Auditing Existing APKs¶

One key feature of Bazaar is the ability to audit the existing APKs already installed on the phone.

• do zero-knowledge comparison so as not to leak the entire app list to the other person
• flag when two APKs are claiming to be the same thing, but have differences.
  • use package name as the canonical ID for an app
  • what differences should be flagged? signing key, checksum, size, version name/code, etc.
• compare all APKs both system and user-installed

Alert Conditions¶

• Are the two apps signed by the same set of public keys?
• Are the two apps the same version code?
  • Are the two apps requesting the same permissions?
  • Do the two apps have identical classes.dex?

Next Step Actions¶

The app should prompt the user when it finds that APKs don't match, and should provide simple ways to trigger actions that could help the situation.

• Uninstall
• "Freeze" the app, i.e. uninstall it but keep a copy around just in case
• check APK on external site
  • https://androidobservatory.org/
  • https://openintegrity.org/

Secure Two-party Computation¶

• One Java framework: http://www.mightbeevil.com/framework/
• Example app to find common contacts between Android devices: http://mightbeevil.com/contacts/
  • Description: http://mightbeevil.com/contacts/description.pdf