
Reproducible Builds for im.adamant.adamantmessengerpwa #666

Open
xrviv opened this issue Sep 19, 2024 · 2 comments

Comments


xrviv commented Sep 19, 2024

Hello team Adamant! 😃

I'm Danny from walletscrutiny.com. We help Bitcoin app developers verify the build reproducibility of Bitcoin Android apps on Google Play. (See reproducible-builds.org)

So far, we've analyzed over 6500+ bitcoin apps and devices.

One of these is Adamant.im's.

With adequate build instructions, we were able to build your app successfully.

You can browse our attempt here:

https://walletscrutiny.com/android/im.adamant.adamantmessengerpwa/

Our conclusion

During the build, we had to modify 3 files.

After the build, we found signing-related diffs in files such as: BNDLTOOL.RSA, BNDLTOOL.SF, MANIFEST.MF, stamp-cert-sha256 and META-INF. These are only present in the fromOfficial build, i.e. the APKs we extracted from our phone. Similarly, we also find a difference in resources.arsc.

In resources.arsc:

We ran diffoscope between the build/base/resources.arsc and official/base/resources.arsc:

These are the results:

danny@lw10:~/work/compare/im.adamant.adamantmessngerpwa/4.8.1$ cat resources.arsc.diff.txt 
    --- fromOfficial/base/resources.arsc
    +++ fromBuild/base/resources.arsc
    │┄ Format-specific differences are supported for Android package resource table (ARSC) but no file-specific differences were detected; falling back to a binary diff. file(1) reports: Android package resource table (ARSC), 261 string(s), utf8
    @@ -3496,15 +3496,15 @@
    0000da70: 7461 696e 6572 0024 2457 6964 6765 742e  tainer.$$Widget.
    0000da80: 436f 6d70 6174 2e4e 6f74 6966 6963 6174  Compat.Notificat
    0000da90: 696f 6e41 6374 696f 6e54 6578 7400 2020  ionActionText.  
    0000daa0: 5769 6467 6574 2e53 7570 706f 7274 2e43  Widget.Support.C
    0000dab0: 6f6f 7264 696e 6174 6f72 4c61 796f 7574  oordinatorLayout
    0000dac0: 0006 0663 6f6e 6669 6700 0a0a 6669 6c65  ...config...file
    0000dad0: 5f70 6174 6873 0007 0773 706c 6974 7330  _paths...splits0
    -0000dae0: 0000 0000 0202 1000 7400 0000 0100 0100  ........t.......
    +0000dae0: 0000 0000 0202 1000 7400 0000 0100 0000  ........t.......
    0000daf0: 1900 0000 0000 0000 0000 0000 0000 0000  ................
    0000db00: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000db10: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000db20: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000db30: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000db40: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000db50: 0000 0000 0000 0000 0102 5400 4802 0000  ..........T.H...

Take note of offset 0000dae0

However, when we generated a hexdump on both resources.arsc, prior to running diffoscope, we get more diffs that are similar in nature:

Nosbin (Nostr Pastebin)

We note the following:

  1. At offset 0000dae0:
     - 0100 0000
     + 0100 0100
  2. At offset 0000dda0:
     - 0200 0000
     + 0200 0100
  3. At offset 0000de90:
     - 0300 0000
     + 0300 0100
  4. At offset 00010fc0:
     - 0400 0000
     + 0400 0200
  5. At offset 00011c20:
     - 0600 0000
     + 0600 0700
  6. At offset 00014b90:
     - 0800 0000
     + 0800 0100
  7. At offset 00015e20:
     - 0900 0000
     + 0900 0100
  8. At offset 00015f20:
     - 0a00 0000
     + 0a00 0100
  9. At offset 00016ba0:
     - 0d00 0000
     + 0d00 0100
  10. At offset 00016ff0:
     - 0e00 0000
     + 0e00 0d00
  11. At offset 00020020:
     - 1000 0000
     + 1000 0100
  12. At offset 00016020:
     - 0b00 0000
     + 0b00 0300

These diffs lead us to conclude that the app is nonverifiable.

For this reason, we'd like to invite you to collaborate with us to figure out how we can make the build reproducible.

Hoping for your kind response.
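The comparison described above (skip the signing-only files under META-INF, then report every differing 16-byte row of a file by offset, as a diff of two xxd hexdumps would) can be scripted. This is an added example, not walletscrutiny's or Adamant's own tooling; the two in-memory "trees" and the sample resources.arsc bytes are constructed from the 0000dae0 row quoted above, and the file-name set is assumed from the files named in the post.

```python
"""Compare an official and a locally built APK payload: ignore signing
artifacts, then list the 16-byte rows where remaining files differ."""
import hashlib
from pathlib import PurePosixPath

# Signing-step files named in the post; expected to differ between builds.
SIGNING_FILES = {"BNDLTOOL.RSA", "BNDLTOOL.SF", "MANIFEST.MF", "stamp-cert-sha256"}
SIGNING_SUFFIXES = {".RSA", ".SF", ".EC", ".DSA"}

def is_signing_artifact(path: str) -> bool:
    """True for META-INF signature material that a signed APK adds."""
    p = PurePosixPath(path)
    return "META-INF" in p.parts and (p.name in SIGNING_FILES or p.suffix in SIGNING_SUFFIXES)

def hexrow(data: bytes) -> str:
    """Format a row as xxd does: 2-byte groups separated by spaces."""
    return " ".join(data[i:i + 2].hex() for i in range(0, len(data), 2))

def row_diffs(official: bytes, built: bytes, width: int = 16):
    """Return (offset, official_row, built_row) for each differing row.
    Length mismatches surface as rows with a shorter side."""
    diffs = []
    for off in range(0, max(len(official), len(built)), width):
        a, b = official[off:off + width], built[off:off + width]
        if a != b:
            diffs.append((off, hexrow(a), hexrow(b)))
    return diffs

def compare_trees(official: dict, built: dict):
    """Compare two {path: bytes} trees. Returns (skipped, changed), where
    changed maps path -> row diffs. A file missing on one side is b""."""
    skipped, changed = [], {}
    for path in sorted(set(official) | set(built)):
        if is_signing_artifact(path):
            skipped.append(path)
            continue
        a, b = official.get(path, b""), built.get(path, b"")
        if hashlib.sha256(a).digest() != hashlib.sha256(b).digest():
            changed[path] = row_diffs(a, b)
    return skipped, changed

# Constructed sample: zero padding up to 0xdae0, then the row from the post.
OFFICIAL_ARSC = bytes(0xDAE0) + bytes.fromhex("00000000020210007400000001000100") + bytes(16)
BUILT_ARSC = bytes(0xDAE0) + bytes.fromhex("00000000020210007400000001000000") + bytes(16)
SAMPLE_OFFICIAL = {"base/resources.arsc": OFFICIAL_ARSC, "base/classes.dex": b"dex",
                   "base/META-INF/BNDLTOOL.RSA": b"sig", "base/META-INF/MANIFEST.MF": b"mf"}
SAMPLE_BUILT = {"base/resources.arsc": BUILT_ARSC, "base/classes.dex": b"dex"}

if __name__ == "__main__":
    skipped, changed = compare_trees(SAMPLE_OFFICIAL, SAMPLE_BUILT)
    print("skipped:", skipped)
    for path, rows in changed.items():
        for off, a, b in rows:
            print(f"{path} @ {off:08x}\n-{a}\n+{b}")
```

On real input, load each unpacked APK directory into the dict (path relative to the APK root, file bytes as value) and the output lists exactly the offsets the hexdump comparison above reports.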

@adamant-al (Member) commented:

Hi,

Thanks for the report.
We'll take a look at it.

Also note that the source for the iOS app has been available from the start of development: https://github.com/Adamant-im/adamant-iOS
https://walletscrutiny.com/iphone/im.adamant.adamant-messenger/#nosource


xrviv commented Sep 19, 2024

Noted! Will update.

By the way, by default, we treat all iOS apps as 'nonverifiable'
