maintain yourself. The best part of it - daily scheduled ci job that downloads new releases of apps and saves to own fdroid repo, served by gitlab pages (same as github pages)

@kspearrin added MR to rfc2822: https://gitlab.com/rfc2822/fdroid-firefox/merge_requests/8
Please, attach fdroid version of bitwarden to latest release, because ci job failed: https://gitlab.com/rakshazi/fdroid-firefox/-/jobs/226804803

@rakshazi Done.

ok, it downloaded correctly in last job, so we need to wait for repo owner to merge it.

@kspearrin if you prefer GUI, see my article Your own F-Droid Repository with Repomaker. I do not (yet) have one for setting up your own F-Droid Server in the "traditional way", though there should be one in F-Droid docs. That one could be integrated with CI as it can be controlled by command line. Basically, Repomaker includes the required binaries etc. as well (as it uses them as backend). @rakshazi Repomaker is not the "official F-Droid tool" (that would be fdroidserver) – and it does not require setting up a web server (it uses other means for hosting the repo, e.g. Github/GitLab).

As for the dependencies: Firebase Messaging is not open source (or it would be allowed by F-Droid main repo), AFAIK it requires (parts of) GMS. Crash reporting: So what for is GA included? And Google Ads? HockeyApp IMHO is still considered "Tracking", which I do not accept in my repo if it applies to an app dealing with sensitive information (not sure if F-Droid itself would permit it and just label it with the Tracking AntiFeature). Concerning the size: I make exceptions for that, and would make them for Bitwarden if the other issues can be considered "solved".

We don't use Google Analytics or Google Ads. Google Analytics was removed from the app earlier this year. Google Ads has never been used.

@rakshazi I had a go at running our own FDroid server via GitHub pages this evening. I was able to get something working as a test. See https://github.com/bitwarden/fdroid

https://bitwarden.github.io/fdroid/fdroid/repo?fingerprint=BC54EA6FD1CD5175BCCCC47C561C5726E1C3ED7E686B6DB4B18BAC843A3EFE6C

Seems to work in my test.

@izzySoft thank you for explanation
@kspearrin yep, it works like a charm, thank you!
Could you update readme and website with this repo information, please? You can use repo URL with fingerprint for button "Get it on F-Droid"

This repo is just for testing. I’ll work on getting something together for production now.

OK, waiting for it :)
Please, update that issue with new information when it will be available

@IzzySoft Would you mind running your scanning tool on the latest 2.0.x releases to see if they still pick up any traces of Google of HockeyApp libraries on the fdroid apks? I tried implementing some more cleanup operations when building for FDroid and I think I might have resolved the issue.

Looks good:

  • Xamarin (Development Framework)
  • Mono for Android (Development Framework)
  • SlidingMenu (UI Component)
  • Google Mobile Services (Development Framework)
  • Pdftron PDF Widget (Utility)
  • Android Design Support Library (Utility)
  • Android Support v13 (Development Framework)
  • Android Support v4 (Development Framework)
  • Android Support v7 (Development Framework)
  • Androidx Core (Utility)
  • Google Material Design (Utility)
  • Samsung Mobile SDK Pass (Fingerprint) (Utility)
  • Java.Interop (Utility)
  • FFImageLoading (Utility)
  • The Open Toolkit Library (Utility)

Re-established it in my repo, taking effect with the next sync tomorrow. As before, I'll just keep one version (as usually the per-app limit is 20M and Bitwarden already exceeds that with a single APK). Shall I link to your repo (e.g. for "older versions")?

If you have some more (non-framed) screenshots you wish to have added, please let me know (or if someone else wants to provide them). Considering the minimal screen estate on mobile devices, in my repo I don't want to waste it by "framings" but rather give users a chance to see details :wink:

Thanks a lot, @kspearrin!

@IzzySoft You can download framed and unframed screenshots from here: https://github.com/bitwarden/brand/tree/master/screenshots


Closing this issue now.

Users can get Bitwarden on F-Droid through our F-Droid repo here: https://mobileapp.bitwarden.com/fdroid/

Or use another repo, such as @IzzySoft's.

Thanks again! Will pick some from there and add them on my end. Besides: just added your repo to my Unofficial (and incomplete) list of F-Droid repositories :wink:

App with screenshots should show up here again tomorrow.

Successfully installed 2.0.3. I hope you will soon find replacement solution for background sync.

added to my own repo, too: https://fdroid.rakshazi.me (source: https://gitlab.com/rakshazi/fdroid ), daily updates

Thanks to all involved people to make this project more FOSS.
I see this ticket has been closed, but hope there is still effort being made to get it onto the real F-Droid repo. I don't consider it a good solution to just use another repo. If the original F-Droid repo rejects the project, it means that there are potential security/privacy issues and they should be taken care of.

If you read the issue discussion, you can find that the only problem with fdroid main repo is xamarin. Fdroid build server does not support it. BTW, check the related issue on fdroid gitlab.

SUMMARY UPDATE

(This is a handy TL;DR for those who do not want to read this entire thread.)

For those late to the party, the current bitwarden F-Droid status is being discussed on GitLab.

As of this posting, Xamarin dependency is holding up bitwarden from being included directly in the main F-Droid repository.

However, the F-Droid version of bitwarden is currently easily available by any one of several simple methods:

  1. Adding the official bitwarden repo to F-Droid. See here.
  2. Manually downloading and installing the latest F-Droid bitwarden release from GitHub. See here.
  3. Adding a user-supplied F-Droid repository, such as:

The differences between the F-Droid build and the Google Play store build are twofold:

  1. The Google Play store version includes HockeyApp for crash reporting; the F-Droid version does not.
  2. The Google Play store version includes Firebase Messaging libraries for live sync push notifications; the F-Droid version does not. In the F-Droid version, you manually sync when you want.

_Neither_ version now includes Google Analytics. Earlier versions of the Google Play store version did include it. Many thanks to Kyle for removing it.

For @kspearrin and @ALL:
Question: Have there been any issue reports (such as syncing issues) as a result of using the F-Droid version?

@setyb, it works: https://fdroid.rakshazi.me/
May be you confused with 404 on qr click? That's url for f-droid client only: https://fdroid.rakshazi.me/repo?fingerprint=80BF9EC0BCCED7DA2C9B272FA9B53A30E5B79282CFD629BDE14AB1FF1658C02E, seems client didn't handle that link

Regarding issues on F-Droid version: literally nothing. Usign it for several months, works perfectly

@rakshazi Thanks Nikita. I updated my post above to reflect your response. Please verify I got it correct.

Also, thank you for your report on the bitwarden F-Droid version. Hopefully @kspearrin and others will concur.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

simondemartini picture simondemartini  Â·  3Comments

carlylemiii picture carlylemiii  Â·  9Comments

RomRider picture RomRider  Â·  7Comments

paulheising picture paulheising  Â·  8Comments

jyavenard picture jyavenard  Â·  6Comments