How does google drive, onedrive and dropbox vaults work on the fdroid version?

I was thinking of buying a license key, but i use an device without a play store with resurrection remix.
Doesnt gdrive, 1drive and dropbox need a api key?

Without Play Services and the Play Store, Google Drive doesn’t work and is also excluded in the F-Droid version of Cryptomator. Onedrive and Dropbox work as expected.

But how do 1drive and dropbox work? I dont see any api keys in the github repo

See android/README.md at develop · cryptomator/android · GitHub

Those API keys aren’t published to Github. We use environment variables to set them locally on the device while building the app:

  • release: DROPBOX_API_KEY or ONEDRIVE_API_KEY and ONEDRIVE_API_REDIRCT_URI
  • debug: DROPBOX_API_KEY_DEBUG or ONEDRIVE_API_KEY_DEBUG and ONEDRIVE_API_REDIRCT_URI_DEBUG

Yes, that explains the apkstore/playstore variant, but what about the fdroid flavor?
As far as i know, fdroid doesnt have any secrets management

The same applies to our F-Droid flavor. That is the only reason why the app isn’t in the official repository and we’re hosting our own one at https://static.cryptomator.org/android/fdroid/repo?fingerprint=F7C3EC3B0D588D3CB52983E9EB1A7421C93D4339A286398E71D7B651E8D8ECDD

We’re definitely not completely satisfied with it, we would love to be in the official one but however, for security reasons, we cannot simply upload the API keys to something like Github.

Here you can read some background discussion about the integration: cryptomator-android (#713) · Issues · F-Droid / Requests For Packaging · GitLab

Oh ok.
Why not use a method similar to rclone? The client is authorized using a webserver on localhost, with a globally shared client_id. It seems to be working well for them.
https://rclone.org/onedrive/#getting-your-own-client-id-and-key

Very nice idea, but then every user who installs the app via F-Droid would have to enter self-created API keys because when we would fallback to a default set of published API keys, these cannot be considered “safe”.

The idea behind Cryptomator is that our grannies should also be able to use it, and I definitely don’t trust mine to create and enter own API keys (sorry granny :pray:).

The catch with rclone is that these “fallback” keys are used by default. In cryptomatkr those who wish to have their own api key could do so under some advanced settings button.

Yes, I have understood that. In any case, it is no problem at all to enter own API keys in advanced settings, that could be implemented very straight forward and easy too, but it doesn’t solve the problem that we had discussed earlier with publishing the API keys to something like Github.

This also raises the question, whether those users who are both able and willing to request their own API keys for the various cloud storage services they’re using, aren’t also capable of building the app themselves.

Once you have obtained a set of API keys, it’s not too much of a hassle to also fill them into the build config.