Comments (27)

JusticeRage commented on August 15, 2024

Hi @timofonic. My position on the topic has slightly evolved following very interesting conversations I had with an Android hacker at the latest Hack in the Box conference.
In the very long term, I will try to reverse-engineer the Play Store's protocol in order to obtain (free) APKs directly from Google's servers, which I find acceptable from a security standpoint.

However, this is obviously a lot of work and it may be a while before I begin working on this (months, maybe a whole year).

from apktrack.

JusticeRage commented on August 15, 2024

Hi!
Not fetching APKs, even free APKs on F-Droid, is a decision that I made at the very beginning. The rationale behind this is that downloading APKs over the network and installing them on a device has big security implications.
For some update sources, a direct link to APKs is provided and the user is one click away from the update, which seems like a good compromise for me. This could be possible on F-Droid as well, but some work would be necessary because the URLs do not follow a specific pattern.

In the general case, however, I think it is a bad idea to automatically fetch updated APKs on Evozi.

SecUpwN commented on August 15, 2024

> Not fetching APKs, even free APKs on F-Droid, is a decision that I made at the very beginning.

Good to know, that implies you're a programmer who has been thinking a lot about his app! ;-)

> The rationale behind this is that downloading APKs over the network and installing them on a device has big security implications.

For unknown sources, I'm sure that is really the case. But fetching directly from Google via HTTPS?

> For some update sources, a direct link to APKs is provided and the user is one click away from the update, which seems like a good compromise for me.

In my eyes, that is only partially right. Running your app now makes me feel like "Oh hey, new update! But WTF, how to get it if not available on Aptoide or F-Droid?" Preferred suggestion: Add download and installation as an advanced user option within the settings as well as a warning prompt before enabling?

JusticeRage commented on August 15, 2024

If I knew Google's URL scheme, I would definitely provide a direct link to their APKs inside the app, as it is done for WhatsApp, Nine Mail, etc. who provide official, HTTPS links.

That being said, I really don't want to perform automatic background downloads, this involves some file-system management (detecting that the app has been installed, remove downloaded APKs, etc.). As I said, a direct link to the latest APKs is provided whenever possible (but not for F-Droid yet), I think this is a good compromise.

SecUpwN commented on August 15, 2024

> If I knew Google's URL scheme, I would definitely provide a direct link to their APKs inside the app, as it is done for WhatsApp, Nine Mail, etc. who provide official, HTTPS links.

Doesn't the source of the ApkDownloader and maybe apk-php-parser by @evozi provide some clues?

> That being said, I really don't want to perform automatic background downloads, this involves some file-system management (detecting that the app has been installed, remove downloaded APKs, etc.)

Ok, I understand that. How about adding a button to manually initiate the download of the APK?

JusticeRage commented on August 15, 2024

I haven't had the time to look into Evozi's source yet :)
The button you talk about already exists in ApkTrack. It replaces the search icon next to the app when a direct link is available (i.e. for ApkTrack's own updates and some built-in others).

SecUpwN commented on August 15, 2024

> I haven't had the time to look into Evozi's source yet :)

Don't worry, I'll be patient until you do. Also, these projects might be useful, too:

> The button you talk about already exists in ApkTrack. It replaces the search icon next to the app when a direct link is available (i.e. for ApkTrack's own updates and some built-in others).

Oh, didn't know that. Thanks for making me aware of it!

DJaeger commented on August 15, 2024

I also thought about it and already looked in some sources.
I think it should be possible to port some code from F-Droid to ApkTrack to download and install APKs.

The issue for downloading APKs from Google Play is that you need a Google account for it; I don't know another solution.
You also need a Google account to request the version from GPlay where the version depends on the device.
This seems to be done for Evozi and other online Downloaders by them.

SecUpwN commented on August 15, 2024

@DJaeger, have you had a look at the projects I listed in my previous answer? I don't see any hardcoded accounts in these projects, but maybe I've just not looked thoroughly enough. Please verify.

> I think it should be possible to port some code from F-Droid to ApkTrack to download and install APKs.

Do I misunderstand this, or is F-Droid able to grab APKs from GooglePlay? Would be new to me..

DJaeger commented on August 15, 2024

Yes, I had a look at these projects and much more.
They all require a Google Account to download APKs (as this is a requirement by Google).
This is supplied in different ways:

  • Hardcoded in config file
  • Hardcoded as static property in sources
  • Attached as params to buildscript
  • Configured in GUI

So for all the first it has to be in sources that F-Droid can build the app.
Or a webservice is used (which can be FLOSS) where it is configured by supplier where the configuration is the only thing not in sources.
Or allow the user to configure the account in GUI of the app.

As no one wants to write credentials in source code, the only possible solutions are to deploy a webservice, where credentials are configured but not in sources, or to require the user to configure them himself.

The first solution has the disadvantage that no paid apps can be downloaded and the latter, that it requires the user to register and accept Google's terms of use.
I think we should offer both possibilities.

