Comments (6)

eighthave commented on May 25, 2024

SHA256 and the fr.meteo name are the standards across Android things.

The handle is actually known as the Android "Application ID", which is basically the same as a Java "Package Name". So we can leave Google out of it ;-). That is a required, unique ID for Android itself, then it is also used in Google Play, F-Droid, and many other app stores.

Also, do you know about https://androidobservatory.org? It's free software, and quite complementary to the Exodus Privacy scanner. Would be nice to have both somehow merged. It uses both "Application ID" and SHA-256. VirusTotal uses SHA-256.

from exodus.

seandiggity commented on May 25, 2024

> SHA256 and the fr.meteo name are the standards across Android things.
>
> The handle is actually known as the Android "Application ID", which is
> basically the same as a Java "Package Name". So we can leave Google out of
> it ;-). That is a required, unique ID for Android itself, then it is also
> used in Google Play, F-Droid, and many other app stores.

Right. Exodus grabs the package from GP using gplaycli, so I was using that terminology... it's a somewhat important distinction because of so many fake scam apps out there. If we're going to list reports for apps in the Exodus Web UI that are outside of GP, then I think we need to come up with a naming scheme that includes the source (goog play, f-droid repo, manual upload, etc.). But the Exodus scanner (the CLI etc.) can be used for any APK without having to worry about what ends up listed on reports.exodus-privacy.eu.org.

> Also, do you know about https://androidobservatory.org? It's free
> software, and quite complementary to the Exodus Privacy scanner. Would be
> nice to have both somehow merged. It uses both "Application ID" and
> SHA-256. VirusTotal uses SHA-256.

I stumbled across it a few months ago; it's great for checking APKs. Doesn't focus on trackers and does manual upload, which is a bit different... Exodus is designed to provide reports before people install something, and to provide a quick audit of an app's respect for privacy.

There's certainly some cross-pollination to be done here, but I think we need to figure out how we're going to handle integration with LibScout first... I would expect Exodus to incorporate parts of the androidobservatory.org UI if anything, and not any backend changes in the foreseeable future.

eighthave commented on May 25, 2024

Regarding IDs, SHA256 is best for individual files, "Application ID" is for the things claiming to be a specific app (e.g. Firefox is org.mozilla.firefox and fake ones might use that Application ID also), then I guess you need a third kind of ID for the source (F-Droid, Google Play, Amazon, Baidu, Aptoide, etc). Android Observatory has tried to do the same kind of labeling, so something to look at.

I think Android Observatory is entirely complementary with Exodus, there isn't really any overlap in functionality, but they do overlap a lot in presentation and interaction. They both work on the user uploading a file and seeing a result. The way things are cross-linked in Android Observatory is really nice. You can start by looking at a file, then click to see all other files that are signed by the same key, or all files that share the "Application ID".

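The three kinds of ID and the cross-linking described in the comment above, as an added example that is not part of the thread and is not Exodus or Android Observatory code. The `ReportIndex` class, the source labels and the signer labels are assumptions made for illustration; byte strings stand in for APK files.

```python
import hashlib
from collections import defaultdict


class ReportIndex:
    """Reports keyed by file hash, cross-linked by application ID and signer."""

    def __init__(self):
        self.files = {}                    # sha256 -> (application_id, signer)
        self.sources = defaultdict(set)    # sha256 -> {source labels}
        self.by_app_id = defaultdict(set)  # application_id -> {sha256}
        self.by_signer = defaultdict(set)  # signer -> {sha256}

    def add(self, apk_bytes, application_id, signer, source):
        digest = hashlib.sha256(apk_bytes).hexdigest()
        # One file has one application ID and one signer, whatever its source.
        known = self.files.setdefault(digest, (application_id, signer))
        if known != (application_id, signer):
            raise ValueError("same file reported with different metadata")
        self.sources[digest].add(source)
        self.by_app_id[application_id].add(digest)
        self.by_signer[signer].add(digest)
        return digest

    def same_application_id(self, digest):
        app_id, _ = self.files[digest]
        return self.by_app_id[app_id] - {digest}

    def same_signer(self, digest):
        _, signer = self.files[digest]
        return self.by_signer[signer] - {digest}

    def mixed_signers(self):
        # Application IDs claimed by files from more than one signer.
        out = {}
        for app_id, digests in self.by_app_id.items():
            signers = {self.files[d][1] for d in digests}
            if len(signers) > 1:
                out[app_id] = sorted(signers)
        return out


def build_sample_index():
    # Constructed sample data: placeholder labels, not real fingerprints.
    idx = ReportIndex()
    a = idx.add(b"constructed apk 1", "org.mozilla.firefox", "signer-A", "google-play")
    idx.add(b"constructed apk 1", "org.mozilla.firefox", "signer-A", "f-droid")
    b = idx.add(b"constructed apk 2", "org.mozilla.firefox", "signer-B", "manual-upload")
    c = idx.add(b"constructed apk 3", "org.example.notes", "signer-A", "google-play")
    return idx, a, b, c
```

An application ID that shows up under more than one signer is a prompt for review rather than proof of a fake, since some repositories re-sign the apps they build.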

seandiggity commented on May 25, 2024

Exactly right, Hans. I think it would be good to have application ID still recorded in the URI, if possible, to make it easier to group together fake scam apps if necessary... e.g. I would have wanted to have a static record of the fake Haven APK scans for posterity, and we've even seen at least one fake F-Droid in Google Play. That would also require the feature request of marking them somehow as not genuine.

Also, we see malicious apps hop around under different application IDs in GP. So I think it depends on priorities here, but while we're thinking about changes we should make sure there's something more "meaningful" than a hash to look up easily.

pnu-s commented on May 25, 2024

Hi @seandiggity,
I'm taking a look at this now because we will probably need to add some features to the API for a new revamped version of Exodus.

Does the current API call https://reports.exodus-privacy.eu.org/api/search/fr.meteo satisfy your needs? If not, what would you like to see?

pnu-s commented on May 25, 2024

Closing this without an answer. @seandiggity, feel free to reopen it if needed.