Skip to content

Latest commit

 

History

History
71 lines (56 loc) · 3.36 KB

README.md

File metadata and controls

71 lines (56 loc) · 3.36 KB

I-vote verification application

Android based vote verification application for Estonian I-voting system

The intention behind this repository is to make source code of the official I-vote verification application for Estonian internet-voting system available for public review.

The repository is not used for active development, but will be kept up to date, so the code that can be found here is the code that is used for election. As the voting system used for legally binding elections must strictly follow the legislation, the actual development of Estonian I-voting system and I-vote verification application is supervised by State Electoral Office of Estonia. Please refer to www.valimised.ee for further information.

Reproducible building

The source code published in this repository is enough to reproduce the APKs distributed via Google Play Store.

The app is published here: https://play.google.com/store/apps/details?id=ee.ivxv.ivotingverification&hl=en. Current APK version is 38 (git tag EP2024-APK-38) used during EP2024 election.

Steps to building the project and verifying the codebase matches the published APKs.

Build pre-requisites:

Building:

  • Gradle buildsystem is used, actual version is specified in gradle/wrapper/gradle-wrapper.properties (currently 7.0.2)
  • Run gradlew (gradlew.bat on Windows) script in the root directory with 'assembleRelease' argument (e.g., './gradlew assembleRelease' on Linux)
    • Android Gradle plugin requires Java 11 to run
  • Output apk will be located at app/build/outputs/apk/release/app-release-unsigned.apk

Comparing APKs:

Process of obtaining APKs from Google Play Store:

As APK is a valid ZIP file, the quickest method to compare two APKs is with some ZIP comparison tool (e.g., 'zipcmp' or 'diff' on any Linux system). For more thorough analysis diffoscope (https://diffoscope.org/) could be used.

  • For example, unzipping the APK files and using the 'diff -ru folder1/ folder2/ | sort' command would be helpful

The expected differences will be in the META_INF directory. The published APK will contain two extra files (CERT.SF, CERT.RSA) and more detailed MANIFEST.MF file due to being signed.

It is also possible that the AndroidManifest.xml files differ. This is due to fact that multiple correct encodings of the manifest file exist. If this happens, manifests of both APKs should be decoded and verified that the originals match. This can be done for example with APK Analyzer (https://developer.android.com/studio/build/apk-analyzer.html) in Android Studio.