About (Re)distributing Open Source Apps ( dSploit )



It’s a while I see compiled dSploit versions pop up on Google Play Store, most of the times the actual changes are just a matter of icons, other times are merely compiled versions of one of the nightly releases.

Altough I can not ( and really don’t want to ) avoid this, I’d like to write a few lines about this kind of conduct and the ethics behind open source software.

As most of my personal projects, dSploit was released from the beginning under the GPL 3 license, this means that you can modify it at your own will, distribute it for free or even as a paid software and share it with your friends.
You are only asked to make your changes available under the same license and make references to the original authors of the software itself. That’s it, this is so simple.

Beyond the fact I find deeply unfair not putting even the smallest link to the original repository or some credits on the description of those compiled distributions, there are a few things anyone who wants to make such thing should be aware of before blindly cloning the repository and compiling the source code.

BugSense Identifier

Starting from one of its first versions, dSploit uses BugSense free service to track unexpected application exceptions (crashes). There’s a specific string used by BS to identify the application itself and its many versions, if you just clone and compile the repo I will receive aggregated notifications both from my version and from yours, making it difficult for me to track down bugs causes … so please, fork it and modify this identifier, or remove it if you don’t want to use bugsense.

Signed APK Conflicts

As you probably already know, dSploit has its own update mechanism based on a freely available web application, so when a new release is available I compile the source code, sign the package with my own signature key and finally I upload the signed app to the update server which distributes it to everyone.
You are probably (surely unless you have access to my pc, in that case please let me know :P) using your own signature key to create the final apk you uploaded to the store … you know what ? If someone installs your version and then I upload a new release, they will start the update process ( since the update server url you are using it’s the official one ) at the end of the which the user will see an error due to signature conflicts … guess who’s gonna receive dozens of emails from github notifying him of new issues being opened for that ? Me.
So please, at least modify the update urls using your own.

Bandwidth

Besides updates, dSploit needs to download other (big) files such as a precompiled metasploit distribution, dictionary files for the wifi cracking module and so on … I pay for the bandwidth since dsploit.net is hosted on a dedicated server, please do not abuse it, modify the update urls.

Reliability

This being said, I strongly discourage pleople from downloading other distributions unless a specific reference to the modifications is provided, remember you are allowing the application to run with root privileges, this is not something you really want if you are not 100% sure of what it really does under the hood, or unless you have basic Android reverse reverse engineering skills and you can verify it by your own.

Peace.