Android based vote verification application for Estonian i-voting system
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
app
gradle/wrapper
LICENSE
README.md
build.gradle
gradlew
gradlew.bat
settings.gradle

README.md

ivoteverification

Android based vote verification application for Estonian i-voting system

The intention behind this repository is to make source code of the official i-vote verification application for Estonian internet-voting system available for public review.

The repository is not used for active development, but will be kept up to date, so the code that can be found here is the code that is used for election. As the voting system used for legally binding elections must strictly follow the legislation, the actual development of Estonian i-voting system and i-vote verification application is supervised by Estonian State Electoral Office (ESEO, www.valimised.ee). Please refer to www.valimised.ee for further information.

Reproducible building

The source code published in this repository is enough to reproduce the APKs distributed via Google Play Store.

The app is published here: https://play.google.com/store/apps/details?id=ee.ivxv.ivotingverification&hl=en. Current APK version is 22 (git tag KOV2017-APK-22). It is also possible to rebuild APK version 18 (git tag KOV2017-APK-18). Both APKs were used during KOV2017 election.

Steps to building the project and verifying the codebase matches the published APKs.

Build pre-requisites:

Building:

  • Gradle buildsystem is used, actual version is specified in gradle/wrapper/gradle-wrapper.properties (currently 3.5)
  • Run gradlew (gradlew.bat on Windows) script in the root directory with 'assembleRelease' argument
  • Output apk will be located at app/build/outputs/apk/app-release-unsigned.apk

Comparing APKs:

Process of obtaining APKs from Google Play Store is not described in this document.

As APK is a valid ZIP file, the quickest method to compare two APKs is with some ZIP comparison tool, for example 'zipcmp' on any Linux system. For more thorough analysis diffoscope (https://diffoscope.org/) could be used.

The expected differences will be in the META_INF directory. The published APK will contain two extra files (CERT.SF, CERT.RSA) and more detailed MANIFEST.MF file due to being signed.

It is also possible that the AndroidManifest.xml files differ. This is due to fact that multiple correct encodings of the manifest file exist. If this happens, manifests of both APKs should be decoded and verified that the originals match. This can be done for example with APK Analyzer (https://developer.android.com/studio/build/apk-analyzer.html) in Android Studio.