Programmatically find out whether an app was installed from F-Droid

Hocuri · May 19, 2019, 10:22am

My own app, Superfreezz, has a mode in which it decides for itself whether an app gets frozen. Now, I thought that it might make sense not to freeze apps installed from F-Droid as they usually don’t run in the background too much. Is there any possibility to find out what apps are?

NicoAlt · May 19, 2019, 12:03pm

I know that F-Droid shows this kind of information but I don’t know how it’s implemented. You’d have to look at the source code to find out.

However, I found this reply on Stack Overflow which could be of interest for you:

Hocuri · May 19, 2019, 6:02pm

Concerning the Stackoverflow question:

Side-loaded apps will not contain a value.

F-Droid usually uses the “package installer” app to install an app, so I’m afraid that it counts as side-loaded here. Therefore, I do not know if an app was installed from F-Droid or another source.

I also thought about somehow looking at the signature but apps with reproducible builds are often signed with the key of the developer.

oF2pks · June 13, 2019, 9:18pm

Just added this (getInstallerPackageName) to my apps_Packages Info V12; the only working method for F-Droid detection is Stanley Stanley | F-Droid - Free and Open Source Android App Repository based on signature/cert exploration (will add it in V13…)

github.com

xgouchet/Stanley/blob/3b23762cc87275bc04ccb8fe8f84c33c015c1763/app/src/main/java/fr/xgouchet/packageexplorer/details/DetailsSource.kt#L260


      
          
          protected fun extractSignatures(emitter: ObservableEmitter<AppInfoViewModel>,
                                          packageInfo: PackageInfo) {
              val signatures: Array<Signature> = packageInfo.signatures ?: return
              if (signatures.isEmpty()) return
          
          
              emitter.apply {
                  onNext(AppInfoHeader(AppInfoType.INFO_TYPE_SIGNATURE, context.getString(R.string.header_type_signature), R.drawable.ic_category_signature))
          
                  for (signature in signatures) {
                      try {
                          val cert = X509Certificate.getInstance(signature.toByteArray())
                          val name = cert.subjectDN.name
                          val fingerprint = MessageDigest.getInstance("SHA-1").digest(cert.encoded).toHexString()
                          val humanName = cert.humanReadableName()
                          val subtitle = "$name\n\nSHA-1:$fingerprint"
                          onNext(AppInfoWithSubtitleAndAction(AppInfoType.INFO_TYPE_SIGNATURE, humanName, subtitle, subtitle, context.getString(R.string.action_more), cert))
                      } catch (e: CertificateException) {
                          onNext(AppInfoWithSubtitle(AppInfoType.INFO_TYPE_SIGNATURE, "(Unreadable signature)", signature.toCharsString(), null))
                      }

Hocuri · June 14, 2019, 6:57am

(Sorry, I hit “reply” too early, I deleted the other post)

Thanks for your reply!

I do not want that the users have to install an extra app (Stanley), but I guess that it is possible to copy-paste the important code to my app?
Do you have any solution for the case that the app was not signed with F-Droid’s key? (with reproducible builds, the developer can sign it with their own key)

Licaon_Kter · June 14, 2019, 8:00am

PackageManager has a way to find out what app (app id) installed an app
https://github.com/kriztan/Pix-Art-Messenger/blob/ab9e3a0085534325fc903691eba99e17c4b911b0/src/main/java/de/pixart/messenger/ui/UpdaterActivity.java#L133

oF2pks · June 16, 2019, 10:23pm

Seems you are both on Kotlin

you have signatures/sha in https://f-droid.org/repo/index-v1.jar /index-v1.json/packages/[?apkName]/[?n°Release]/signer/

Hocuri · June 27, 2019, 1:12pm

Thank you all so much for your replies!, and sorry for my late answer, I was very busy recently.

@Licaon_Kter Do you mean getInstallerPackageName? In that case, unfortunately, all F-Droid apps will count as “side-loaded”. That’s also the problem with @NicoAlt’s idea (I found the time to test it now) .

@oF2pks’s post brought me to an idea: Is there any simple text file of all F-Droid app package names online? Otherwise, I could also extract such a list from the json file you linked to.

Licaon_Kter · June 27, 2019, 1:48pm

Sideloaded is not important, what app installed them? You should be able to find out that using it.

Hocuri · June 28, 2019, 1:33pm

@Liacon_Kter, unfortunately, I did not understand what you mean. What I wanted to say is: If I install an app using F-Droid (without privileged extension) then it will count as side-loaded for the Android system.

Licaon_Kter · June 28, 2019, 1:43pm

The PackageManager code can identify WHICH application installed the APK.

Hocuri · June 29, 2019, 8:38am

I know, but if you install an F-Droid-app then F-Droid can’t install it by itself because it is not a system app and prompts you to “side-load” it (technically). At least on my device (Android 6). And then PackageManager does not remember that the app actually came from F-Droid.

Anyway, again: Do you mean getInstallerPackageName?

Licaon_Kter · June 29, 2019, 10:07am

That’s the thing, since Oreo apps can ask for the right to install APKs so on older versions you’ll only see sideloaded,

Hocuri · July 1, 2019, 2:06pm

Ah ok. But if this will work only from Oreo on, I can’t use it :-(.

So, I implemented another way that extracts the list of F-Droid apps from https://f-droid.org/repo/index-v1.jar (thanks @oF2pks). Of course the downside is that if an app is in F-Droid AND in Play Store but installed from Play Store then it will not be frozen.

Thank you all for your help!

k3b · July 17, 2019, 8:17am

Most apps from f-droid are signed with the same f-droid signing key. Maybe you can check this to distinguish. So your original question changes to “… an app was signed with F-Droid certificate”

It is only a 99,9% heuristics because

reproducable apps on f-droid are signed by the original author but currently there only a few of them.
f-droid compiled apps might have been downloaded from other sites.

system · September 15, 2019, 8:22am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.