F-Droid security in simple words

Watermelon

horde Exactly[,] so why deliberately spread misinfo?

You're affirming what I said but then you call it out for being misinformation. This inherently implies that I have a self contradiction. Can you please make clear how you interpreted what I said, and clearly point out the self contradiction? I fail to see it.

DeletedUser370 Do we have a source for the claim that F-droid's machine containing signing keys is airgapped? It is the first I have heard this stated.

I just remember the GrapheneOS project account specifically pointing out that there's no security benefit to this because they sign without looking. It's probably in the thread about the F-Droid vulnerability.

Watermelon

ryrona The risk is not having your HTTPS connections compromised. The risk is judging what even is the legitimate source for an app.

About this specifically, you've got the same issue with app stores. The only way to know that an app is surely legitimate is to see if the default links settings successfully verified that the app is permitted to handle links for the official domain, or check the official website and see if they link to this app using the full package name in the link. In both cases, you already need to know what's the official website of the app. There can always be unofficial forks/clients/etc., even if you ignore copycats (are unofficial forks/clients copycats?).

ryrona

Watermelon About this specifically, you've got the same issue with app stores.

No, app stores would not permit unofficial copies to carry the name of the official app.

other8026

I'd suggest reading what the project account wrote about F-Droid here: https://discuss.grapheneos.org/d/18731-f-droid-vulnerability-allows-bypassing-certificate-pinning/15.

I'd also suggest reading through this article about security issues with F-Droid: https://privsec.dev/posts/android/f-droid-security-issues/

Considering F-Droid's history of not addressing issues in the past and not taking security seriously, they are objectively not a group that should be trusted by people who value security.

Regardless of how you get apps, you have to trust the app developer(s). If the app developers are untrustworthy, then F-Droid won't magically make their code trustworthy. It's already been established that F-Droid doesn't review code or updates. Their code scanning is basic and relies on badness enumeration. The only real way to know for sure there's no malicious code is for people to actually read through it, which isn't happening on F-Droid.

So if F-Droid doesn't actually protect us from malicious developers (or any other kind of bad code in our apps), then what is it there for? As far as I can tell, people like it because they like to believe that it solves the "problem" of having to trust developers. But really, it's an unnecessary trusted 3rd party, and a 3rd party that some trust way too much, especially those who get the majority of their apps from F-Droid.

Developers having or using insecure environments to write code or to build is a big assumption. If good developers who make good apps care about security, as we'd hope they do, they may have a pretty good setup. They may even have a better setup than F-Droid in many ways. But even if they don't, that would mean only one app may have this problem, rather than the multiple that most people have from their preferred unnecessary trusted 3rd party.

de0u

other8026 So if F-Droid doesn't actually protect us from malicious developers (or any other kind of bad code in our apps), then what is it there for?

Maybe the main fuel is that it's a way to find open-source Android apps that other people are probably using?

ryrona

other8026 So if F-Droid doesn't actually protect us from malicious developers (or any other kind of bad code in our apps), then what is it there for?

One answer is the ever reoccurring answer, that there unfortunately are no alternative app store for most apps. I believe all of us who use F-Droid today will switch over the moment an alternative actually appears.

Another thing that is important for me and probably many others, is that they actually verify the apps are fully open source, without binary blobs, and without privacy invasive or freedom restricting technology included. Badness enumeration, yes, but that badness enumeration works very well in practice compared to all other ways to get open source apps, as was for example evident in one other thread here recently regarding APK releases on GitHub often having proprietary binary blobs from Google included.

Knowing the apps are only truly open source has a lot of value in preventing many kinds of attacks I personally worry a lot about. For example, I worry about end-to-end encryption being weakened or backdoored, which is an especially big threat right now, as many countries are trying to outlaw end-to-end encryption, and even individual companies being forced to or voluntarily adding client-side scanning and similar. Open source seem to have a very high degree of immunity to such bad things being added, and F-Droid does a lot in reinforcing that immunity by building all apps themselves.

A popular example of this being important in practice is Firefox. Allegedly, the official releases of Firefox have very privacy invasive telemetry added, but basically all Linux package repositories are building their own versions with the most privacy invasive telemetry disabled or patched out.

horde

other8026

So if F-Droid doesn't actually protect us from malicious developers (or any other kind of bad code in our apps), then what is it there for?

If that's what you are looking for, then you won't find any, including Accrescent. F-Droid is FOSS app store that lists only open source apps that are free of tracking.

