Bazaar2 Monthly Report - October 2016

Added by hans 8 months ago

This past month, we ran a bunch of user tests to confirm that existing
parts were working, and to get feedback about the new UX overhaul of the
client app. Overall, we received solid feedback that things are
working, while the studies did point out areas where we have work to do.
At the OTF Summit, Seamus Tuohy kicked off the developer user research
portion of the project. We also had a number of good discussions on
various issues and challenges related to this project.

One realization that came out of the OTF Summit is that the differences
in the various contexts around the world mean that F-Droid needs to be
portrayed quite differently in each context. For example, in Zimbabwe,
the private local app/media swapping is the most valuable feature since
in many parts of the country the internet is unreliable or expensive, but
otherwise people use Google Play and not much else. In China, the
internet is affordable and widely available and most people already use
multiple app stores, but it is often heavily filtered, with specific
sites and services totally blocked. So in Cuba, the local app swapping
is far and away the dominant feature while in China, the circumvention
is the key feature. When all of this is included in a single app, then
communicating what exactly this app is must be strongly tied to the
local context in order for people to effectively understand how it can
be useful to them.

Objective 1 Simple multi-pronged distribution

Media Support

The core “fdroidserver” tools now support adding any arbitrary file to a
repository. This was first done to support videos, e-books, audio,
etc., but it became rapidly clear that there wasn’t a need to limit what
kinds of files are supported. This opens things up for experimentation.
For example, perhaps it would be useful to also distribute desktop apps
via F-Droid.

One clear use case that has developed since this was implemented is
distributing “Over-The-Air” (OTA) update files. This is the standard
format used to update the core Android OS. With this, system updates and
additions can be safely distributed via F-Droid. Currently, there are
lots of people who are downloading additions like “gapps”
(Google Apps) to add on to custom Android OS distributions like
CyanogenMod. These are usually just downloaded from random, insecure
places on the internet. With F-Droid’s new file support, these can now
easily be safely distributed via the F-Droid ecosystem. Follow the
progress of this via F-Droid’s own OTA update, the “F-Droid Privileged
Extension”:
https://gitlab.com/fdroid/privileged-extension/issues/9

Another potential use for OTA files in F-Droid, securely
distributing optional system-level software packages, comes from Mike
Perry’s “Mission Improbable” project for customizing the Copperhead
Android ROM distribution. Additions that Copperhead does not support, like
https://microg.org/’s free replacements for Google Apps, or even Google
Apps itself, can be included in an F-Droid repository for easy
installation when the user wants. The Android method for managing these
files is based entirely around software updates, so it is not meant for
browsing and selectively applying OTA files.

Reproducible Builds

Finally, the completion of the fully reproducible build process is
within reach. This has been stymied by the difficulties of running a VM
in a VM. We are now quite close to getting a fully automated, ground-up
build server process that then in turn runs reproducible builds of
Android apps. We set up a new server to serve as the “verification
server” test platform on eclips.is. That will serve as a place to
polish up the verification server so that it is easy for anyone to
deploy to verify any app they are interested in. Follow that work here:
https://f-droid.org/wiki/page/Verification_Server

Objective 2 Curation Tools for Organizations

No notable progress on this.

Objective 3 Modern App Store with Built-in Circumvention

UX Overhaul

We ran a couple of user tests using a mockup of the new F-Droid client app
UX designs. The tests were run in two southern African countries and
Vienna, Austria. Overall, the new designs were quite well accepted.
Testers navigated the app easily. There were no major issues with
completing the tasks that were given to the testers, including with
nearby app swapping. This points us to the need for getting the nearby
features very solidly implemented so the reality can match these user tests.

In the real-world test of nearby app swapping in southern Africa, over
90% were able to successfully swap apps, with WiFi having a much higher
success rate than Bluetooth. The downside is that conceptually WiFi was
more difficult than Bluetooth, since all of the participants thought of
the word WiFi as interchangeable with the word Internet. Bluetooth was
generally understood as only local.

Additionally, we are working on a partnership with Svenja Schroeder of
University of Vienna’s Usable Security lab to run user studies that
highlight the usability issues of software that aims to protect privacy.
https://cs.univie.ac.at/cosy/home/

Here is the full report and raw materials from the Vienna test:

Final Report:
https://docs.google.com/document/d/1ZyrdUzkVdEjubhEsadLeSsAwqUF0ChWYOpr0QlIryrk

Task Success Rates/Survey Results:
https://docs.google.com/spreadsheets/d/1aDE7uCzO8FURGhjNn4gsjeeb7EmXJNc2WRjVb5V_4Mc

F-Droid Overhaul User Test Script:
https://docs.google.com/document/d/13CpKXBmvpuKnBfcajMFeef_840Z9Rnqkey3kd0E_vnA

User Test Printout materials:
https://docs.google.com/document/d/1NbxjWYXuYw7Wn9Dn-sZmNVdAX-DiTYWFGFtp7GwJREg

Implementation Begins

The implementation of the new UX overhaul designs has begun. The plan
is to get the basic user experience working as per the designs, before
moving onto more minute details such as exact
colours/fonts/paddings/etc. The basic UX is now in place for the main
featured apps screen, the categories overview screen, the list of apps
for a single category, which doubles as a general purpose search
interface, and the settings view (which I ported directly from the
current settings view in the old UI).

There are still many things missing which need to be added, most
prominently:

* The "My Apps" screen where users can see updates to their installed apps
* The "Nearby" screen, which will be a port of the current "Swap" interface
* Integrating feedback from the app download process into the app list
  screen (e.g. "This app is downloading", "This app can be updated").
  Right now it either has an install button or it doesn't.

Some of these will wait until further feedback from usability studies
that we are working on. Some videos of the current implementation are
available here:

https://gitlab.com/fdroid/fdroidclient/issues/709

New Approaches for Security Scans

We discussed new security scanning approaches with academic security
researchers as part of the ACM CCS conference. In the academic world,
there is a body of ongoing work on automatically scanning software
to find libraries and even specific versions. We plan to use this
information in combination with standardized vulnerability reports like
CVEs to notify users that the specific apps that they have installed or
are seeking to install have known security issues.

We planned out the implementation using some upcoming free software
libraries like LibScout and Alterdroid:
https://www.infsec.cs.uni-saarland.de/~derr/
http://www.seg.inf.uc3m.es/~guillermo-suarez-tangil/Alterdroid/

Objective 4 Partner Deployments

We discussed specific distribution approaches with two potential
partners for environments with very limited internet access.

Objective 5 Usability Research on In-country Developers

We kicked off at the OTF Summit with a series of interviews and a survey
to help establish the scope of the research. Over the next two months,
Seamus Tuohy will be conducting interviews with internet freedom
developers from a variety of closed and closing spaces on their
development processes and the challenges they face. This study will
produce guidance, user stories, and/or other information that can be
shared with organizations working on internet freedom issues. It aims to
help them better support developers in closed and closing spaces.

Here are the results of the survey:
https://drive.google.com/file/d/0B7TJ3OZ3bai_YmpqSjI4cDdKTFk

We are currently looking to interview individuals with insights into the
challenges of technologists and software developers in places where the
internet is heavily monitored and filtered and/or where developers could
be at risk because of their work. If you, or someone you know, fits this
description and is willing to participate in a face-to-face, phone or
video conference interview, please feel free to reach out to me.