That the user can choose to use a webservice (or how it is today often called "the cloud" ;-) ) or configure his own credentials.

But if a webservice is deployed for this app it should offer some more solutions than this.
It could also offer an API for requesting version information including those depending on devices and those which have to be summarized from different pages like F-Droid.


Yes you misunderstood this.
I only mean the code to install an APK which is already available with system or su permissions.

DJaeger commented on August 15, 2024

I think I will try to develop a webservice for this app, which supplies an API at some time

JusticeRage commented on August 15, 2024

That would be very nice to have!

DJaeger commented on August 15, 2024

No, sorry.

SecUpwN commented on August 15, 2024

> In the very long term, I will try to reverse-engineer the Play Store's protocol in order to obtain (free) APKs directly from Google's servers, which I find acceptable from a security standpoint.

If ApkTrack had this feature, it would be for sure the number one app fetching APKs and updates! ;-)

JusticeRage commented on August 15, 2024

The latest beta version can now do this wherever direct links to APKs can be found (so for F-Droid and Xposed apps).

SecUpwN commented on August 15, 2024

> The latest beta version can now do this wherever direct links to APKs can be found

Awesome! I guess an update of ApkTrack via F-Droid should work?

JusticeRage commented on August 15, 2024

F-Droid does not build beta releases. Right now, it's only available in the APKs I distribute, but if things go well (i.e. no bugs are reported), I'll make a stable release in a week or so.

SecUpwN commented on August 15, 2024

> I'll make a stable release in a week or so.

Perfect, just take your time, I'll be patient. 👍

msdos commented on August 15, 2024

@JusticeRage what about just exporting a list of APKs that need updating? Or automatically creating this file on sdcard? It could be a CSV, an XML, a YAML, a JSON file, the simplest thing you can get.

At least this way you can help people that want to automate upgrades: having this list, I can send it to my owncloud instance, and set a bash script that iterates through all apks that need upgrading and download using a 3rd party script. So, if I installed "Meme Generator Free" from https://play.google.com/store/apps/details?id=com.zombodroid.MemeGenerator&hl=pt_BR, your file would contain "com.zombodroid.MemeGenerator" in a line and it would be easier to download the apks. What do you think? At least this is easier than reverse-engineering google play. :)

JusticeRage commented on August 15, 2024

I may work on this in the future, but this will not be top priority!
What kind of third party script are you using to download APKs?

msdos commented on August 15, 2024

That's not a CLI

https://codingteam.net/project/googleplaydownloader/download

But some of its dependencies are. The idea is to use them somehow in the future, or something like this one https://github.com/yan12125/google-play-downloader (haven't tested it).

I think this is feasible and not so complicated as reverse engineering google play itself. But as you said, not top priority, that's fine.

JusticeRage commented on August 15, 2024

The AppBrain proxy has been updated to retrieve APKs from APKMirror when possible.
Cases where no universal APK is available (architecture-dependent releases, i.e. x86, arm-eabi, etc.) are not supported for now, as the proxy wouldn't know which one to provide to the client.

Olf0 commented on August 15, 2024

> F-Droid does not build beta releases. [...]

While I have no knowledge about the specifics of the build process at F-Droid, software authors do release beta versions there.
In the F-Droid client app they are shown as the topmost release, but are not marked with the hollow star indicating the most recent stable release (see screenshot below for an example).
The F-Droid client app provides Settings > Unstable updates with which users can select, if they want beta releases to be offered as regular updates. If this setting is switched off (which is its default, IIRC, and my personal preference), one can still tap on any release of an app available at F-Droid, hence manually installing those beta releases (as I did with Sokoban 1.14 shown below).
Edit: It is also possible to promote such an "unstable release" to a stable one (visually in the F-Droid client by that hollow star being moved), later on. I have seen this happening a couple of times (although not many software authors seem to use this feature).
Edit 2: Issue #50 is related to this topic (unstable / beta vs. stable / recommended releases) and provides some further technical details.
Edit 3: The F-Droid Build Metadata Reference describes how this is achieved in its section 7.33 "Current Version". I will open a different thread / issue for this in order to untangle this convoluted thread / issue here.

I am mentioning this, as releasing beta versions on F-Droid will likely provide many more testers, resulting in much more test coverage on various Android versions etc.

  • Example screenshot:
    screenshot_20171105_001

msdos commented on August 15, 2024

> What kind of third party script are you using to download APKs?

gplaycli is now working flawlessly.

Olf0 commented on August 15, 2024

> gplaycli is now working flawlessly.

This supposedly addresses this Python program: https://github.com/matlink/gplaycli

m-boyd commented on August 15, 2024

Thanks for all of your work with this. Any chance that an automated background install via system privileges (or root privileges) could become part of ApkTrack in the future?

JusticeRage commented on August 15, 2024

It could in theory, but this isn't something I can work on as I don't own a phone I can root... Contributions are welcome on this issue.
