"Verified Apps" app for Android pre-release

I am testing a way to check apps and make submissions easier. If anyone wants to take a peek and send feedback.

14 Likes

Over the course of a week I have now tripled the amount of app verification apps on my phone :joy: Great work @jonah and @RoundSalmon4

1 Like

Better use 'em to verify each other lol

1 Like

4 Likes

Nice. Congrats.

To comply with soupslurpr/AppVerifier’s ISC license, (think) will have attributed them / mention this in the distributed version of the software (the app).

1 Like

I am a stickler about licensing lol

I even attribute ourselves since the dataset has different contributors :stuck_out_tongue:

2 Likes

If an app is not in the database, you’ll have the option to open a pre-filled GitHub submission issue in your browser.

This is a bit off topic, but I’m curious if there’s any privsec difference between opening in the browser vs that in-app browser thing that some apps do. I had to uninstall Ente apps on my GrapheneOS Dumbphone setup because it essentially allowed youtube and other access within the Ente app after clicking on some documentation links in the app, while 99% of other apps fail gracefully saying that they found no app to open a link.

2 Likes

I would think the big difference is that if the app uses webview it would need network permissions.

2 Likes

This looks great so far. Very simple and clean. Can you post the hash here so we have a second verification source aside from the repository?

It seems like this is essentially AppVerifier but linked to a different (larger) database? If so, I don’t really see any drawbacks assuming that PG’s verification process for an app hash is as rigorous as AppVerifier’s was.

3 Likes

Just done my first submission, was very easy. Thanks for doing this Jonah :+1:

1 Like

AppVerifier allows you to paste in hashes that other people share with you, which this app doesn’t do. This app only checks the internal database.

org.privacyguides.verifiedapps
40:5C:6B:D2:CA:7C:3A:AE:8F:46:3C:6F:8B:55:BC:F0:DD:AC:43:1C:5E:D8:EA:FF:65:D1:06:C9:81:7A:20:7F
3 Likes

Are there plans to get the app into any app stores eventually? Accrescent?

2 Likes

Yeah, fdroid, accressent and play in that order. it’s in the readme.

2 Likes

Looks like one can access your database via AppVerifierBG as well:

The internal database is extended with entries from privacyguides/verified-apps, updated with each build. The database download is verified against GitHub attestations before every build.

— GitHub - RoundSalmon4/AppVerifierBG: Verify installed apps against shared signature hashes, the internal database, or a user-created database. · GitHub

But not submit entries to it, I assume.

1 Like

what happens if an app has different sources (and thus different signatures) ?

1 Like

Yes, it does also use this data.

To submit entries from that app you’d just have to copy them to the clipboard and then open our issue tracker and paste them manually.

I made this new app:

  1. To reduce the number of people you need to trust if you only care about checking our new database. If you use AppVerifierBG you are relying on both Privacy Guides and @RoundSalmon4. Plus, AppVerifierBG might add other data or data sources to their database in addition to ours at some point. Which can be cool, no problem with that, but I want an app that will always exactly mirror ours.

  2. To give people a button to open an auto-filled form to submit, yeah.

AppVerifierBG looks like it will be a better option for most people who want a full set of tools, the custom user database feature is neat. Our app is more cut down.

F-Droid info in README now.

We can verify all of them if people submit all of them.

5 Likes

since AppVerifier Source is static , I suggest choosing it once and it gets submitted with the issue instead of having to choose it every time

2 Likes

What do you mean?

Yes I’m going to fix this. When I added the autofill we didn’t have the option in the issue form template yet.

2 Likes

sometimes forks use same package name for the original app , how will you deal with that ?

for example (not fork though) : Gcam Services Provider uses same package name as Google Photos

edit : nevermind you know about it : [New]: Gcam Services Provider (photosonly) · Issue #520 · privacyguides/verified-apps · GitHub

1 Like

Thanks for the App, I tested it, it works well and adds a lot of value :slight_smile:

PS. I wish it was hosted somewhere else than Github/Microsoft… did you consider Codeberg? :hugs:

2 Likes