F-Droid security in simple words

inoigjig

Hi, can someone explain the vulnerabilities of F-Droid in simple words for the average user? Is it – for exmaple – safe to download Aegis Authenticator (a trusted app) from F-Droid inside a Private Space? Or should I use the .apk instead?

ryrona

inoigjig Hi, can someone explain the vulnerabilities of F-Droid in simple words for the average user?

There are no known vulnerabilities in F-Droid, neither the app nor the repository. Apps you download will be cryptographically verified as genuine, and kept updated with security fixes. F-Droid should thus be a far safer way to install an app than to download and install an APK file from the internet. The latter is only safe if you use AppVerifier, frequently check for updates yourself, and really know what you are doing.

F-Droid is not seen as taking security anywhere near as seriously as some other app stores do. F-Droid is criticized for not following best security practices when it comes to build infrastructure, build dependencies and target SDK levels, among other things. They have also been criticized for being slow at responding to security vulnerabilities when found, and not being transparent enough.

The GrapheneOS team recommends that you only install apps through the built-in app store, Accrescent and sandboxed Google Play. They recommend to avoid F-Droid, Aurora and manual APK installations, unless you have specific needs.

Watermelon

Every app you install from F-Droid can be malware, and every legitimate app you've already installed from F-Droid can be turned into malware with a rogue update. For example, if you've installed Aegis from F-Droid, a rogue update can make Aegis show a screen like "Aegis needs to test your connection to determine if cloud backups are possible. You'll be able to continue to your vault without cloud backups, but we need you to enable network access to Aegis to continue." and when you do grant it the Network permission, it steals all your two factor authentication secrets; if you've installed a gallery app from F-Droid and granted it access to your pictures and videos, a rogue update can turn it into ransomware; etc.

It doesn't matter that the app is trustworthy, because F-Droid are extremely incompetent with security and the apps you install from F-Droid are signed by F-Droid rather than the developer.

(EDIT: As far as I understand, there's some apps on F-Droid that F-Droid reuses the APK signed by the app developer rather than building and signing their own, but you can't know which apps they are when browsing F-Droid; if you install an app from another source and find that F-Droid can update it, then it should be fine even though the F-Droid client app itself can be turned into malware.)

ryrona

Watermelon Every app you install from F-Droid can be malware, and every legitimate app you've already installed from F-Droid can be turned into malware with a rogue update.

Theoretically true for all app stores, and especially manual installation of APK files.

There are no known malware on F-Droid. There's a lot out on the internet as manual APK files.

Byku

Watermelon Such attack would require stealing F-Droid signing keys, no?

secrec

Watermelon the apps you install from F-Droid are signed by F-Droid rather than the developer

Interesting thing to point out, because the owner of the signature can be very misleading. Google allows developers to upload their own signing keys to google servers so that google applies the signatures.

Let me make that extremely clear: Even though an application has the developer's own signature, IT MAY NOT HAVE BEEN SIGNED BY THEM.

K8y

Watermelon Every app you install from F-Droid can be malware, and every legitimate app you've already installed from F-Droid can be turned into malware with a rogue update. For example, if you've installed Aegis from F-Droid, a rogue update can make Aegis show a screen like "Aegis needs to test your connection to determine if cloud backups are possible.

Yes I think something similar happened to me where I downloaded Session from F-droid and a few months later I got a message box that popped up while I was in Session that said it was from F-secure and that a threat was detected. It felt suspicious since I don't know F-secure nor downloaded it, so I just closed the window instead of clicking " accept ".

This was before I had Graphene. I wonder if Graphene would have actually never even allowed that message box to pop up, even if I still use Fdroid...?

Watermelon

ryrona Theoretically true for all app stores

Yeah but whereas it's only theoretical on other app stores, on F-Droid it's a real issue.

ryrona There are no known malware on F-Droid

How do we know? (For what it's worth, I have some F-Droid–signed apps on my phone that I haven't gotten rid of yet, and Google Play Protect doesn't detect them. But that's not proof of anything.)

ryrona especially manual installation of APK files

With manual APK installation, only the initial installation is risky, if you consider HTTPS security risky (it uses the Certification Authorities model which certainly has issues and is much worse than an app store connecting with HTTPS with a hardcoded certificate). Once it's installed, an attacker would need to compromise the app dev to create a rogue update, which is presumably more difficult than compromising F-Droid. (An attacker could still withhold updates from you by disrupting the download of updated APKs. That's always true, although disrupting an app store might be more difficult because it could be more noticed and could disrupt much more than just a single app.)

