In my experience, recompiling the source code of the same Android application won't produce the same binary every time. A reproducible build is very useful for developers, but I think the most important benefit of a reproducible build process is security. For open source Android apps, how can we verify that the produced binary (.apk) is really compiled from the reviewed source code? Is there any way to generate reproducible builds with the Android SDK or Java?
The F-Droid project has been working on reproducible builds for Android for a couple of years now. The Android-specific issues are tracked at https://f-droid.org/docs/Reproducible_Builds It is still a tricky process, especially if the app includes NDK code. If the app is only Java, then there are a few relatively easy steps that will get you there, like pre-crunching PNGs and committing them to git.
Google doesn't make it easy to reproduce APKs in the longer term, since they do a lot of random little changes, like:
- adding a non-reproducible version to AndroidManifest.xml
- different binary releases with the same version number
Definitely check out diffoscope for viewing the differences between two builds. You can see lots of example output at https://verification.f-droid.org
"Reproducible"/"deterministic" build refers to build processes where the compiler outputs a binary that is always identical, given identical input files/build system/chroot. (The article you linked to is actually talking about being able to build/run the same version of an app that a bug is filed against, which is something different. See this description of how Tor makes deterministic builds.)
Java packages seem to be very difficult to work with, since timestamps are present in many, many places. One thing you could try, in lieu of exact binary compatibility, is to decompile the two .apk files and see if that decompiled output is identical.
diffoscope for an easy way to do that: diffoscope.org –
Boneyard I just found that Telegram claims experimental reproducible builds for their Android app: https://core.telegram.org/reproducible-builds so it might be worth studying how they are achieving it.
The procedure uses Docker to build, and at the end compares the APKs with:
python apkdiff.py telegram_store.apk telegram_built.apk
which suggests they are not byte-by-byte the same.
apkdiff.py is present in-tree at: https://github.com/DrKLO/Telegram/blob/e1c101c334c80387cf10ca9857052e70e19c60af/apkdiff.py
apkdiff.py compares the ZIPped files independently of the order of the ZIP entries in the ZIP. But it completely ignores the embedded binary parts which are ignored by ZIP, which are present to carry things like the APK signing block (which precedes the ZIP central directory) –
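The two comparison ideas raised in the answers above (compare the contents of the ZIP entries regardless of their order and timestamps, and then account for the bytes that sit outside any ZIP entry, such as the APK Signing Block that precedes the central directory) as an added Python example. This is not Telegram's apkdiff.py and not F-Droid's tooling; the two sample "APKs" are constructed in memory, the signing block is a fake with the real framing (size, ID-value pair, size, magic) but no real signature, and all function names are my own.

```python
# Added example: order-independent entry comparison of two APK/ZIP files, plus
# a measurement of the bytes an entry-only comparison cannot see (the region
# between the last local entry and the central directory, where a v2 APK
# Signing Block lives). Not Telegram's apkdiff.py; sample data is constructed.
import hashlib
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # last 16 bytes of an APK Signing Block


def build_zip(entries, date_time):
    """Write (name, bytes) pairs into an in-memory ZIP with one fixed timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def central_directory_offset(data):
    """Return (EOCD position, central directory offset) from the EOCD record.
    Assumes no ZIP64 and no archive comment containing the EOCD signature."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP file: no EOCD record")
    return eocd, struct.unpack_from("<I", data, eocd + 16)[0]


def insert_block_before_central_directory(data, block):
    """Splice `block` between the last local entry and the central directory and
    patch the EOCD offset; this is the layout used by the v2 APK Signing Block.
    Local header offsets stay valid, so zipfile still reads every entry."""
    eocd, cd = central_directory_offset(data)
    out = bytearray(data[:cd] + block + data[cd:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd + len(block))
    return bytes(out)


def fake_apk_signing_block(payload):
    """Constructed stand-in with the real framing (uint64 size, ID-value pairs,
    uint64 size, 16-byte magic). The payload is NOT a valid signature."""
    pair = struct.pack("<Q", 4 + len(payload)) + struct.pack("<I", 0x7109871A) + payload
    size = len(pair) + 8 + len(APK_SIG_BLOCK_MAGIC)  # excludes the leading size field
    return struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC


def entry_digests(data):
    """Map entry name -> SHA-256 of uncompressed content. Entry order, timestamps
    and compression details do not affect the result (the apkdiff.py-style view)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest() for i in zf.infolist()}


def non_entry_bytes(data):
    """Bytes between the end of the last local entry and the central directory:
    0 for a plain ZIP, the signing block size for a v2-signed APK."""
    _, cd = central_directory_offset(data)
    end = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for i in zf.infolist():
            # local header: 30 fixed bytes, then filename and extra field
            fn_len, extra_len = struct.unpack_from("<HH", data, i.header_offset + 26)
            entry_end = i.header_offset + 30 + fn_len + extra_len + i.compress_size
            if i.flag_bits & 0x08:  # streamed entry: trailing data descriptor (with signature)
                entry_end += 16
            end = max(end, entry_end)
    return cd - end


def has_apk_signing_block(data):
    _, cd = central_directory_offset(data)
    return data[cd - 16:cd] == APK_SIG_BLOCK_MAGIC


def compare_apks(a, b):
    da, db = entry_digests(a), entry_digests(b)
    return {
        "bytes_identical": a == b,
        "only_in_a": sorted(set(da) - set(db)),
        "only_in_b": sorted(set(db) - set(da)),
        "modified": sorted(n for n in set(da) & set(db) if da[n] != db[n]),
        "non_entry_bytes": (non_entry_bytes(a), non_entry_bytes(b)),
        "signing_block": (has_apk_signing_block(a), has_apk_signing_block(b)),
    }


# Constructed sample: the same three "files" packed twice, in a different order,
# with different timestamps, and once with the fake signing block spliced in.
SAMPLE_ENTRIES = [
    ("AndroidManifest.xml", b"<manifest/>"),
    ("classes.dex", b"dex\n035\0" + bytes(range(64))),
    ("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 32),
]
BUILT_APK = build_zip(SAMPLE_ENTRIES, (2020, 1, 1, 0, 0, 0))
STORE_APK = insert_block_before_central_directory(
    build_zip(list(reversed(SAMPLE_ENTRIES)), (2021, 6, 15, 12, 30, 0)),
    fake_apk_signing_block(b"not-a-real-signature"),
)

if __name__ == "__main__":
    for key, value in compare_apks(STORE_APK, BUILT_APK).items():
        print(f"{key}: {value}")
```

On real files, read both APKs as bytes and call `compare_apks(store, built)`. The point of reporting `non_entry_bytes` and `signing_block` next to the entry diff is that a "reproducible" verdict based only on entry contents says nothing about what was spliced into the archive outside the entries; a build check should require an empty `modified` list and an explicit explanation for every non-entry byte, rather than silently passing over them the way an entry-only comparison does.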