F-Droid security in simple words

de0u

other8026 So if F-Droid doesn't actually protect us from malicious developers (or any other kind of bad code in our apps), then what is it there for?

Maybe the main fuel is that it's a way to find open-source Android apps that other people are probably using?

ryrona

other8026 So if F-Droid doesn't actually protect us from malicious developers (or any other kind of bad code in our apps), then what is it there for?

One answer is the ever reoccurring answer, that there unfortunately are no alternative app store for most apps. I believe all of us who use F-Droid today will switch over the moment an alternative actually appears.

Another thing that is important for me and probably many others, is that they actually verify the apps are fully open source, without binary blobs, and without privacy invasive or freedom restricting technology included. Badness enumeration, yes, but that badness enumeration works very well in practice compared to all other ways to get open source apps, as was for example evident in one other thread here recently regarding APK releases on GitHub often having proprietary binary blobs from Google included.

Knowing the apps are only truly open source has a lot of value in preventing many kinds of attacks I personally worry a lot about. For example, I worry about end-to-end encryption being weakened or backdoored, which is an especially big threat right now, as many countries are trying to outlaw end-to-end encryption, and even individual companies being forced to or voluntarily adding client-side scanning and similar. Open source seem to have a very high degree of immunity to such bad things being added, and F-Droid does a lot in reinforcing that immunity by building all apps themselves.

A popular example of this being important in practice is Firefox. Allegedly, the official releases of Firefox have very privacy invasive telemetry added, but basically all Linux package repositories are building their own versions with the most privacy invasive telemetry disabled or patched out.

Watermelon

ryrona Maybe an app store isn't the ideal solution here. Maybe there should be someone like F-Droid but as a publisher on something like Accrescent. They'd publish rebranded apps with rebranded package names.

secrec

Watermelon Yeah but whereas it's only theoretical on other app stores, on F-Droid it's a real issue.

Actually, its real issue ELSEWHERE, not on F-Droid. There is and has always been TONS of malware published on google store. Including right now.

Carlos-Anso

secrec There is and has always been TONS of malware published on google store.

While it is the case that theres been a lot of malware published on the Play Store, which is hardly surprising as most Android apps are published there, it is also true that Google has progressively increased measures over the years to counter malware publication.

The topic needs to be approached with a certain amount of nuance. People will have differing opinions.

Its certainly the case that installing apps from any source should be approached with some care. Best to spend some time checking out the app, or stick to apps, or app developers which are known to have a good reputation. Also should take care what data you share with an app.

Ive deleted a load of posts above where there was some disagreements between people which was producing an unproductive conversation. Would be appreciated if people could refrain from making such posts.

secrec

Watermelon the apps you install from F-Droid are signed by F-Droid rather than the developer

Interesting thing to point out, because the owner of the signature can be very misleading. Google allows developers to upload their own signing keys to google servers so that google applies the signatures.

Let me make that extremely clear: Even though an application has the developer's own signature, IT MAY NOT HAVE BEEN SIGNED BY THEM.

K8y

Watermelon Every app you install from F-Droid can be malware, and every legitimate app you've already installed from F-Droid can be turned into malware with a rogue update. For example, if you've installed Aegis from F-Droid, a rogue update can make Aegis show a screen like "Aegis needs to test your connection to determine if cloud backups are possible.

Yes I think something similar happened to me where I downloaded Session from F-droid and a few months later I got a message box that popped up while I was in Session that said it was from F-secure and that a threat was detected. It felt suspicious since I don't know F-secure nor downloaded it, so I just closed the window instead of clicking " accept ".

This was before I had Graphene. I wonder if Graphene would have actually never even allowed that message box to pop up, even if I still use Fdroid...?

Watermelon

K8y F-Secure is a name of an antivirus that has nothing to do with F-Droid. Antivirus apps can pop a window like that over other apps you're using if you grant them the "Display over other apps" special permission and perhaps also the Accessibility service permission. Both of these permissions are incredibly dangerous and I don't recommend granting them to any app unless absolutely necessary. You can still use an anti-malware scanner like Google Play Protect, they should still be able to scan and notify you if you have malware, but they won't be able to block you from opening the app if you don't give them these two permissions (this shouldn't be an issue because 1. you'll probably see the notification from the anti-malware scanner, and 2. all apps are denied all permissions by default so there's practically no harm they can cause when you first open them and haven't given them your personal info or any permissions). These permissions can be seen here: Settings app –> Apps –> Special app access –> Display over other apps. And: Settings app –> Accessibility –> (if any third-party requests Accessibility service permission its name would appear under a "Downloaded apps" heading at the top, and the subtext would say either "on" or "off" if it's granted or revoked). (Note that if you ever give an untrusted app the "Display over other apps" special permission, you can't really revoke this permission because there's no guarantee you're revoking the permission, because the app can mess with what you're seeing on your screen. And the same thing might apply to Accessibility service permission. So if you want to revoke the "Display over other apps" special permission, I recommend you to boot into Safe Mode which temporarily disables all third-party apps, so you can revoke the permission and know that no other app can mess with what you're seeing. You can't revoke Accessibility service permission in Safe Mode, however you can disable or uninstall the app you granted it to. To enter Safe Mode, restart your phone and don't unlock it after restarting, then hold the power button for about 30 seconds to force your phone to restart and release the power button, then when you see the Google logo start holding the volume down button and don't release it until you feel a vibration. (This also ensures that no app can show you a fake animation that your phone looks like it's restarting or fake that you're in Safe Mode. By holding the power button physically and entering Safe Mode with the physical volume down button, you're ensuring that the phone restarts and enters Safe Mode and no third-party app can fake it.) To exit Safe Mode, just reboot as usual.)