Watermelon

ryrona Maybe an app store isn't the ideal solution here. Maybe there should be someone like F-Droid but as a publisher on something like Accrescent. They'd publish rebranded apps with rebranded package names.

secrec

Watermelon Yeah but whereas it's only theoretical on other app stores, on F-Droid it's a real issue.

Actually, its real issue ELSEWHERE, not on F-Droid. There is and has always been TONS of malware published on google store. Including right now.

Carlos-Anso

secrec There is and has always been TONS of malware published on google store.

While it is the case that theres been a lot of malware published on the Play Store, which is hardly surprising as most Android apps are published there, it is also true that Google has progressively increased measures over the years to counter malware publication.

The topic needs to be approached with a certain amount of nuance. People will have differing opinions.

Its certainly the case that installing apps from any source should be approached with some care. Best to spend some time checking out the app, or stick to apps, or app developers which are known to have a good reputation. Also should take care what data you share with an app.

Ive deleted a load of posts above where there was some disagreements between people which was producing an unproductive conversation. Would be appreciated if people could refrain from making such posts.

secrec

Watermelon the apps you install from F-Droid are signed by F-Droid rather than the developer

Interesting thing to point out, because the owner of the signature can be very misleading. Google allows developers to upload their own signing keys to google servers so that google applies the signatures.

Let me make that extremely clear: Even though an application has the developer's own signature, IT MAY NOT HAVE BEEN SIGNED BY THEM.

K8y

Watermelon Every app you install from F-Droid can be malware, and every legitimate app you've already installed from F-Droid can be turned into malware with a rogue update. For example, if you've installed Aegis from F-Droid, a rogue update can make Aegis show a screen like "Aegis needs to test your connection to determine if cloud backups are possible.

Yes I think something similar happened to me where I downloaded Session from F-droid and a few months later I got a message box that popped up while I was in Session that said it was from F-secure and that a threat was detected. It felt suspicious since I don't know F-secure nor downloaded it, so I just closed the window instead of clicking " accept ".

This was before I had Graphene. I wonder if Graphene would have actually never even allowed that message box to pop up, even if I still use Fdroid...?

Watermelon

K8y F-Secure is a name of an antivirus that has nothing to do with F-Droid. Antivirus apps can pop a window like that over other apps you're using if you grant them the "Display over other apps" special permission and perhaps also the Accessibility service permission. Both of these permissions are incredibly dangerous and I don't recommend granting them to any app unless absolutely necessary. You can still use an anti-malware scanner like Google Play Protect, they should still be able to scan and notify you if you have malware, but they won't be able to block you from opening the app if you don't give them these two permissions (this shouldn't be an issue because 1. you'll probably see the notification from the anti-malware scanner, and 2. all apps are denied all permissions by default so there's practically no harm they can cause when you first open them and haven't given them your personal info or any permissions). These permissions can be seen here: Settings app –> Apps –> Special app access –> Display over other apps. And: Settings app –> Accessibility –> (if any third-party requests Accessibility service permission its name would appear under a "Downloaded apps" heading at the top, and the subtext would say either "on" or "off" if it's granted or revoked). (Note that if you ever give an untrusted app the "Display over other apps" special permission, you can't really revoke this permission because there's no guarantee you're revoking the permission, because the app can mess with what you're seeing on your screen. And the same thing might apply to Accessibility service permission. So if you want to revoke the "Display over other apps" special permission, I recommend you to boot into Safe Mode which temporarily disables all third-party apps, so you can revoke the permission and know that no other app can mess with what you're seeing. You can't revoke Accessibility service permission in Safe Mode, however you can disable or uninstall the app you granted it to. To enter Safe Mode, restart your phone and don't unlock it after restarting, then hold the power button for about 30 seconds to force your phone to restart and release the power button, then when you see the Google logo start holding the volume down button and don't release it until you feel a vibration. (This also ensures that no app can show you a fake animation that your phone looks like it's restarting or fake that you're in Safe Mode. By holding the power button physically and entering Safe Mode with the physical volume down button, you're ensuring that the phone restarts and enters Safe Mode and no third-party app can fake it.) To exit Safe Mode, just reboot as usual.)

