Good news for Element. The lesson here for anyone involved in Android development is to make Google Play one of multiple distribution channels. My priorities for distribution have been:
1) Google Play
2) My own website
that's going to change to:
1) My own website
2) Google Play
@oppen Glad it's solved! And I agree with your priority list.
F-Droid is actually a pretty decent repo, especially if you access it through some other application like Aurora Droid
@Sandra they've got that side of things sorted for sure. I trust a website more than I trust app developers though (I audited an app last week that used some low quality library from GitHub via Jitpack.io - it was a CREDIT CARD view...). The risk/trust is all relative. I'll look into generating a hash for website builds at least (an .apk hash checker would be a nice project actually...)
@oppen I feel like how in the heck can I verify what gets put into a rando website APK including github rel pages? Is there something I’m missing?
@Sandra all .apks are self-signed by the developer, so you can at least compare the key from the download with the key from a store version (or they might publish the public key hash). There's scope here for defining a semi-standard method for out-of-store installs (something that a service could be built around)
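To make the comparison oppen describes concrete, here is an added Python example (not code from the thread or from any project mentioned in it) that pulls the signer certificate out of an APK's v1 (JAR) signature block and checks its SHA-256 fingerprint against a published one. It walks the DER of META-INF/*.RSA by hand so it needs no extra libraries; the helper names (`_der_tlv`, `_der_children`, `first_cert_from_pkcs7`, `build_sample_apk`) are this example's own, and the sample APK it builds is a constructed stand-in, not a real signed package.

```python
"""Compare an APK's v1 (JAR) signing certificate fingerprint with a published one.

Added example, not code from the thread. The fingerprint computed here is the
same value `apksigner verify --print-certs` reports as the signer certificate
SHA-256 digest, so a developer can publish that next to the download.
"""
import hashlib
import hmac
import io
import zipfile


def _der_tlv(buf, pos):
    """Decode the DER tag/length at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: 0x8n, then n length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _der_children(buf, start, end):
    """Yield (tag, header_start, value_start, value_end) for each TLV in [start, end)."""
    pos = start
    while pos < end:
        tag, vstart, vend = _der_tlv(buf, pos)
        yield tag, pos, vstart, vend
        pos = vend


def first_cert_from_pkcs7(blob):
    """Return the DER bytes of the first certificate in a PKCS#7 SignedData blob.

    Layout: ContentInfo SEQUENCE { OID signedData, [0] EXPLICIT SignedData SEQUENCE {
    version, digestAlgorithms, contentInfo, [0] IMPLICIT certificates, ..., signerInfos } }
    """
    tag, vstart, vend = _der_tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    content = list(_der_children(blob, vstart, vend))[1]    # the [0] EXPLICIT wrapper
    _, sd_vstart, sd_vend = _der_tlv(blob, content[2])      # SignedData SEQUENCE
    for tag, _, cvstart, cvend in _der_children(blob, sd_vstart, sd_vend):
        if tag == 0xA0:                                      # certificates [0] IMPLICIT
            _, hstart, _, cend = next(_der_children(blob, cvstart, cvend))
            return blob[hstart:cend]                         # whole Certificate TLV
    raise ValueError("signature block carries no certificate")


def signing_cert_fingerprint(apk):
    """SHA-256 (hex) of the first v1 signer certificate; apk is a path or file object."""
    with zipfile.ZipFile(apk) as z:
        blocks = [n for n in z.namelist()
                  if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        if not blocks:
            raise ValueError("no v1 signature block (v2/v3-only APKs need apksigner)")
        cert = first_cert_from_pkcs7(z.read(blocks[0]))
    return hashlib.sha256(cert).hexdigest()


def fingerprint_matches(apk, published):
    """True if the APK's signer fingerprint equals the published one ('AA:BB:..' or plain hex)."""
    expected = published.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(signing_cert_fingerprint(apk), expected)


def _der(tag, payload):
    """Encode one DER TLV (used only to build the constructed sample below)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def build_sample_apk():
    """Constructed sample: an in-memory zip with a PKCS#7-shaped CERT.RSA.

    The 'certificate' is a stand-in SEQUENCE, not a real X.509 certificate, so this
    exercises only the parsing path. Returns (file object, expected hex digest).
    """
    fake_cert = _der(0x30, b"constructed stand-in certificate body")
    signed_data = _der(0x30,
        _der(0x02, b"\x01")                                            # version
        + _der(0x31, b"")                                              # digestAlgorithms (empty here)
        + _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D010701")))  # contentInfo: id-data OID
        + _der(0xA0, fake_cert)                                        # certificates [0] IMPLICIT
        + _der(0x31, b""))                                             # signerInfos (empty here)
    pkcs7 = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D010702")) + _der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf, hashlib.sha256(fake_cert).hexdigest()


if __name__ == "__main__":
    sample, expected = build_sample_apk()
    print(signing_cert_fingerprint(sample), fingerprint_matches(sample, expected))
```

The check only covers the v1 signature block; an APK signed with v2/v3 only carries its certificate in the APK Signing Block instead, where `apksigner verify --print-certs` remains the authoritative tool. A matching fingerprint tells you the download was signed with the same key as the store build, which is the comparison oppen is describing; it says nothing about whether that key's owner shipped clean code.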
From a store version! So I am dependent on checking a store. I have zero reason to instead pick some rando APK; being able to check a hopefully cryptographically secure hash makes it less awful but not better.
That’s why I really liked Debian; centrally compiled but in a transparent and examined way.
@Sandra yes, there's no great solution, it's not a model Google have any reason to improve (in fact they're making moves to deprecate self-signing entirely and have already put some scary sounding modals in front of the user when side-loading). You can always build from source of course. APKMirror verify the keys for all uploads so you can get apks there (but they earn money from ads and again the site _feels_ a little dodgy).
@Sandra this is what /e/ OS did actually. They forked another store (that had a ready-made stock of scraped .apks from Google Play) but took the extra step of verifying the signatures with the Play Store version. I found that part of /e/ slightly shady, but the logic is sound.
@Sandra @oppen I just wrote an article on how to figure out what's put inside an APK: https://android.izzysoft.de/articles/named/app-modules-2?lang=en
@oppen how do you distribute from your site, technically? (Asking as I'm going to have my own app ready in a few months.)
@isagalaev just link to the .apk and make sure the server serves it as application/vnd.android.package-archive
@oppen are users (still) required to do something to their phones to enable installing that? Sorry, I haven't looked into this side of Android for ages :-)
@isagalaev I think that's improved actually. Rather than check 'allow installs from unknown sources' (or whatever it was) hidden away in the OS settings, there's a simple modal when an app downloads an .apk for the first time where the user needs to give permission (it'll still scare some users but at least it's an easy flow).
@oppen yeah, I saw that they got blocked on Google Play and was like what? I've gotten their client through F-Droid for ages.
I'm trying to do less and less with Google Play, but there are a few things I can only get through there unfortunately.
@easrng yeah, I might try that again at some point. It was just too much work at the moment with everything else I've got going on