Crashlytics build_id breaks reproducibility #3677

Closed
Giszmo opened this issue Apr 25, 2022 · 2 comments


Giszmo commented Apr 25, 2022

[READ] Step 1: Are you in the right place?

Issues filed here should be about bugs in the code in this repository.
If you have a general question, need help debugging, or fall into some
other category use one of these other channels:

  • For general technical questions, post a question on StackOverflow
    with the firebase tag.
  • For general Firebase discussion, use the firebase-talk
    google group.
  • For help troubleshooting your application that does not fall under one
    of the above categories, reach out to the personalized
    Firebase support channel.

[REQUIRED] Step 2: Describe your environment

  • Android Studio version: Bumblebee
  • Firebase Component: Crashlytics
  • Component version: 17.2.1

[REQUIRED] Step 3:

Using Crashlytics breaks reproducibility for Android apps as it adds a random(?) build_id such as:

<string name="com.crashlytics.android.build_id">e0c37a103082460fbf95f3c097222e61</string>

Steps to reproduce:

  1. Build your app release twice (maybe on different machines?)
  2. Compare the files with diffoscope

The diff probably is only the build_id.

If the builds are otherwise identical, there should be no reason to assign a different build_id. Please use a hash of the folder state or something deterministic instead.
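The check described in the steps above (build twice, diff, confirm the only difference is the Crashlytics build_id), as an added example that is not part of the issue or of the Firebase SDK. It compares two build outputs entry by entry, masks the `com.crashlytics.android.build_id` string as a known, allowlisted source of nondeterminism, and reports anything that still differs. It assumes the resources have already been decoded to plain XML (real APKs compile them into resources.arsc), and the two archives it compares are constructed in memory; the function names are this example's own.

```python
import hashlib
import io
import re
import zipfile
from typing import Dict, List, Optional

# Assumption: resources were decoded before comparison (e.g. with apktool), so the
# Crashlytics string is plain XML in res/values/strings.xml rather than in resources.arsc.
STRINGS_XML = "res/values/strings.xml"
BUILD_ID_RE = re.compile(
    rb'(<string name="com\.crashlytics\.android\.build_id">)([0-9a-f]{32})(</string>)'
)


def make_sample_build(build_id: str, dex: bytes = b"dex\n035\x00sample-classes") -> bytes:
    """Constructed stand-in for one decoded build output, as an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", dex)
        zf.writestr(
            STRINGS_XML,
            '<?xml version="1.0" encoding="utf-8"?>\n<resources>\n'
            '    <string name="app_name">Sample</string>\n'
            f'    <string name="com.crashlytics.android.build_id">{build_id}</string>\n'
            "</resources>\n",
        )
    return buf.getvalue()


def extract_build_id(archive: bytes) -> Optional[str]:
    """Return the Crashlytics build_id found in the archive, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        if STRINGS_XML not in zf.namelist():
            return None
        match = BUILD_ID_RE.search(zf.read(STRINGS_XML))
    return match.group(2).decode() if match else None


def normalize(name: str, data: bytes) -> bytes:
    """Mask the one value we expect to differ so it does not hide other diffs."""
    if name == STRINGS_XML:
        return BUILD_ID_RE.sub(rb"\1<BUILD_ID>\3", data)
    return data


def entry_digests(archive: bytes, allow_build_id: bool) -> Dict[str, str]:
    """Hash each entry's *content* (not the container bytes) so zip metadata is ignored."""
    digests: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            if allow_build_id:
                data = normalize(info.filename, data)
            digests[info.filename] = hashlib.sha256(data).hexdigest()
    return digests


def compare_builds(a: bytes, b: bytes, allow_build_id: bool = True) -> List[str]:
    """Return names of entries that differ or exist on only one side.

    An empty list with allow_build_id=True means the builds are reproducible
    except for the Crashlytics build_id; an empty list with allow_build_id=False
    means they are byte-for-byte identical at the entry level.
    """
    da = entry_digests(a, allow_build_id)
    db = entry_digests(b, allow_build_id)
    return sorted(name for name in set(da) | set(db) if da.get(name) != db.get(name))


if __name__ == "__main__":
    # The first value is the one quoted in the report; the second is constructed.
    first = make_sample_build("e0c37a103082460fbf95f3c097222e61")
    second = make_sample_build("0123456789abcdef0123456789abcdef")
    print("build_ids:", extract_build_id(first), extract_build_id(second))
    print("raw diff:", compare_builds(first, second, allow_build_id=False))
    print("diff after masking build_id:", compare_builds(first, second))
```

Running it on two real decoded builds replaces `make_sample_build` with reading the two archives from disk; a non-empty result from `compare_builds(..., allow_build_id=True)` is the signal that something other than the Crashlytics id has crept into the output and needs to be tracked down.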

@argzdev
Contributor

argzdev commented Apr 26, 2022

Hi @Giszmo, thanks for reporting. Here's the reply of one of our engineers:

This is working as intended; the value is non-deterministic because it is added into the app at build time. There's no way to generate the id based on the build output, because the id itself is part of the build. We've considered some tricks to make it deterministic in the past, but there's nothing that works reliably across all Gradle versions.

There are currently no plans to change this in the future as of the moment. That being said, I'll be closing this for now.

If this gets more requests in the future, then we can probably revisit this and discuss this further. Thanks!

@argzdev argzdev closed this as completed Apr 26, 2022
@devrandom

I will have to recommend to dependent projects that they find a different solution if this is not resolved. Build reproducibility is crucial for being able to trust applications from the Play Store. This applies in particular to cryptocurrency wallets where a supply chain attack could net the attacker significant profit.

For example, see https://walletscrutiny.com/android/io.muun.apollo/

@firebase firebase locked and limited conversation to collaborators May 27, 2022