How do the in-APP updates work with Incognito Wallet? And Signature?

I would like to ask the dev team how those auto-updates work.
In case I’m in a Google-free Android environment without any alternative app store installed, would my AUTO-UPDATES be reliable?

Are those updates connected with the app store necessary in order for the app to work, or can I avoid them?

What are the consequences of not DOING updates with the Play Store but only with the BUILT-IN update engine?

Could I have any security issues or just some minor issues?

I also wanted to ask if it is possible to add a SHA256 signature in order to verify the APK from GitHub. As I know that hacks of GitHub profiles can happen, to avoid ending up with a bad version of the APK it would be nice to add a verification system.
@duc My goal is to make it possible to safely run the Incognito Wallet APK without any gservices and with a verification system.

Privacy and security have to come together!

4 Likes

Yes, there need to be more security systems in place to make sure that when fraudulent applications come on the market, the community can verify the authenticity of the official source.

I recommend having a kind of PGP key for the project and one for each of the developers. Like the Monero Project.

5 Likes

Hi @MrAwesome @Katoshicoins,

Thanks for your attention to the app release flow.

Here is the current build and release workflow I apply to the System.

image

When CI/CD builds, it will sign the APK with the KEY in the CI ENV,
and the APK will be updated by CI, not manually.

And the final stage: the Manager will go to the store (AppCenter or Play Store, App Store)
and click release on the app file pushed by the CI/CD.

For your security, please do not install the APK on a rooted device or a jailbroken iOS device.
You cannot update the APK signed by another KEY.

4 Likes

It looks like the final stage is needed in order to sign and verify the APK.
So basically a kind of store is needed, otherwise the updates aren’t effective, isn’t it?
Should I get any message if updates fail?

I have an unrooted OS with a CUSTOM ROM without any Gservices on it.
I have 2 profiles on it: one with a “Copy of Play Store” and the Incognito APP; the other one comes without the Play Store, not even the copy, and I installed the APK.

My question is: would the updates work only in the first case, on both, or on none of them?

My personal experience at the moment is that updates are for sure working on Profile 1, where there is an app store, even if the OS is jailbroken but the bootloader is locked.

On profile 2 I still haven’t had the time to try whether updates are working or not.

@Katoshicoins the APK update still works on your device,
but if your device is a rooted device, I’m not sure about the security of your device, because if another app can work with root permission, it can leak all your private data, and it can remove and install any APK on your device.
That means I recommend you don’t install the app on a rooted device.

Otherwise, with our current update from an original source (App Store, GitHub APK, Play Store),
you can still update.

1 Like

OK, now I understand: the APP is always auto-updating, even when only installing the GitHub APK without the Play Store.

Yeah, I know about rooted devices. The phone is not rooted, the bootloader is locked and the device is a hardened version of Android, so it is very safe to use.

Anyway, thank you for answering :slight_smile:

Can we get a signify key for the APK on GitHub so we can manually verify the APK without the store when we download? HERE
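
Added example, not posted by anyone in this thread and not Incognito's own tooling: a manual check of a downloaded APK covering the two things discussed above, the file's SHA-256 and the signing certificate that Android requires to stay the same across updates. It assumes the project publishes both values somewhere other than the download page; the function names are hypothetical and every digest is supplied by the caller.

```shell
#!/bin/sh
# Added example: verify an APK by hand when no app store does it for you.
# No digest in this file is a real Incognito value; pass in the published ones.

# Normalise a hex digest: strip spaces/colons/newlines and lower-case it.
norm_hex() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'A-F' 'a-f'
}

# SHA-256 of a file as lower-case hex (sha256sum on Linux, shasum elsewhere).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Check 1, download integrity: the file must hash to the published digest.
# usage: verify_apk_sha256 FILE EXPECTED_HEX   (0 = match, 1 = mismatch, 2 = bad input)
verify_apk_sha256() {
    [ -f "$1" ] || return 2
    expected=$(norm_hex "$2")
    [ ${#expected} -eq 64 ] || return 2   # refuse empty or truncated digests
    [ "$(file_sha256 "$1")" = "$expected" ]
}

# Check 2, signer identity: every signing certificate must equal the pinned one.
# Reads the output of `apksigner verify --print-certs app.apk` on stdin.
# usage: apksigner verify --print-certs app.apk | signer_matches PINNED_HEX
signer_matches() {
    pinned=$(norm_hex "$1")
    [ ${#pinned} -eq 64 ] || return 2
    found=$(sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: *//p')
    [ -n "$found" ] || return 1           # no signer listed: fail closed
    for d in $found; do
        [ "$(norm_hex "$d")" = "$pinned" ] || return 1
    done
}
```

A checksum file stored next to the APK on the same GitHub account falls with that account, which is why the signer check compares against a fingerprint recorded from an earlier trusted install or another channel.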