Reproducibility Verification Results for ShapeShift Android v3.1.0
Overview
Hello ShapeShift team! 👋
We're reaching out from the WalletScrutiny project, where we verify the reproducibility of cryptocurrency wallet applications. We recently attempted to reproduce your Android app (v3.1.0) and wanted to share our findings.
Verification Attempt
We attempted to build the app from source using:
- Repository: https://github.com/shapeshift/mobile-app
- Commit: 5836f656f240ce1494a2c9625365c18ae3d47bec
- Build environment: Docker with Node.js 18 and Android SDK
- APK comparison tools: apktool v2.7.0, diffoscope, and diff
Results
Unfortunately, we found significant differences between the Play Store APKs and our locally built versions:
- Size discrepancies:
  - base.apk: Official=19,799,693 bytes, Built=8,660,696 bytes (56% smaller)
  - split_config.en.apk: Official=45,465 bytes, Built=34,803 bytes (23% smaller)
- Content differences:
  - Missing dexopt directory in assets
  - Binary differences in index.android.bundle (core JavaScript code)
  - Differences in app icons and splash screen images
  - Binary differences in libexpo-modules-core.so native library
  - Differences in resources.arsc files
  - Missing
These differences go beyond the expected metadata and signing variations that normally occur during the Google Play publishing process.
Expo Build Process
We noticed in Issue 104 that you're now using Expo for builds. We'd love to understand more about your specific build process to help achieve reproducibility.
Why This Matters
Reproducible builds are crucial for security and trust in cryptocurrency applications. They allow users and third parties to verify that the app they download contains exactly the code that's publicly available, with no unexpected additions.
Thank you for your time and consideration!
Detailed Report
For a complete analysis including hash comparisons and specific differences, please see our full verification report.
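An entry-by-entry APK comparison of the kind the report above describes, as an added example that is not part of the WalletScrutiny report or the ShapeShift project. It treats two APKs as zip archives, hashes every entry except the META-INF signing metadata (the assumption being that signing data is the only difference Play Store publishing should introduce), and classifies each entry as missing, extra, changed or identical. The two "APKs" are constructed in memory from a handful of entries so the script runs offline; the entry names echo the report's findings but are sample data, not the real APK contents.

```python
"""Compare two APKs entry by entry, ignoring signing metadata (added example)."""
import hashlib
import io
import zipfile
from dataclasses import dataclass, field

# Assumption: only the signing metadata under META-INF/ is expected to differ
# between a store-published APK and a locally built one.
SIGNING_PREFIXES = ("META-INF/",)


@dataclass
class ApkDiff:
    missing: list = field(default_factory=list)    # present in official, absent locally
    extra: list = field(default_factory=list)      # present locally, absent in official
    changed: dict = field(default_factory=dict)    # name -> (official_size, local_size)
    identical: list = field(default_factory=list)  # same content hash in both

    def reproducible(self) -> bool:
        """True only when every non-signing entry matches byte for byte."""
        return not (self.missing or self.extra or self.changed)


def _digests(apk_bytes: bytes) -> dict:
    """Map each non-signing file entry to (uncompressed size, sha256 hex)."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(SIGNING_PREFIXES):
                continue
            data = zf.read(info)
            out[info.filename] = (len(data), hashlib.sha256(data).hexdigest())
    return out


def compare_apks(official: bytes, local: bytes) -> ApkDiff:
    """Classify every entry of the union of both archives."""
    off, loc = _digests(official), _digests(local)
    diff = ApkDiff()
    for name in sorted(set(off) | set(loc)):
        if name not in loc:
            diff.missing.append(name)
        elif name not in off:
            diff.extra.append(name)
        elif off[name][1] != loc[name][1]:
            diff.changed[name] = (off[name][0], loc[name][0])
        else:
            diff.identical.append(name)
    return diff


def make_apk(entries: dict) -> bytes:
    """Build a minimal zip in memory standing in for an APK (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: the "official" archive carries a signature block and a
# dexopt asset the local build lacks, and the JS bundle content differs.
OFFICIAL = make_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "assets/index.android.bundle": b"var a=1;",
    "assets/dexopt/baseline.prof": b"\x00profile",
    "META-INF/CERT.RSA": b"signature-block",
})
LOCAL = make_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "assets/index.android.bundle": b"var a=2;",
})

if __name__ == "__main__":
    d = compare_apks(OFFICIAL, LOCAL)
    print("reproducible:", d.reproducible())
    for n in d.missing:
        print("missing in local build:", n)
    for n, (o, l) in d.changed.items():
        print(f"changed: {n} official={o} bytes local={l} bytes")
```

On real APKs, read the two files into bytes and pass them to compare_apks; a changed entry such as the JS bundle or resources.arsc is then worth unpacking with apktool and feeding to diffoscope, while missing or extra entries usually point at a build-pipeline step (for example dexopt profile generation) that one side ran and the other did not.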