2023-10-08 17:41:20

WalletScrutiny on Nostr: Among the reproducible Android wallets, Zeus appears to be the first to have switched ...

Among the reproducible Android wallets, Zeus appears to be the first to have switched to Android App Bundles. We tested what we got from Google, the arm64-v8a version, and found all bytes accounted for, giving it the verdict "reproducible", but with somewhat of a headache …

Android App Bundle, or AAB for short, allows Google to provide each user with a tailored version of the product. For example, in the case of this wallet, the older format contained binaries for arm64-v8a, armeabi-v7a, x86 and x86_64 CPUs. The new format contains binaries only for "your" CPU.



And that makes the app much smaller. In this case the zeus-universal.apk weighs 92MB while the zeus-arm64-v8a.apk only weighs 32MB.

With games, where assets for bigger screens can be excluded for lower-end devices, this can make even more of a difference.

But it also implies that Google gets the developer's signing key, theoretically enabling them to also tailor security aspects of your apps - on a case-by-case basis.

Google is pushing for AAB to trim MBs off all these apps, but this comes at a cost:

* Security: Where before, only the developer could sign an update, now Google engineers can, too.
* Transparency: Where before, only one binary was circulating per version, now many circulate.

The full analysis of the latest Zeus wallet can be found here:
https://walletscrutiny.com/android/app.zeusln.zeus/
Author Public Key
npub1j9kttlc86w63emmldd4h74rekyqpksqup6p9trhp5gjsf374qlyszvuswx
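
An added example, not part of the original post and not WalletScrutiny's own tooling: one way to check that every byte of a store-delivered APK is accounted for by a local rebuild is to compare the two archives entry by entry while ignoring signing files. The APK contents and file names below are constructed stand-ins, not real Zeus binaries.

```python
import hashlib
import io
import re
import zipfile

# v1 signing files under META-INF/ differ by design (the rebuild is not signed
# with the release key). The v2/v3 APK Signing Block is not a ZIP entry at all,
# so an entry-level comparison skips it automatically.
SIGNING_FILE = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")


def entry_digests(apk_bytes):
    """Map each non-signing entry of an APK (a ZIP archive) to its SHA-256."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or SIGNING_FILE.match(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(apk.read(info)).hexdigest()
    return digests


def compare_apks(delivered, rebuilt):
    """List entries missing from the rebuild, extra in it, or with other bytes."""
    a, b = entry_digests(delivered), entry_digests(rebuilt)
    return {
        "only_delivered": sorted(a.keys() - b.keys()),
        "only_rebuilt": sorted(b.keys() - a.keys()),
        "different": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def is_reproducible(delivered, rebuilt):
    """True when no unexplained difference remains between the two APKs."""
    return not any(compare_apks(delivered, rebuilt).values())


def make_apk(entries):
    """Build a constructed stand-in APK in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: same code, different signatures, then altered code.
CODE = {"classes.dex": b"dex-bytes", "lib/arm64-v8a/libexample.so": b"native"}
DELIVERED = make_apk({**CODE, "META-INF/CERT.RSA": b"store signature"})
REBUILT = make_apk({**CODE, "META-INF/CERT.RSA": b"local signature"})
TAMPERED = make_apk({**CODE, "lib/arm64-v8a/libexample.so": b"altered"})
```

With AAB, this comparison has to be repeated for each split APK a device actually receives, since no single universal binary exists to check once.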