In my experience, recompiling the source code for the same Android application won't produce the same binary every time. A reproducible build is very useful for developers, but I think the most important benefit from a reproducible build process is security. In open source Android apps, how can we verify that the produced binary (.apk) is really compiled from the reviewed source code? Is there any way to generate reproducible builds from the Android SDK or Java?
"Reproducible"/"deterministic" build refers to build processes where the compiler outputs a binary that is always identical, given identical input files/build system/chroot. (The article you linked to is actually talking about being able to build/run the same version of an app that a bug is filed against, which is something different. See this description of how Tor makes deterministic builds.)
Java packages seem to be very difficult to work with, since timestamps are present in many, many places. One thing you could try, in lieu of exact binary compatibility, is to decompile the two .apk's, and see if that decompiled output is identical.
The F-Droid project has been working on reproducible builds for Android for a couple of years now. The Android-specific issues are tracked at https://f-droid.org/docs/Reproducible_Builds. It is still a tricky process, especially if the app includes NDK code. If the app is only Java, then there are a few relatively easy steps that will get you there, like pre-crunching PNGs and committing them to git.
Google doesn't make it easy to reproduce APKs in the longer term, since they do a lot of random little changes, like:
Definitely check out diffoscope for viewing the differences between two builds. You can see lots of example output at https://verification.f-droid.org
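Both answers come down to the same verification step: take the APK you built from the reviewed source and the APK that was published, and compare them entry by entry rather than as whole files, because the signing metadata and zip timestamps will almost always differ even when the compiled code is identical. The script below is an added example of that comparison; it is not code from either answer, not diffoscope, and not part of F-Droid's tooling. It treats an APK as the zip archive it is, hashes the uncompressed bytes of every entry, skips the JAR signature files under META-INF/, and separates "content differs" from "only the zip timestamp differs". The two input APKs are constructed in memory so the script runs offline; in practice you would pass the two real .apk paths to `compare_apks`.

```python
import hashlib
import io
import zipfile
from typing import Dict, List, Tuple

# JAR-signing metadata written by the signer. It changes whenever a different
# key or signing time is used, so it is excluded from the content comparison.
# (The APK Signature Scheme v2/v3 block sits outside the zip entries and is
# never seen through zipfile at all.)
SIGNATURE_ENTRIES = ("META-INF/MANIFEST.MF",)
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name: str) -> bool:
    return name in SIGNATURE_ENTRIES or (
        name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)
    )


def entry_digests(zf: zipfile.ZipFile) -> Dict[str, Tuple[str, tuple]]:
    """Map entry name -> (sha256 of the uncompressed bytes, zip header timestamp)."""
    out = {}
    for info in zf.infolist():
        if is_signature_entry(info.filename):
            continue
        out[info.filename] = (hashlib.sha256(zf.read(info)).hexdigest(), info.date_time)
    return out


def compare_apks(apk_a, apk_b) -> Dict[str, List[str]]:
    """Compare two APKs entry by entry, ignoring JAR signature files.

    Reports entries present on only one side, entries whose contents differ,
    and entries whose contents match but whose zip timestamp differs. The
    last group is what breaks byte-for-byte reproducibility while leaving
    the decompiled output identical.
    """
    with zipfile.ZipFile(apk_a) as za, zipfile.ZipFile(apk_b) as zb:
        a, b = entry_digests(za), entry_digests(zb)
    result = {
        "only_in_a": sorted(a.keys() - b.keys()),
        "only_in_b": sorted(b.keys() - a.keys()),
        "content_differs": [],
        "timestamp_only": [],
    }
    for name in sorted(a.keys() & b.keys()):
        (hash_a, time_a), (hash_b, time_b) = a[name], b[name]
        if hash_a != hash_b:
            result["content_differs"].append(name)
        elif time_a != time_b:
            result["timestamp_only"].append(name)
    return result


def reproducible(result: Dict[str, List[str]]) -> bool:
    """True when every non-signature entry matches in content (timestamps aside)."""
    return not (result["only_in_a"] or result["only_in_b"] or result["content_differs"])


def make_sample_apk(files: Dict[str, bytes], date_time: tuple, signer: bytes) -> io.BytesIO:
    """Constructed stand-in for an APK: a zip with the given entries, timestamp and signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time), data)
        zf.writestr(zipfile.ZipInfo("META-INF/MANIFEST.MF", date_time), b"Manifest-Version: 1.0\n")
        zf.writestr(zipfile.ZipInfo("META-INF/CERT.RSA", date_time), signer)
    buf.seek(0)
    return buf


# Constructed sample data: same classes.dex and resources.arsc, but a different
# signing key, a different build time, and one layout that genuinely changed.
SAMPLE_FILES = {
    "classes.dex": b"dex\n035\x00constructed-dex-payload",
    "res/layout/main.xml": b"<layout/>",
    "resources.arsc": b"ARSC",
}
BUILD_A = make_sample_apk(SAMPLE_FILES, (2023, 1, 1, 12, 0, 0), b"signer-A")
BUILD_B = make_sample_apk(
    {**SAMPLE_FILES, "res/layout/main.xml": b"<layout android:id='x'/>"},
    (2023, 6, 1, 9, 30, 0),
    b"signer-B",
)

if __name__ == "__main__":
    report = compare_apks(BUILD_A, BUILD_B)
    for key, entries in report.items():
        print(f"{key}: {entries}")
    print("reproducible:", reproducible(report))
```

The split between `content_differs` and `timestamp_only` is the useful part: a build that lands only in the second bucket has identical compiled code and resources and differs solely in zip metadata, which is the timestamp problem the first answer describes and which diffoscope will also surface. Anything in `content_differs` needs a real explanation before you trust the published APK.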