Checking if Aarogya Setu's Source Code Produces the App from Play Store

Aarogya Setu’s Android source code is supposedly on github. How do we know if it is the real app?

Setup

  • Get a copy of the APK (either from a device with it installed or from a web service like apkpure)
  • Clone the source code. git clone https://github.com/nic-delhi/AarogyaSetu_Android. If you have already, update to the latest with git pull
  • Update keystore.properties as per README.
  • Use a mock google-services.json. But replace the client_info.client_id and client_info.android_client_info.pakcage_name to the one expected nic.goi.aarogyasetu
  • Create a keystore (probably using Android Studio (Build -> Generate Signed APK))

Build

  • Execute the gradle task assembleRelease. Probably using Android Studio

Diff

  • Get a diff utility, like apkdiff
  • Make sure you have meld on your path. (apt install meld)
  • Also, configure meld to ignore line endings
  • python apkdiff.py -o ~/reproducibility -m ~/Downloads/Aarogya\ Setu_v1.2.2_apkpure.com.apk ~/AarogyaSetu_Android/app/build/outputs/apk/release/app-release.apk