Byku Such attack would require stealing F-Droid signing keys, no?

DeletedUser237 It would need access to their infra in the first place. Just with the keys you could pretend the app is signed by them, but would not allow you to push it to users

F-Droid has extremely bad security. How do we know that their infrastructure isn't just as badly secured as their signing keys? EDIT: Also the GrapheneOS project account mentioned that the machine containing the signing keys is airgapped, but pointed out that that doesn't provide any security because they don't even check what they sign.

GrapheneOS

ryrona App stores distributing developer signed builds can't make malicious updates themselves though, only malicious fresh installs.

DeletedUser237

Byku It would need access to their infra in the first place. Just with the keys you could pretend the app is signed by them, but would not allow you to push it to users, unless for example you'd try to trick them to pull it from a site you control.

horde

Watermelon How do we know? (For what it's worth, I have some F-Droid–signed apps on my phone that I haven't gotten rid of yet, and Google Play Protect doesn't detect them. But that's not proof of anything.)

Exactly so why deliberately spread misinfo?

It's funny how people expect F-Droid to audit each and every app and update (that's not possible) while F-Droid was recently granted a good amount of money, they will be hopefully quick with updates, and follow best security practices, but still they need to do a massive work and you can always volunteer so you can have truly FOSS app store that is private and secure.

ryrona

Watermelon Yeah but whereas it's only theoretical on other app stores, on F-Droid it's a real issue.

Google Play also signs app updates themselves. It is not more of a real issue with F-Droid than it is with Google Play. And it is not a real issue with either, as it never happened as far as I know.

F-Droid has issues, but please do not spread fear around F-Droid for things that actually aren't issues.

Watermelon How do we know?

I didn't say there are no malware on F-Droid, I said there are no known malware on F-Droid. There also are no known malware on Google Play. A lot of malware has been found on Google Play, and removed, over the years. F-Droid too would promptly remove any malware that is on there that gets discovered.

So, there is no known malware on F-Droid. We don't know about any.

This is totally unlike how it is for the rest of the internet, like if you install APK files manually. The rest of the internet is not curated in the sense that F-Droid and Google Play are, malware on the general internet does not get removed.

Watermelon With manual APK installation, only the initial installation is risky,

No. App updates are still at least as risky as it would be if installed from app stores. Individual devs usually do not have very secured build environments. Complaining about F-Droid not having secure build environment and then recommending to install apps directly from individual developers instead is hypocritical. F-Droid might not have very good build environment security, but at least that is something they consider at all, unlike what the individual developer who builds things on their own totally insecure machine would, where the signing keys are often stored unprotected on disk on the same computer.

Watermelon if you consider HTTPS security risky

The risk is not having your HTTPS connections compromised. The risk is judging what even is the legitimate source for an app. I bet most who install apps manually just does an internet search for the app name, and install from the first site or github repository that "looks" genuine. Unlike app stores who specifically try to ensure all apps are legitimate, search engines do not care about that at all, just what sites are popular.

fid02

Watermelon Also the GrapheneOS project account mentioned that the machine containing the signing keys is airgapped, but pointed out that that doesn't provide any security because they don't even check what they sign.

Do we have a source for the claim that F-droid's machine containing signing keys is airgapped? It is the first I have heard this stated.

secrec

Watermelon Yeah but whereas it's only theoretical on other app stores, on F-Droid it's a real issue.

Actually, its real issue ELSEWHERE, not on F-Droid. There is and has always been TONS of malware published on google store. Including right now.

Watermelon

horde Exactly[,] so why deliberately spread misinfo?

You're affirming what I said but then you call it out for being misinformation. This inherently implies that I have a self contradiction. Can you please make clear how you interpreted what I said, and clearly point out the self contradiction? I fail to see it.

fid02 Do we have a source for the claim that F-droid's machine containing signing keys is airgapped? It is the first I have heard this stated.

I just remember the GrapheneOS project account specifically pointing out that there's no security benefit to this because they sign without looking. It's probably in the thread about the F-Droid vulnerability.

Watermelon

ryrona The risk is not having your HTTPS connections compromised. The risk is judging what even is the legitimate source for an app.

