feat: add build script, release key and prepare for automation

Author: thelicato

.gitignore

@@ -0,0 +1 @@
+build

README.md

@@ -7,3 +7,14 @@ The following applications are currently available:
 | Application     | Description                                                         |
 |-----------------|---------------------------------------------------------------------|
 | Hidden Activity | A simple application with an hidden activity that contains the flag |
+
+Every sample app has the following:
+- a placeholder flag set to `DROIDGROUND_FLAG_PLACEHOLDER`
+- a `config.json` file in the root of the app directory that specifies:
+    1. The file(s) that contain the placeholder flag
+    2. The actual flag
+
+Using this info the *GitHub action* can build **two versions** of each app (one with the placeholder flag and one with the actual flag).
+This simulates what should happen in a real CTF event, where the player are given the placeholder version while the real one is installed on the device accessible through *DroidGround*.
+
+If you want to build them on your own you can use the `build.sh` script provided here in the root of the repo.

build.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+
+set -e
+
+read -p "Keystore path [./release-key.jks]: " USER_KEYSTORE_PATH
+KEYSTORE_PATH="${USER_KEYSTORE_PATH:-./release-key.jks}"
+KEYSTORE_ABS_PATH=$(realpath $KEYSTORE_PATH)
+
+if [[ ! -f "$KEYSTORE_ABS_PATH" ]]; then
+  echo "Keystore file not found at: $KEYSTORE_ABS_PATH"
+  exit 1
+fi
+
+echo "Enter keystore credentials:"
+read -p "Key alias: " KEY_ALIAS
+read -s -p "Keystore password: " KEYSTORE_PASSWORD; echo
+
+rm -rf build
+mkdir -p build
+for appdir in */ ; do
+  if [[ -f "$appdir/config.json" && -f "$appdir/gradlew" ]]; then
+    echo "===================================="
+    echo "Building app in: $appdir"
+
+    cd "$appdir"
+
+    # Read config
+    FLAG=$(jq -r '.flag' config.json)
+    FILES=$(jq -r '.files[]' config.json)
+
+    # Placeholder build
+    echo "Building placeholder version..."
+    ./gradlew clean assembleRelease \
+      -Pandroid.injected.signing.store.file=$KEYSTORE_ABS_PATH \
+      -Pandroid.injected.signing.store.password=$KEYSTORE_PASSWORD \
+      -Pandroid.injected.signing.key.alias=$KEY_ALIAS \
+      -Pandroid.injected.signing.key.password=$KEYSTORE_PASSWORD
+
+    cp app/build/outputs/apk/release/app-release.apk "../build/${appdir%/}-placeholder.apk"
+
+    echo -e "\n\n"
+    # Flagged build
+    echo "Replacing placeholder string with actual flag..."
+    for file in $FILES; do
+      echo "Modifying file: $file"
+      sed -i "s/DROIDGROUND_FLAG_PLACEHOLDER/${FLAG//\//\\/}/g" "$file"
+    done
+
+    echo ""
+    echo "Building flagged version..."
+    ./gradlew clean assembleRelease \
+      -Pandroid.injected.signing.store.file=$KEYSTORE_ABS_PATH \
+      -Pandroid.injected.signing.store.password=$KEYSTORE_PASSWORD \
+      -Pandroid.injected.signing.key.alias=$KEY_ALIAS \
+      -Pandroid.injected.signing.key.password=$KEYSTORE_PASSWORD
+
+    cp app/build/outputs/apk/release/app-release.apk "../build/${appdir%/}-flag.apk"
+
+    echo "Restoring modified source files..."
+    git restore .
+
+    cd ..
+    echo "Finished building: $appdir"
+    echo
+  fi
+done
+
+echo "All builds complete. APKs are in the \"build\" folder."

hidden-activity/config.json

@@ -0,0 +1,4 @@
+{
+  "flag": "FLAG{just_4_h1dd3n_4ct1v1ty}",
+  "files": ["./app/src/main/java/com/droidground/hiddenactivity/HiddenActivity.kt"]
+}