Skip to content

Permissions in APK and index.xml do not match!

We are currently experiencing an issue with out whitelabeled F-Droid store not being able to install an application (we also have Privileged Extension installed). All other apps are being installed correctly except this one.

I did some investigation and these are my findings:

2021-12-10 11:58:27.088 26142-26215/com.i3_technologies.i3store D/ApkVerifier: Checking permissions
2021-12-10 11:58:27.088 26142-26215/com.i3_technologies.i3store D/ApkVerifier: Actual:
      android.permission.INTERNET
      android.permission.READ_PRIVILEGED_PHONE_STATE
      android.permission.ACCESS_CACHE_FILESYSTEM
      android.permission.RECEIVE_BOOT_COMPLETED
      android.intent.action.MY_PACKAGE_REPLACED
      android.permission.REBOOT
      android.permission.RECOVERY
      android.permission.ACCESS_NETWORK_STATE
      android.permission.WAKE_LOCK
      com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE
      android.permission.READ_PHONE_STATE
2021-12-10 11:58:27.088 26142-26215/com.i3_technologies.i3store D/ApkVerifier: Expected:
      android.permission.INTERNET
      android.permission.RECOVERY
      android.permission.ACCESS_NETWORK_STATE
      android.permission.WAKE_LOCK
      com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE
      android.permission.READ_PRIVILEGED_PHONE_STATE
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.ACCESS_CACHE_FILESYSTEM
      android.intent.action.MY_PACKAGE_REPLACED
      android.permission.REBOOT
2021-12-10 11:58:27.091 26142-26215/com.i3_technologies.i3store D/Installer: Permissions in APK and index.xml do not match!

You can see that the actual permissions has android.permission.READ_PHONE_STATE and this is missing from the permissions list in index-v1.json. I believe, but haven't been able to verify it, that the problem is because of the outdated androguard.

Fdroidserver is using SDK 28 instead of SDK 30 which causes to not read the permissions correctly.

2021-12-10 14:14:41,024 WARNING: Requested API level 30 is larger than maximum we have, returning API level 28 instead.

I think this happens because of the permission android.permission.READ_PRIVILEGED_PHONE_STATE in our manifest. On the device running Android 11 it adds android.permission.READ_PHONE_STATE to the permission list of the apk. But because fdroidserver isn't parsing the apk against the same SDK it doesn't get added.

I hope I explained it correctly 😅

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information