ryrona
Having reproducible builds is nice. But I'm not using GOS or any other apps because they are reproducible. I'm using them because I trust the devs to write code with good will and build it correctly. I also trust Google Play to verify that apps are genuine and deliver apps to me in a secure way.
I think if your threat model requires reproducible builds, you should also check the entire source and trust yourself to be able to find any backdoors in it. It's not enough to just trust others to inspect the source for you. It'd be better to have your own secure build environment and build it yourself.
F-Droid vulnerability allows bypassing certificate pinning
missing-root In practice, neither you nor others are checking the sources. Even if you were checking the sources, finding an intentionally hidden vulnerability is unlikely. Serious vulnerabilities often last for years or even decades in widely used and widely reviewed projects like the Linux kernel. If accidental vulnerabilities can't be reliably spotted even after substantial review, auditing, etc., that doesn't bode well for the ability to find a backdoor.
The xz situation was brought up and that was not spotted in the source code after several rounds of them adding backdoor infrastructure to the Git repository. It wasn't spotted when they put the finishing touches in the source tarball for the release, but it's highly unlikely that would have been spotted if they'd pushed it to Git since the final touches were well disguised / hidden. It was only the overall set of changes which when put together triggered deobfuscating a payload and using it maliciously. Most of that was in the Git repository already before the final pieces were added. It's unclear why they took the risk of making a far more non-reproducible source tarball someone might have noticed differed from what got generated from the Git repository. It's an example of their lack of stealth and finesse despite the long term commitment to it. They also severely screwed up the performance and that's why it was discovered: unnecessarily causing huge spikes of CPU usage. That likely would have been spotted by others eventually. If they hadn't made those mistakes, there's a high chance it would have gone undiscovered for months or longer. Would it have made it to Debian stable? Probably not considering it has frozen packages for years and hasn't had a new release yet, but Debian stable is full of unpatched, known vulnerabilities in a lot of the packages, including things like web and mail servers which are remote-facing but typically don't classify all the little memory corruption bug fixes as security vulnerabilities with CVE assignments. Most projects don't seek out CVE assignments at all.
What if you only use F-Droid with the following repos?
- https://mobileapp.bitwarden.com/fdroid/repo
- https://releases.threema.ch/fdroid/repo
These repos are from the official websites.
Are they also not safe? Is it worse or better to use these repos than the normal ones from F-Droid? How bad in comparison to GitHub?
xuid0 GitHub is not better here. It adds an additional middleman you need to trust.
Also, Obtainium has no methods of verifying packages; only the Android package manager solves this, if the APKs are signed.
Using F-Droid repos will be more performant and the F-Droid client is also more minimal. Using official repos from the devs should eliminate all risks with F-Droid, apart from maybe the client being outdated, then you can still use F-Droid Basic.
Sorry I did not write this earlier, but using the Obtainium app with the AppVerifier app is the recommended way to directly obtain APKs via GitHub. Then compare the certificate hashes of the APK using AppVerifier against the known internal database.
We don't want to blindly trust the APK one downloads from GitHub without making an effort to verify the certificate hashes of the APK. If it doesn't work I would be asking in the Matrix listed under Community:
https://github.com/soupslurpr/AppVerifier
F-Droid or using any F-Droid client is not recommended: https://privsec.dev/posts/android/f-droid-security-issues
AppVerifier is only needed for the first install. If devs don't publish their certificate, does this even make sense?
That "F-Droid security issues" is only about the official repo afaik, so not useful.
First install? We should be checking the APK every time it is downloaded. That means first install & updates.
xuid0 We should be checking the APK every time it is downloaded. That means first install & updates.
The AOSP package manager which handles installation and updates of apps/apks pins the signature on install and then all updates must be signed with the same cert or they are rejected.
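The two checks discussed in this thread, the AppVerifier-style comparison of a certificate hash against a published value before the first install and the package manager's pinning of the install-time certificate so that updates signed with another key are rejected, written out as an added simulation in Python. This is example code, not AOSP or AppVerifier code: the certificates, package names and the trusted fingerprint table are constructed placeholders, and the only real part of the technique is that a certificate fingerprint is the SHA-256 of the certificate's DER bytes.

```python
"""Constructed simulation of first-install fingerprint verification and
install-time certificate pinning (example code, not AOSP or AppVerifier)."""
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded signing certificates. A real fingerprint
# is SHA-256 over the certificate's DER bytes, which is exactly what is hashed.
DEV_CERT = b"-- constructed DER for the developer's signing certificate --"
ROGUE_CERT = b"-- constructed DER for a different, untrusted certificate --"


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate as lowercase hex without separators."""
    return hashlib.sha256(cert_der).hexdigest()


def normalize_fingerprint(text: str) -> str:
    """Accept the colon-separated uppercase form many projects publish
    ('AB:CD:...') as well as bare hex, and return canonical lowercase hex."""
    return "".join(ch for ch in text.lower() if ch in "0123456789abcdef")


@dataclass
class Apk:
    package: str
    version_code: int
    cert_der: bytes


# Constructed trusted database (package name -> published fingerprint), stored in
# the colon-separated uppercase form to show that normalization handles it.
_dev_fp = cert_fingerprint(DEV_CERT)
TRUSTED_FINGERPRINTS = {
    "com.example.app": ":".join(_dev_fp[i:i + 2] for i in range(0, 64, 2)).upper(),
}


def first_install_check(apk: Apk, trusted: dict) -> bool:
    """AppVerifier-style step before the first install: the APK's certificate
    fingerprint must equal the published one for that package name."""
    expected = trusted.get(apk.package)
    if expected is None:
        return False  # unknown package: nothing to compare against
    return normalize_fingerprint(expected) == cert_fingerprint(apk.cert_der)


class PackageManagerModel:
    """Models the pinning behaviour: the certificate seen at install time is
    recorded, and every later update must carry the same certificate."""

    def __init__(self) -> None:
        self.installed = {}  # package -> (version_code, pinned fingerprint)

    def install(self, apk: Apk) -> str:
        fp = cert_fingerprint(apk.cert_der)
        current = self.installed.get(apk.package)
        if current is None:
            self.installed[apk.package] = (apk.version_code, fp)
            return "INSTALLED"
        version, pinned_fp = current
        if fp != pinned_fp:
            # Android reports this as INSTALL_FAILED_UPDATE_INCOMPATIBLE and the
            # already installed app is left untouched.
            return "REJECTED_CERT_MISMATCH"
        if apk.version_code < version:
            # Android also refuses downgrades by default.
            return "REJECTED_DOWNGRADE"
        self.installed[apk.package] = (apk.version_code, fp)
        return "UPDATED"


def demo() -> list:
    """Walk through a genuine install, a genuine update, and an update of the
    same package name signed with a different key."""
    pm = PackageManagerModel()
    genuine_v1 = Apk("com.example.app", 1, DEV_CERT)
    genuine_v2 = Apk("com.example.app", 2, DEV_CERT)
    other_key_v3 = Apk("com.example.app", 3, ROGUE_CERT)
    results = []
    results.append("VERIFIED" if first_install_check(genuine_v1, TRUSTED_FINGERPRINTS) else "UNVERIFIED")
    results.append(pm.install(genuine_v1))
    results.append(pm.install(genuine_v2))
    results.append(pm.install(other_key_v3))
    results.append("VERIFIED" if first_install_check(other_key_v3, TRUSTED_FINGERPRINTS) else "UNVERIFIED")
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The first-install check is the only moment a published fingerprint is consulted; afterwards the pinned certificate does the work, which is why a mismatching update is refused even though nothing in the trusted table is looked up again.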
Carlos-Anso
Ah OK I wasn't aware it worked that way. Thanks for informing me :-)
xuid0 Sorry I did not write this earlier, but using the Obtainium app with the AppVerifier app is the recommended way to directly obtain APKs via GitHub.
Obtainium is a nice way to automate updates of apps you cannot obtain from app stores such as Accrescent and Play, but it's not a more "secure" way to directly obtain APKs via GitHub. It just doesn't do a verification check of the downloaded APKs. I feel like stating that it is the "recommended" way to obtain APKs makes it sound like it's an official recommendation by the GrapheneOS project, which to my knowledge, it is not.
fid02 it is the "recommended" way to obtain APKs
Maybe "commonly recommended" would be more appropriate. Personally I feel this is generally implied when people say "recommended" without a specific source, but I suppose some might think it's not clear where the recommendation comes from and that could lead to misunderstandings.
I would not even recommend it personally.
It is really only good to have a single source of apps. But as said, it is way more inefficient than F-Droid at pulling and checking updates. It has waaay more attack surface.
And it has no background updates or parallel downloads that work. Unlike on F-Droid, I never get an update note or just a prompt while the app has already been downloaded.
You won't believe it but people never update manually. If updates are not automatic, they are often not done.
Carlos-Anso what would be the error code, if there is one, in the case of a rejection?
missing-root I would not even recommend it personally.
I know. You make that obvious from your F-Droid defending. You don't need to tell me, nor do I care. Plenty of people, myself included, are happy using Obtainium and happy to recommend it (until Accrescent can properly replace it, then that'll be the recommendation instead).
You won't believe it but people never update manually. If updates are not automatic, they are often not done.
Well, sorry then, that's an untrue statement. Because I do all updates manually. I don't like not controlling updates and have never understood people's obsession with automatic updates. I have never spent more than a few minutes updating apps (most of which is spent looking at changelogs), and it's not in any way a hindrance to me. I don't find it difficult to keep up to date on my apps and will pretty much always update my apps within a few hours (if not 5-15 minutes) of the updates being available. I'm sure I'm likely not alone in this either.
missing-root If updates are not automatic, they are often not done
All of my updates are manual. Either based on notifications, or on spontaneous checks. I haven't automated anything, except through Accrescent, which I use for 2 apps (including Accrescent itself).
Wow... yes I update manually too. This simply is not a scalable solution. It is an ease to have somewhat background updates.
And no, F-Droid is not only better than Obtainium because of that. I hope that you didn't really only get that. The client is extremely minimal, so that some repos don't even work with it, and only work with Droid-ify.
Obtainium is an entire browser. It renders HTML and runs JavaScript, follows redirects and more. I use both, but Obtainium is not the secret tool that is better than all others.
GrapheneOS Can I just say what an absolutely fascinating read this entire thread has been. I had zero clue F-Droid's security was so borked. Until today most of my apps were from Obtainium, Accrescent, and F-Droid, but after learning all this I uninstalled F-Droid and replaced my F-Droid apps with either the Play Store version or directly from Obtainium. Thank you so much for keeping security at the forefront.