
WalletScrutiny.com Reproducibility Report for version 1.51.10 #242

@xrviv


Non-Reproducible Build Report for TrusteeWallet v1.51.10

Overview

Hi TrusteeWallet team! 👋

We at WalletScrutiny have attempted to verify the reproducibility of TrusteeWallet v1.51.10 by building it from source and comparing the resulting APKs with those from the Google Play Store. Unfortunately, we found that the build is not fully reproducible.

Build Process

We created a custom build script (com.trusteewallet.sh) that:

  1. Clones the TrusteeWallet repository
  2. Checks out the v1.51.10 tag
  3. Builds the Android App Bundle (AAB) using Docker containers with your Dockerfiles
  4. Generates split APKs using bundletool
  5. Extracts and compares the built APKs with official APKs from Google Play

Key Findings

Our analysis revealed several differences between the official and built APKs:

Base APK Differences:

  • AndroidManifest.xml:
    • Different settings for extractNativeLibs (false in official, true in built)
    • isSplitRequired="true" present only in built APK
    • requiredSplitTypes attribute missing in built APK
  • Binary differences: In assets/index.android.bundle
  • DEX files: Official APK lists classes.dex through classes5.dex in apktool.yml, missing in built APK

Architecture-specific APK Differences:

  • AndroidManifest.xml:
    • splitTypes="base__abi" attribute missing in built APK
  • Compression settings: Official APK has detailed doNotCompress list for native libraries, missing in built

Language and Screen Density APK Differences:

  • Similar pattern of missing attributes and different metadata

Technical Impact

While some differences are expected (Google Play metadata, signatures), others suggest non-deterministic build processes:

  • Different binary files
  • Different DEX file structures
  • Different compression settings
  • Different native library handling
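The kind of entry-by-entry comparison step 5 of the build process performs, written out as an added example (this is not WalletScrutiny's com.trusteewallet.sh script and not TrusteeWallet code). It reads two APKs as ZIP archives, ignores the signing files under META-INF/ that are expected to differ, and reports entries present on only one side, entries whose contents differ, and entries whose ZIP compression method differs (the "doNotCompress" finding above shows up as a native library that is stored in the official APK but deflated in the rebuild). The two archives it compares are constructed in memory with made-up contents; in real use you would pass the bytes of the official and built APK files instead. Because AndroidManifest.xml inside an APK is binary XML, this script only flags the manifest as different; attribute-level differences such as extractNativeLibs still need apktool-decoded output.

```python
"""Compare two APKs entry by entry: files only on one side, files whose bytes
differ, and files whose ZIP compression method differs (STORED vs DEFLATED).
Signature files under META-INF/ are skipped, since a re-signed build is
expected to differ there. Added example, not code from the original report."""
import hashlib
import io
import zipfile

# Signing artefacts differ by design between an official and a rebuilt APK.
SIGNATURE_PREFIX = "META-INF/"


def _method(code: int) -> str:
    """Human-readable name for a ZIP compression method code."""
    return {zipfile.ZIP_STORED: "stored",
            zipfile.ZIP_DEFLATED: "deflated"}.get(code, str(code))


def _entries(apk_bytes: bytes) -> dict:
    """Map entry name -> (compression method code, sha256 hex) for every
    non-signature, non-directory entry in the archive."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.startswith(SIGNATURE_PREFIX) or info.is_dir():
                continue
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            result[info.filename] = (info.compress_type, digest)
    return result


def compare_apks(official: bytes, built: bytes) -> dict:
    """Return a report with four lists: only_official, only_built,
    content_diff (same name, different bytes) and compression_diff
    (same name, different ZIP method), each sorted by entry name."""
    a, b = _entries(official), _entries(built)
    report = {"only_official": sorted(set(a) - set(b)),
              "only_built": sorted(set(b) - set(a)),
              "content_diff": [],
              "compression_diff": []}
    for name in sorted(set(a) & set(b)):
        (method_a, hash_a), (method_b, hash_b) = a[name], b[name]
        if hash_a != hash_b:
            report["content_diff"].append(name)
        if method_a != method_b:
            report["compression_diff"].append(
                (name, _method(method_a), _method(method_b)))
    return report


def is_reproducible(report: dict) -> bool:
    """True only when no category of difference was found."""
    return not any(report.values())


def build_sample_apk(entries) -> bytes:
    """Build a constructed in-memory archive from (name, data, method) tuples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, method in entries:
            zf.writestr(name, data, compress_type=method)
    return buf.getvalue()


# Constructed stand-ins for the two APKs; contents are made up and are not
# the real TrusteeWallet files. They mirror the findings in the report:
# a differing manifest and JS bundle, a DEX file missing from the rebuild,
# and a native library stored uncompressed only in the official APK.
OFFICIAL_SAMPLE = build_sample_apk([
    ("AndroidManifest.xml", b"<manifest extractNativeLibs=false/>", zipfile.ZIP_DEFLATED),
    ("assets/index.android.bundle", b"bundle-v1", zipfile.ZIP_DEFLATED),
    ("lib/arm64-v8a/libexample.so", b"\x7fELF-native", zipfile.ZIP_STORED),
    ("classes.dex", b"dex\n035", zipfile.ZIP_DEFLATED),
    ("META-INF/CERT.RSA", b"official-signature", zipfile.ZIP_DEFLATED),
])
BUILT_SAMPLE = build_sample_apk([
    ("AndroidManifest.xml", b"<manifest extractNativeLibs=true/>", zipfile.ZIP_DEFLATED),
    ("assets/index.android.bundle", b"bundle-v2", zipfile.ZIP_DEFLATED),
    ("lib/arm64-v8a/libexample.so", b"\x7fELF-native", zipfile.ZIP_DEFLATED),
    ("META-INF/CERT.RSA", b"rebuild-signature", zipfile.ZIP_DEFLATED),
])

if __name__ == "__main__":
    result = compare_apks(OFFICIAL_SAMPLE, BUILT_SAMPLE)
    for category, items in result.items():
        print(f"{category}: {items}")
    print("reproducible:", is_reproducible(result))
```

Comparing content hashes rather than raw ZIP bytes keeps the report focused on what the build produced; ZIP-level metadata such as timestamps and entry order is another common source of non-determinism, but it is invisible once the APK is decoded, which is why the report above works from apktool output.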

Recommendations

To achieve reproducibility, we suggest:

  1. Standardize build environment: Ensure all environment variables and build tools are fixed at specific versions
  2. Document build process: Create detailed instructions for reproducing builds
  3. Fix bundletool configuration: Ensure consistent split APK generation settings
  4. Address native library handling: Standardize compression settings for native libraries
  5. Consider Hermetic builds: Implement fully isolated build environments

Next Steps

We'd be happy to collaborate on improving build reproducibility. Our full analysis and build scripts are available at WalletScrutiny.

Let us know if you have any questions or need further details about our findings!
