library for helping user install F-Droid after directly downloading an app (#714) · Issues · F-Droid / Client

library for helping user install F-Droid after directly downloading an app

There are many ways around the world to share apps, often times people are getting APKs from wherever, and many app stores are just scrapping any APK sources they find. F-Droid provides the best delivery infrastructure for updates, so apps should tell the user to install it. Then they'll get regular updates from a trusted source.

I can see that app devs like to have the simpler model of just updating their own app, but there are so many advantages to the one time F-Droid install that I really want to drive people to installing F-Droid over having apps install their own updates. For example:

F-Droid has built-in circumvention techniques (Tor, Nearby Swap, etc.)
F-Droid will have a streamlined update procedure for lots of updates
F-Droid can run without Unknown Sources when its a system app

This library should also be allowed in Google Play so that app developers do not need to make separate versions of the APK for Play. Lots of app stores scrape Play for APKs, so we want the library included there too. Here's the general flow of the library, when the app starts (i.e. Application.onCreate()):

detect if Google Play com.android.vending is installed and signed by the correct certificate, and if so, do nothing
detect if F-Droid org.fdroid.fdroid is installed and signed by the correct certificate, and if so, do nothing
launch dead simple, verified F-Droid download and install process

The library API does not need to be complicated, I think this would probably cover it:

checkIfFdroidIsNeeded()
downloadFDroid()
installFDroid()

As for verification, the library should embed the F-Droid APK signing key and perhaps the GPG key and use that to verify what it downloads. The library would always verify using the APK signing certificate, and if spongycastle was included, then it would also verify the GPG signature. It would download F-Droid from:

One other thing that this library could do is serve as an update nag for people who have F-Droid installed. We could make F-Droid respond to a query Intent for the latest version available, then this lib would allow apps to nag the user whenever they used the app to install the update.

This plan so far was devised in discussions with @n8fr8 and @commonsguy

There are many ways around the world to share apps, often times people are getting APKs from wherever, and many app stores are just scrapping any APK sources they find.  F-Droid provides the best delivery infrastructure for updates, so apps should tell the user to install it.  Then they'll get regular updates from a trusted source.

* F-Droid has built-in circumvention techniques (Tor, Nearby Swap, etc.)
* F-Droid will have a streamlined update procedure for lots of updates
* F-Droid can run without Unknown Sources when its a system app

This library should also be allowed in Google Play so that app developers do not need to make separate versions of the APK for Play.  Lots of app stores scrape Play for APKs, so we want the library included there too.  Here's the general flow of the library, when the app starts (i.e. `Application.onCreate()`):

1. detect if Google Play `com.android.vending` is installed and signed by the correct certificate, and if so, do nothing
2. detect if F-Droid `org.fdroid.fdroid` is installed and signed by the correct certificate, and if so, do nothing
3. launch dead simple, verified F-Droid download and install process

The library API does not need to be complicated, I think this would probably cover it:
* `checkIfFdroidIsNeeded()`
* `downloadFDroid()`
* `installFDroid()`

As for verification, the library should embed the F-Droid APK signing key and perhaps the GPG key
and use that to verify what it downloads.  The library would always verify using the APK signing certificate, and if spongycastle was included, then it would also verify the GPG signature.  It would download F-Droid from:

* https://f-droid.org/FDroid.apk
* https://f-droid.org/FDroid.apk.asc

One other thing that this library could do is serve as an update nag for people who have F-Droid installed.  We could make F-Droid respond to a query Intent for the latest version available, then this lib would allow apps to nag the user whenever they used the app to install the update.

This plan so far was devised in discussions with @n8fr8 and @commonsguy

Discussion
Designs

library for helping user install F-Droid after directly downloading an app

Linked issues