Checking if Aarogya Setu's Source Code Produces the App from Play Store

🗄️ Code
Aarogya Setu’s Android source code is supposedly on GitHub. How do we know that the published source actually produces the app users install? One way to find out is to build it ourselves and diff the result against the distributed APK.

Setup

  • Get a copy of the APK (either from a device with it installed, or from a web service like apkpure). If it comes from a mirror rather than a device, first check that it carries the same signing certificate as the Play Store release (apksigner verify --print-certs <apk>), otherwise you may end up diffing against a repackaged build.
  • Clone the source code: git clone https://github.com/nic-delhi/AarogyaSetu_Android. If you already have it, update to the latest with git pull.
  • Update keystore.properties as per the README.
  • Use a mock google-services.json, but set client_info.client_id and client_info.android_client_info.package_name to the package name the app expects, nic.goi.aarogyasetu. Because the file is a mock, the Firebase identifiers generated from it will not match the official build, so expect a difference in the generated resources.
  • Create a keystore (probably using Android Studio: Build -> Generate Signed APK). This is not the official signing key, so the signature files under META-INF will always differ and the diff must ignore them.

Build

  • Execute the Gradle task assembleRelease, either from Android Studio or from the repository root with the Gradle wrapper (./gradlew assembleRelease). The unsigned-by-us-then-signed output lands in app/build/outputs/apk/release/app-release.apk.

Diff

  • Get a diff utility, like apkdiff.
  • Make sure you have meld on your path (apt install meld).
  • Also configure meld to ignore line endings, so that CRLF/LF differences do not drown out real changes.
  • python apkdiff.py -o ~/reproducibility -m ~/Downloads/Aarogya\ Setu_v1.2.2_apkpure.com.apk ~/AarogyaSetu_Android/app/build/outputs/apk/release/app-release.apk
  • When reading the result, discount the signature files and the resources generated from the mock google-services.json; those are expected. Anything else that differs, above all classes.dex, is what needs explaining before the source can be called the real app.
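To make the diff step concrete, here is a small entry-by-entry APK comparison written for this page. It is an added example, not the apkdiff tool the page uses and not code from the Aarogya Setu project. An APK is a zip, so the script hashes every entry in both files, classifies each as identical, changed or present on only one side, and by default skips the v1 signature files under META-INF, which always differ when you sign with your own keystore. The two "APKs" it compares are constructed in a temporary directory with made-up contents (the Firebase id strings, the extra asset and the dex bytes are all hypothetical) so the script runs offline; point apk_diff at the real store APK and your app-release.apk to use it for the actual check.

```python
import hashlib
import os
import tempfile
import zipfile


def is_signature_entry(name):
    """v1 (JAR) signature files: these always differ between a store build and
    a build signed with a locally generated keystore. v2/v3 signatures live in
    the APK Signing Block outside the zip entries, so they never appear here."""
    return name.startswith("META-INF/") and name.endswith(
        (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")
    )


def entry_hashes(apk_path):
    """Map every file entry in an APK (a zip) to the SHA-256 of its contents."""
    hashes = {}
    with zipfile.ZipFile(apk_path) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            hashes[info.filename] = hashlib.sha256(z.read(info)).hexdigest()
    return hashes


def apk_diff(store_apk, built_apk, ignore_signature=True):
    """Compare two APKs entry by entry and bucket every entry."""
    store = entry_hashes(store_apk)
    built = entry_hashes(built_apk)
    if ignore_signature:
        store = {n: h for n, h in store.items() if not is_signature_entry(n)}
        built = {n: h for n, h in built.items() if not is_signature_entry(n)}
    common = store.keys() & built.keys()
    result = {
        "only_in_store": sorted(store.keys() - built.keys()),
        "only_in_build": sorted(built.keys() - store.keys()),
        "changed": sorted(n for n in common if store[n] != built[n]),
        "identical": sorted(n for n in common if store[n] == built[n]),
    }
    # Reproducible (modulo the ignored signature) only if nothing is left over.
    result["reproducible"] = not (
        result["only_in_store"] or result["only_in_build"] or result["changed"]
    )
    return result


def write_sample_apk(path, entries):
    """Write a minimal zip standing in for an APK (constructed test data)."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)


def demo(ignore_signature=True):
    """Build two constructed APKs and diff them; returns the classification.
    All contents below are hypothetical, not taken from the real app."""
    tmp = tempfile.mkdtemp()
    store_path = os.path.join(tmp, "store.apk")
    built_path = os.path.join(tmp, "app-release.apk")
    shared = {
        "AndroidManifest.xml": b"<manifest package='nic.goi.aarogyasetu'/>",
        "classes.dex": b"constructed dex bytes, identical in both builds",
    }
    write_sample_apk(store_path, {
        **shared,
        # Resources compiled from the real google-services.json.
        "resources.arsc": b"arsc: google_app_id=1:111:android:aaa",
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nSHA-256-Digest: store\n",
        "META-INF/CERT.SF": b"store signature file",
        "META-INF/CERT.RSA": b"store signing certificate",
    })
    write_sample_apk(built_path, {
        **shared,
        # Resources compiled from the mock google-services.json: ids differ.
        "resources.arsc": b"arsc: google_app_id=1:000:android:mock",
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nSHA-256-Digest: local\n",
        "META-INF/CERT.SF": b"local signature file",
        "META-INF/CERT.RSA": b"local keystore certificate",
        "assets/build-note.txt": b"only present in the local build",
    })
    return apk_diff(store_path, built_path, ignore_signature)


if __name__ == "__main__":
    report = demo()
    for bucket in ("only_in_store", "only_in_build", "changed", "identical"):
        print(f"{bucket}: {report[bucket]}")
    print("reproducible:", report["reproducible"])
```

With the default settings the constructed pair reports resources.arsc as changed (the mock Firebase ids) and one asset only in the local build, while classes.dex and the manifest match; passing ignore_signature=False shows the META-INF files as changed as well, which is the noise the default skips. A hash mismatch on classes.dex is where you would then open the two files in meld to see what actually differs.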