There's two kinds of harm that malware could cause on Android/GrapheneOS:

It can try to exploit vulnerabilities in your OS, or in the drivers or firmware, to grant itself access and privileges that it shouldn't have. GrapheneOS makes this extremely difficult to do in the first place, and the firmware and drivers on Pixels should also be much better than other devices, and you can keep your OS and drivers/firmware all updated if you install GrapheneOS updates regularly, and you can restart your phone to ensure that your phone reloads the OS from a clean state again, or restart into Safe Mode using the instructions I gave above to disable or uninstall any app you think is malicious.
It can try to abuse the permissions you give it. This is not something that GrapheneOS can prevent, but GrapheneOS certainly gives you more granular permissions which help to limit the damage. But there's things it simply can't prevent, for example if you use a third-party gallery app and grant it access to all your photos, and this app then encrypts all your photos and demands a ransom, this isn't something GrapheneOS can prevent or detect. What might be able to detect this is an anti-malware scanner like Google Play Protect. You can keep Play Protect enabled and make sure it scans apps downloaded from third-party sources in the Play Protect settings, and if you install an app from outside the Play Store then run a scan with Play Protect, and it might be able to detect that the gallery app is ransomware. Also be careful with what permissions you give to apps.

Watermelon

K8y Watermelon Also I forgot to say, if you installed a rogue version of Session then it doesn't need any permission to steal your messages and what you type into Session, because it doesn't need permission to access what it already has access to. This falls under the second type because the malware plays by the rules and permissions it has rather than exploiting the OS as the first type I mentioned does. Just be careful where you install Session from. Make sure to install Session from its official source that's not F-Droid and you should be okay. If you installed Session from another source and want to make sure it's authentic, install Accrescent from the GrapheneOS App Store, then install AppVerifier from Accrescent, then open it and go to the app list and search for Session, then copy the following text and in AppVerifier tap on "paste from clipboard" and see if it matches what I have:

network.loki.messenger
F2:A0:EC:F7:06:86:44:7D:1D:6C:6C:BB:F5:8C:42:89:05:00:CC:F4:1A:F3:72:AE:20:99:30:39:80:82:4E:DD

This should correspond to the version of Session in their official APK download and the version in their F-Droid repo.

K8y

Watermelon thank you!

GrapheneOS

ryrona App stores distributing developer signed builds can't make malicious updates themselves though, only malicious fresh installs.

secrec

GrapheneOS App stores distributing developer signed builds can't make malicious updates themselves though, only malicious fresh installs.

On play store you CAN'T TELL if its actually signed by the developer, or just the developer's signature was added by google.

Also, on play store, you need to trust every developer, plus google themselves (they are not trustworthy). That's a lot more trust than needed on F-Droid, where you need only trust F-Droid - they provide source code packages matching the published builds, so you can audit the code yourself and don't need that layer of trust. Just that F-Droid built and published that actual code.

Watermelon

secrec On play store you CAN'T TELL if its actually signed by the developer, or just the developer's signature was added by google.

As far as I know, Google has turned off the ability to publish APKs on the Play Store that aren't signed by a private key that Google doesn't have access to.

secrec Also, on play store, you need to trust every developer, plus google themselves (they are not trustworthy). That's a lot more trust than needed on F-Droid, where you need only trust F-Droid

That's not true, the GrapheneOS project account said how badly F-Droid check the apps they publish.

secrec you can audit the code yourself

Nobody does that

GrapheneOS

secrec This is not true. You also have to trust the developers. Being able to review the source code is meaningless since no one does that and even if they did it would not provide any assurance of not having malicious code since in reality reviewing the code doesn't find all vulnerabilities and it's a ridiculous to claim that it would.

GrapheneOS

Watermelon

Nobody does that

Extensively reviewing / auditing the sources doesn't result in finding all accidentally introduced vulnerabilities let alone ones which were carefully hidden. It's ridiculous to make the claim that it does. Linux kernel has hundreds of serious vulnerabilities found each month and a large portion are very old. Some are many years or even decades old. How exactly is people reviewing the sources meant to avoid trusting the developers? It has no bearing in reality.

Watermelon

GrapheneOS FWIW I never claimed I want an app store that audits apps that I want to use but suspect that they're malware. I think that's ridiculous. If I'd truly suspect an app to be malware, I'd avoid it. Google Play Store reviews and scans apps, and Accrescent (from what I've heard) also does or aims to do that. Unless it's a thorough security audit (and even then what you said still applies), it's good as another defence but not something to rely on. I don't blindly install apps from Google Play Store because Google reviews and scans the apps on it. EDIT: And I certainly don't give every app every permission it asks for.

Do or have people blindly install(ed) apps from F-Droid thinking that they must be malware-free because F-Droid must be reviewing them?

« Previous Page