About this specifically, you've got the same issue with app stores. The only way to know that an app is surely legitimate is to see if the default links settings successfully verified that the app is permitted to handle links for the official domain, or check the official website and see if they link to this app using the full package name in the link. In both cases, you already need to know what's the official website of the app. There can always be unofficial forks/clients/etc., even if you ignore copycats (are unofficial forks/clients copycats?).

ryrona

Watermelon About this specifically, you've got the same issue with app stores.

No, app stores would not permit unofficial copies to carry the name of the official app.

other8026

I'd suggest reading what the project account wrote about F-Droid here: https://discuss.grapheneos.org/d/18731-f-droid-vulnerability-allows-bypassing-certificate-pinning/15.

I'd also suggest reading through this article about security issues with F-Droid: https://privsec.dev/posts/android/f-droid-security-issues/

Considering F-Droid's history of not addressing issues in the past and not taking security seriously, they are objectively not a group that should be trusted by people who value security.

Regardless of how you get apps, you have to trust the app developer(s). If the app developers are untrustworthy, then F-Droid won't magically make their code trustworthy. It's already been established that F-Droid doesn't review code or updates. Their code scanning is basic and relies on badness enumeration. The only real way to know for sure there's no malicious code is for people to actually read through it, which isn't happening on F-Droid.

So if F-Droid doesn't actually protect us from malicious developers (or any other kind of bad code in our apps), then what is it there for? As far as I can tell, people like it because they like to believe that it solves the "problem" of having to trust developers. But really, it's an unnecessary trusted 3rd party, and a 3rd party that some trust way too much, especially those who get the majority of their apps from F-Droid.

Developers having or using insecure environments to write code or to build is a big assumption. If good developers who make good apps care about security, as we'd hope they do, they may have a pretty good setup. They may even have a better setup than F-Droid in many ways. But even if they don't, that would mean only one app may have this problem, rather than the multiple that most people have from their preferred unnecessary trusted 3rd party.

de0u

other8026 So if F-Droid doesn't actually protect us from malicious developers (or any other kind of bad code in our apps), then what is it there for?

Maybe the main fuel is that it's a way to find open-source Android apps that other people are probably using?

ryrona

other8026 So if F-Droid doesn't actually protect us from malicious developers (or any other kind of bad code in our apps), then what is it there for?

One answer is the ever reoccurring answer, that there unfortunately are no alternative app store for most apps. I believe all of us who use F-Droid today will switch over the moment an alternative actually appears.

Another thing that is important for me and probably many others, is that they actually verify the apps are fully open source, without binary blobs, and without privacy invasive or freedom restricting technology included. Badness enumeration, yes, but that badness enumeration works very well in practice compared to all other ways to get open source apps, as was for example evident in one other thread here recently regarding APK releases on GitHub often having proprietary binary blobs from Google included.

Knowing the apps are only truly open source has a lot of value in preventing many kinds of attacks I personally worry a lot about. For example, I worry about end-to-end encryption being weakened or backdoored, which is an especially big threat right now, as many countries are trying to outlaw end-to-end encryption, and even individual companies being forced to or voluntarily adding client-side scanning and similar. Open source seem to have a very high degree of immunity to such bad things being added, and F-Droid does a lot in reinforcing that immunity by building all apps themselves.

A popular example of this being important in practice is Firefox. Allegedly, the official releases of Firefox have very privacy invasive telemetry added, but basically all Linux package repositories are building their own versions with the most privacy invasive telemetry disabled or patched out.

horde

other8026

So if F-Droid doesn't actually protect us from malicious developers (or any other kind of bad code in our apps), then what is it there for?

If that's what you are looking for, then you won't find any, including Accrescent. F-Droid is FOSS app store that lists only open source apps that are free of tracking.

Watermelon

ryrona Maybe an app store isn't the ideal solution here. Maybe there should be someone like F-Droid but as a publisher on something like Accrescent. They'd publish rebranded apps with rebranded package names.

Carlos-Anso

secrec There is and has always been TONS of malware published on google store.

While it is the case that theres been a lot of malware published on the Play Store, which is hardly surprising as most Android apps are published there, it is also true that Google has progressively increased measures over the years to counter malware publication.

The topic needs to be approached with a certain amount of nuance. People will have differing opinions.

Its certainly the case that installing apps from any source should be approached with some care. Best to spend some time checking out the app, or stick to apps, or app developers which are known to have a good reputation. Also should take care what data you share with an app.

Ive deleted a load of posts above where there was some disagreements between people which was producing an unproductive conversation. Would be appreciated if people could refrain from making such posts.