F-Droid - App not installed as package appears to be invalid

published 2023-02-06 · updated 2023-02-06 #android #apps #fdroid
The F-Droid website hosts an outdated version of the APK which causes issues for users who try to install it in multiple user profiles.



Transcript

Please excuse any grammatical errors. I used a tool to generate the transcript and haven't had a chance to read through it yet. ✔️

It's good practice to document answers to frequently asked questions, as it allows other users to reference them. For example, I've been asked multiple times through email and video comments why a user is unable to install F-Droid in another user profile. To avoid answering these questions individually, I decided to make a video explaining the reason behind this issue. To demonstrate the process, a user can go to f-droid.org on their Android device and click the "Download" button on the home page to download F-Droid. Once the download is complete, they can install the APK.

Open the app, ignore the warning, allow it a minute to update the repositories. Now, if you go to updates because of the notification, the first thing the app wants you to do is update F-Droid to the newest version. The user now has the latest version of it installed. They go through and download whatever apps they want, install them, and then shortly after this, the user finds out about user profiles and wants to start separating their apps to different user profiles to separate user data.

So, they create a new user profile and we're on that new user profile. And again, the first thing they want to do is install F-Droid so they can download apps. They go to f-droid.org again, same process as before: click the download button, and once the download finishes, open it and install again. And they are presented with an error. This is the error I get asked about and that I see different posts about online.

So now that we see what is happening, let's talk about why this is happening. This diagram is overly simplified, but I think it'll help paint the picture of what's going on. At the bottom here, we have the system and part of the system is the Android Package Manager, which we can see here. And above the system level is the user profiles, as we saw in the example. We had our initial owner user profile that we were on and then switched to our user profile, which was that second user profile where the F-Droid install failed.

A common misconception is that when you install an app on a user profile, it's installed in that user profile and then when you switch to the other user profile, it's installed there as well. But that is not correct. What happens when you install an app on Android is that it is handled by the Android Package Manager. That app is installed and then linked, for lack of a better term, to the profile that you are presently in.

In this example, we installed F-Droid from our owner profile. We downloaded it and installed it, which was version one. And as we saw in the example, once we installed F-Droid, we were immediately prompted to update the app, so we went from version one to version two. These are not the actual version numbers. I'm just doing this for the sake of simplicity. So at this point, we now had version 2 of it installed and being managed by the Android Package Manager.

We went to our second user profile, downloaded and installed F-Droid, or tried to install it, but the issue that was occurring was that when we downloaded F-Droid from the website, the version we downloaded was actually version one. Since Android packages are managed by the system, there's a protection in place that prevents an app from being downgraded. So in this case, we were trying to install version one of F-Droid, but the Package Manager saw that we had version 2 installed, therefore it blocked the install on that second user profile, and we were unable to install F-Droid on it.

Just to reiterate, because it was a misconception that I had as well, user profiles are meant to separate user data. The actual installation of apps is handled at the system level by the Android Package Manager. And if you try to install an app on a separate user profile that is an older version than the one currently being tracked by the Android Package Manager, the install will fail.

You may have noticed that when you update an app in one user profile, the same update is reflected in all other user profiles. This is because the package installation is handled at the system level, not at the user profile level. When the app is updated in one profile, the actual package is upgraded across the system, making all user profiles use the same updated version.

This is why the issue of updating F-Droid continually occurs. F-Droid hosts an outdated version of their app on their website, so every time a new user visits the site, they end up downloading an older version of the app, which then prompts them for an update. To avoid this, you can download the latest version of the app from the home page and save it in a folder titled "F Droid". From there, you can search for "F-Droid" on the right side.

We can scroll down to the latest version labeled "Suggested Download". Again, placing that in the "F Droid" folder. Now, for the sake of simplicity, I'm going to use this online APK analyzer. Here we have our "F Droid" folder with the "F Droid.apk" that was downloaded from the home page and the "org.fdroid" that was the most recent suggested version we downloaded.

If we look at these, we can see that the one from the home page is version 1.15.4, and the version from the actual page in the search was 1.15.6. The 1.15.4 was published on December 2nd, 2022, and the most recent suggested version on January 14th, 2023.

That's why if you go to a separate user profile and try to download F-Droid from the main home page, you receive an older version that's out of date and the install fails because Android's downgrade protection kicks in and blocks the install.
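The check described above, as an added example that is not part of the original video or post: it reads the system-wide package record and the per-profile install flags from `dumpsys package` output, compares the APK's version code against it, and reports whether the install into a given profile would be a downgrade. The sample outputs and version codes are constructed, and the suggested `pm install-existing` command assumes adb shell access to the device.

```python
import re

# Constructed `adb shell dumpsys package org.fdroid.fdroid` excerpt. Version
# codes 1 and 2 mirror the transcript's simplification, not real F-Droid codes.
SAMPLE_DUMPSYS = """\
Packages:
  Package [org.fdroid.fdroid] (a1b2c3d):
    versionCode=2 minSdk=23 targetSdk=25
    versionName=1.15.6
    User 0: ceDataInode=4242 installed=true hidden=false suspended=false
    User 10: ceDataInode=0 installed=false hidden=false suspended=false
"""
# Constructed first line of `aapt dump badging` for the home-page APK.
SAMPLE_BADGING = "package: name='org.fdroid.fdroid' versionCode='1' versionName='1.15.4'"


def parse_dumpsys(text):
    """Return (system-wide versionCode, {user_id: installed}); (None, {}) if absent."""
    m = re.search(r"^[ \t]*versionCode=(\d+)", text, re.M)
    if not m:
        return None, {}
    rows = re.findall(r"^[ \t]*User (\d+):.*?\binstalled=(true|false)", text, re.M)
    return int(m.group(1)), {int(uid): flag == "true" for uid, flag in rows}


def parse_badging(line):
    """Return (package name, versionCode) of the APK about to be installed."""
    m = re.search(r"name='([^']+)' versionCode='(\d+)'", line)
    if not m:
        raise ValueError("not an aapt 'package:' line")
    return m.group(1), int(m.group(2))


def diagnose(dumpsys_text, badging_line, target_user):
    """Return (verdict, suggested command or None) for installing in target_user."""
    pkg, apk_code = parse_badging(badging_line)
    installed_code, users = parse_dumpsys(dumpsys_text)
    if installed_code is None:
        return "ok", None                      # package unknown to the system
    if users.get(target_user):
        return "already-installed", None       # already enabled for this profile
    if apk_code < installed_code:
        # One package copy serves every profile, so an older APK is a downgrade.
        # Enable the existing copy for the profile instead of sideloading.
        return "downgrade-blocked", f"adb shell pm install-existing --user {target_user} {pkg}"
    return "ok", None                          # same or newer version is accepted


if __name__ == "__main__":
    print(diagnose(SAMPLE_DUMPSYS, SAMPLE_BADGING, 10))
```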

Now that we know what is happening and why, there are a couple of things you can do to get around this issue:

Instead of going to the F-Droid home page, you can scroll down, search for "F-Droid", select F-Droid, and download the latest version with the tag "Suggested". When you open this one and select "install", it's not blocked by Android because you're not trying to install an older version of the app. This is probably the easiest for most people.

If you are running GrapheneOS, you can go into "Settings", "System", "Multiple Users", select the second user profile, and use the option "Install Available Apps". Change the toggle next to F-Droid, and it will be accessible from your second user profile. The reason the "Install Available Apps" feature works is that APK installation is handled by the package manager at the system level, so when you are in the owner profile, you can give additional profiles access to installed apps.

For the F-Droid team, you could update the version on your home page to the latest stable version. It's not good security practice to intentionally host an outdated version of your app in the most popular place to download it. This one change of hosting the most recent version on your home page would save everyone time and make for a better overall user experience.
