ASD

Checking if Aarogya Setu's Source Code Produces the App from Play Store

posted on Mon, Jun 01 '20 under tag: code

Aarogya Setu’s Android source code is supposedly on github. How do we know if it is the real app?

Setup

• Get a copy of the APK (either from a device with it installed or from a web service like apkpure)
• Clone the source code. git clone https://github.com/nic-delhi/AarogyaSetu_Android. If you have already, update to the latest with git pull
• Update keystore.properties as per README.
• Use a mock google-services.json. But replace the client_info.client_id and client_info.android_client_info.pakcage_name to the one expected nic.goi.aarogyasetu
• Create a keystore (probably using Android Studio (Build -> Generate Signed APK))

Build

• Execute the gradle task assembleRelease. Probably using Android Studio

Diff

• Get a diff utility, like apkdiff
• Make sure you have meld on your path. (apt install meld)
• Also, configure meld to ignore line endings
• python apkdiff.py -o ~/reproducibility -m ~/Downloads/Aarogya\ Setu_v1.2.2_apkpure.com.apk ~/AarogyaSetu_Android/app/build/outputs/apk/release/app-release.apk