Re: Android apps on Debian

To: debian-user@lists.debian.org
Subject: Re: Android apps on Debian
From: Bijan Soleymani <bijan@psq.com>
Date: Sat, 29 Jan 2022 17:39:05 -0500
Message-id: <[🔎] 89947185-3c38-0e52-797f-a5eafb16a970@psq.com>
In-reply-to: <[🔎] f9ce1fda-7fe8-9352-f377-96f5be504537@psq.com>
References: <[🔎] 87ee4qxun8.fsf@sugarbit.com> <[🔎] 453be4264d4eb905f36b729f04898b2965e0453c.camel@gmail.com> <[🔎] 87a6fexsx1.fsf@sugarbit.com> <[🔎] MubQBUB--3-2@tutanota.com> <[🔎] 871r0qxoo5.fsf@sugarbit.com> <[🔎] f9ce1fda-7fe8-9352-f377-96f5be504537@psq.com>

On 2022-01-29 17:25, Bijan Soleymani wrote:

On 2022-01-29 15:38, John Hasler wrote:
Apkpure has the Starlink app but as I had never heard of them (No reason
to, not having an Android phone) I didn't download it immediately.  Are
they reliable?
I don't know if they modify the apks they host but as far as I know theoriginal apk (from the play store) will be signed by the apppublisher/writer. So if they haven't removed that you can just verifythe signature is from the publisher, etc.

Just as a follow up, I downloaded the Starlink xapk file from apkpure,unzipped it and ran:

apksigner verify --verbose --print-certs "com.starlink.mobile.apk"

This gives:
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Number of signers: 1

Signer #1 certificate DN: CN=Android, OU=Android, O=Google Inc.,L=Mountain View, ST=California, C=USSigner #1 certificate SHA-256 digest:cdfba780576f7a4800e2a609726f83f053b51bae6a239003abc16b7f75e9f588

Signer #1 certificate SHA-1 digest: c2b34a5ac1267e5d377eef89d0eb96fcddc1c9f1
Signer #1 certificate MD5 digest: eb2004799f4685bb04e49de3d8ed3f39
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 4096

Signer #1 public key SHA-256 digest:a5fd4be5d047beae966c4a68cfa06951a8700e610d84f28b68ab1620a7eca434

Signer #1 public key SHA-1 digest: 324a6a9aa7e418d33bd98a0f81a0ae946d0dde71
Signer #1 public key MD5 digest: a30fdb38ff1050c59800bf83a94a4eb5

With a few files in the META-INF directory not being signed or notverifying.

I think the reason it is signed by Google is that the app uses Play appsigning, where google signs the app on their servers on your behalf.That way if you lose your private key, you can change it on your end,without breaking app upgrades.


Also the main 64 bit binary apk:

config.arm64_v8a.apk checks out as does the English language config:config.en.apk

The only files that won't be signed will be those files from theMETA-INF directory as well as the manifest.json from the top level xapkfile.


Bijan

Reply to:

Follow-Ups:
- Re: Android apps on Debian
  - From: John Hasler <john@sugarbit.com>
- Re: Android apps on Debian
  - From: Ash Joubert <ash@transient.nz>

References:
- Android apps on Debian
  - From: John Hasler <john@sugarbit.com>
- Re: Android apps on Debian
  - From: didier gaumet <didier.gaumet@gmail.com>
- Re: Android apps on Debian
  - From: John Hasler <john@sugarbit.com>
- Re: Android apps on Debian
  - From: local10 <local10@tutanota.com>
- Re: Android apps on Debian
  - From: John Hasler <john@sugarbit.com>
- Re: Android apps on Debian
  - From: Bijan Soleymani <bijan@psq.com>

Prev by Date: Re: Android apps on Debian
Next by Date: Re: SD Memory Card (was The Raspberry Pi that Took a Day Off.)
Previous by thread: Re: Android apps on Debian
Next by thread: Re: Android apps on Debian
Index(es):
- Date
- Thread