Bazaar Wiki¶
Bazaar is our focused effort to make the F-Droid app store the most private and secure available, while embedding the best known methods for guaranteeing access no matter the conditions of the internet:
- share apps on your phone with people nearby using WiFi, Bluetooth, NFC, SDCard, etc
- audit installed apps by comparing them to the versions that other people have installed to make sure they are not malware
- use decentralized app stores from all sorts of organizations
- securely build and distribute app releases
- curate your own collections of media and apps
Overview¶
Activities and Research¶
- research published on our blog
- FDroid Audit
- Auditing Existing APKs
- Bootstrapping Trust
- Local Data Transfer
- OTRDATA Integration Plan
- Trusted Intent Interaction
- Chained TLS Cert Verification
- Signing the Local APK Index
- Improving the APK Signing Procedure
- "Swap" apps
- Swap over bluetooth (in development)
- Ideas for the Next Phase
Related Discussions¶
- posts on our blog: https://guardianproject.info/tag/bazaar/
- posts on the FDroid forum: https://f-droid.org/forums/tag/bazaar/
- Oct 23rd IRC Scrum log
- Nov 21st IRC log about identifying repos
- F-Droid and decentralized trust convo on twitter
- OpenITP UX Hackathon - Cydia/Community Notes
- March 26th IRC Scrum log
Code Repositories¶
- FDroid Android client - the Android app store
- FDroid server tools - the tools for managing app repos
- androidobservatory - website to present information about APKs
Relevant F-Droid Issues¶
Whenever possible we should try to frame our work in terms of the F-Droid development process. If we can fix issues in F-Droid by submitting the functionality that we need for Bazaar, then its a win-win.
- Resumeable downloads? - p2p and tor will mean lots of flaky connections
- Repo as virtual category in client - we will need a way to represent what is on the device on the other side of a p2p sync
- backgrounding apk download - downloading via Tor and OTRDATA could be slow
- Method for suggesting users uninstall an apk - if an APK proves to be compromised, it should be able to be revoked and the client should recognize that
Design Assets¶
Starting Point
Wifi-QR/IP screen: s3_wifi_QR.ai (attached)
These documents cover the UI for all of the design we've discussed as of May 30th, 2014. I've labeled them as p01 for 'phase 1'.
Illustrator file: swapUI_p01.ai
Images of each screen (22 total): swapUI_p01.zip
Diagram of the swap workflow and an outline of the other UI components: workflow_diag_p01.pdf
*Phase 2 Design
SVG files are attached below as 'swap_p2_v1.zip'