
fix: FOSS Android patches for F-Droid APK scan #645

Merged: najuna-brian merged 2 commits into OpenDataEnsemble:dev from najuna-brian:fix/fdroid-android-foss-patches on Jun 2, 2026


@najuna-brian (Contributor)

Problem

fdroid build passed, but check apk failed: the release APK still contained proprietary code (~900+ hits), mainly Google Play Services from geolocation, install referrer / Firebase Gradle deps from device-info, and an extra dependency metadata signing block.

scanignore in metadata only helps the source scan — not the built APK.

Solution

Same approach as Notifee: fix it in ode, not one-off sed in fdroiddata.

  • scripts/patch-android-foss.mjs - after install, patches node_modules:
    • geolocation: drop play-services-location, remove Play Services Java; keep Android LocationManager only
    • device-info: drop install referrer + optional Firebase / GMS Gradle deps
  • android/app/build.gradle - dependenciesInfo { includeInApk false }
  • package.json - patch:android-foss on postinstall and preandroid (with vendor:notifee)

Tested

  • patch:android-foss + vendor:notifee
  • ./gradlew :app:assembleRelease
  • Release APK: no GMS / install-referrer classes in DEX ✅

Strip Play Services from geolocation, proprietary Gradle deps from
device-info, and disable APK dependency metadata. Apply via
patch:android-foss on postinstall and preandroid alongside vendor:notifee.
najuna-brian requested a review from r0ssing on June 2, 2026 16:09
r0ssing previously approved these changes on Jun 2, 2026

@r0ssing (Contributor) left a comment:

Lgtm

najuna-brian merged commit d82a2a3 into OpenDataEnsemble:dev on Jun 2, 2026
10 checks passed
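
One way to make the "no GMS / install-referrer classes in DEX" check from the Tested list repeatable, as an added example that is not code from this PR or the project: it walks the `class_defs` table of a `classes.dex` buffer and flags defined classes under blocked package prefixes. The prefix list, the function names and the sample DEX skeleton are assumptions constructed for illustration.

```javascript
// Added example. The prefix list is an assumption drawn from the libraries named in this PR.
const BLOCKED_PREFIXES = ['Lcom/google/android/gms/', 'Lcom/android/installreferrer/', 'Lcom/google/firebase/'];

// string_data_item: ULEB128 utf16_size, then MUTF-8 bytes ending in NUL.
function readDexString(dex, off) {
  while (dex[off++] & 0x80) { /* skip the ULEB128 length */ }
  let end = off;
  while (end < dex.length && dex[end] !== 0) end++;
  return dex.toString('latin1', off, end); // class descriptors of interest are ASCII
}

// Descriptors of the classes defined (not merely referenced) in one classes.dex buffer.
function definedClasses(dex) {
  if (dex.toString('latin1', 0, 4) !== 'dex\n') throw new Error('not a DEX file');
  const stringIdsOff = dex.readUInt32LE(0x3c);
  const typeIdsOff = dex.readUInt32LE(0x44);
  const classDefsSize = dex.readUInt32LE(0x60);
  const classDefsOff = dex.readUInt32LE(0x64);
  const out = [];
  for (let i = 0; i < classDefsSize; i++) {
    const classIdx = dex.readUInt32LE(classDefsOff + i * 32);     // class_def_item.class_idx
    const descIdx = dex.readUInt32LE(typeIdsOff + classIdx * 4);  // type_id_item.descriptor_idx
    const dataOff = dex.readUInt32LE(stringIdsOff + descIdx * 4); // string_id_item.string_data_off
    out.push(readDexString(dex, dataOff));
  }
  return out;
}

function findProprietary(dex) {
  return definedClasses(dex).filter(d => BLOCKED_PREFIXES.some(p => d.startsWith(p)));
}

// Constructed sample: header plus id tables only, not a loadable DEX (no checksum, no map).
function buildSampleDex(descriptors) {
  const n = descriptors.length, typeIdsOff = 0x70 + 4 * n, classDefsOff = typeIdsOff + 4 * n;
  let dataOff = classDefsOff + 32 * n;
  const dex = Buffer.alloc(dataOff + descriptors.reduce((s, d) => s + d.length + 2, 0));
  dex.write('dex\n035\0', 0, 'latin1');
  for (const [v, o] of [[n, 0x38], [0x70, 0x3c], [n, 0x40], [typeIdsOff, 0x44], [n, 0x60], [classDefsOff, 0x64]]) dex.writeUInt32LE(v, o);
  descriptors.forEach((d, i) => {
    dex.writeUInt32LE(dataOff, 0x70 + 4 * i);      // string_ids[i] -> string data
    dex.writeUInt32LE(i, typeIdsOff + 4 * i);      // type_ids[i] -> string i
    dex.writeUInt32LE(i, classDefsOff + 32 * i);   // class_defs[i] -> type i
    dex[dataOff] = d.length;                       // one-byte ULEB128 (descriptor < 128 chars)
    dex.write(d, dataOff + 1, 'latin1');
    dataOff += d.length + 2;                       // length byte + text + NUL
  });
  return dex;
}
```

Against a real build, pass each `classes*.dex` entry extracted from the release APK to `findProprietary` and fail the job on any non-empty result.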