Android based vote verification application for Estonian i-voting system
The intention behind this repository is to make source code of the official i-vote verification application for Estonian internet-voting system available for public review.
The repository is not used for active development, but will be kept up to date, so the code that can be found here is the code that is used for election. As the voting system used for legally binding elections must strictly follow the legislation, the actual development of Estonian i-voting system and i-vote verification application is supervised by Estonian State Electoral Office (ESEO, www.valimised.ee). Please refer to www.valimised.ee for further information.
The source code published in this repository is enough to reproduce the APKs distributed via Google Play Store.
The app is published here: https://play.google.com/store/apps/details?id=ee.ivxv.ivotingverification&hl=en. Current APK version is 22 (git tag KOV2017-APK-22). It is also possible to rebuild APK version 18 (git tag KOV2017-APK-18). Both APKs were used during KOV2017 election.
Steps to building the project and verifying the codebase matches the published APKs.
- Java 8 JDK
- Android SDK (Preferably the same build tool version as stated in app/build.gradle, easiest to get with SDK Manager)
- App external dependencies saved to app/libs/
- xom-1.2.10.jar (sha256: 35134150151dc4d3295c7a617fcce35b1b9537cca92179f48bf97655bae6782f)
- zxing_core-3.1.0.jar (sha256: f00b32f7a1b0edc914a8f74301e8dc34f189afc4698e9c8cc54e5d46772734a5)
- Gradle buildsystem is used, actual version is specified in gradle/wrapper/gradle-wrapper.properties (currently 3.5)
- Run gradlew (gradlew.bat on Windows) script in the root directory with 'assembleRelease' argument
- Output apk will be located at app/build/outputs/apk/app-release-unsigned.apk
Process of obtaining APKs from Google Play Store is not described in this document.
As APK is a valid ZIP file, the quickest method to compare two APKs is with some ZIP comparison tool, for example 'zipcmp' on any Linux system. For more thorough analysis diffoscope (https://diffoscope.org/) could be used.
The expected differences will be in the META_INF directory. The published APK will contain two extra files (CERT.SF, CERT.RSA) and more detailed MANIFEST.MF file due to being signed.
It is also possible that the AndroidManifest.xml files differ. This is due to fact that multiple correct encodings of the manifest file exist. If this happens, manifests of both APKs should be decoded and verified that the originals match. This can be done for example with APK Analyzer (https://developer.android.com/studio/build/apk-analyzer.html) in Android Studio.