There's two kinds of harm that malware could cause on Android/GrapheneOS:

It can try to exploit vulnerabilities in your OS, or in the drivers or firmware, to grant itself access and privileges that it shouldn't have. GrapheneOS makes this extremely difficult to do in the first place, and the firmware and drivers on Pixels should also be much better than other devices, and you can keep your OS and drivers/firmware all updated if you install GrapheneOS updates regularly, and you can restart your phone to ensure that your phone reloads the OS from a clean state again, or restart into Safe Mode using the instructions I gave above to disable or uninstall any app you think is malicious.
It can try to abuse the permissions you give it. This is not something that GrapheneOS can prevent, but GrapheneOS certainly gives you more granular permissions which help to limit the damage. But there's things it simply can't prevent, for example if you use a third-party gallery app and grant it access to all your photos, and this app then encrypts all your photos and demands a ransom, this isn't something GrapheneOS can prevent or detect. What might be able to detect this is an anti-malware scanner like Google Play Protect. You can keep Play Protect enabled and make sure it scans apps downloaded from third-party sources in the Play Protect settings, and if you install an app from outside the Play Store then run a scan with Play Protect, and it might be able to detect that the gallery app is ransomware. Also be careful with what permissions you give to apps.

Watermelon

K8y Watermelon Also I forgot to say, if you installed a rogue version of Session then it doesn't need any permission to steal your messages and what you type into Session, because it doesn't need permission to access what it already has access to. This falls under the second type because the malware plays by the rules and permissions it has rather than exploiting the OS as the first type I mentioned does. Just be careful where you install Session from. Make sure to install Session from its official source that's not F-Droid and you should be okay. If you installed Session from another source and want to make sure it's authentic, install Accrescent from the GrapheneOS App Store, then install AppVerifier from Accrescent, then open it and go to the app list and search for Session, then copy the following text and in AppVerifier tap on "paste from clipboard" and see if it matches what I have:

network.loki.messenger
F2:A0:EC:F7:06:86:44:7D:1D:6C:6C:BB:F5:8C:42:89:05:00:CC:F4:1A:F3:72:AE:20:99:30:39:80:82:4E:DD

This should correspond to the version of Session in their official APK download and the version in their F-Droid repo.

K8y

Watermelon thank you!

GrapheneOS

ryrona App stores distributing developer signed builds can't make malicious updates themselves though, only malicious fresh installs.

secrec

GrapheneOS App stores distributing developer signed builds can't make malicious updates themselves though, only malicious fresh installs.

On play store you CAN'T TELL if its actually signed by the developer, or just the developer's signature was added by google.

Also, on play store, you need to trust every developer, plus google themselves (they are not trustworthy). That's a lot more trust than needed on F-Droid, where you need only trust F-Droid - they provide source code packages matching the published builds, so you can audit the code yourself and don't need that layer of trust. Just that F-Droid built and published that actual code.

Watermelon

secrec On play store you CAN'T TELL if its actually signed by the developer, or just the developer's signature was added by google.

As far as I know, Google has turned off the ability to publish APKs on the Play Store that aren't signed by a private key that Google doesn't have access to.

secrec Also, on play store, you need to trust every developer, plus google themselves (they are not trustworthy). That's a lot more trust than needed on F-Droid, where you need only trust F-Droid

That's not true, the GrapheneOS project account said how badly F-Droid check the apps they publish.

secrec you can audit the code yourself

Nobody does that

GrapheneOS

secrec This is not true. You also have to trust the developers. Being able to review the source code is meaningless since no one does that and even if they did it would not provide any assurance of not having malicious code since in reality reviewing the code doesn't find all vulnerabilities and it's a ridiculous to claim that it would.

GrapheneOS

Watermelon

Nobody does that

Extensively reviewing / auditing the sources doesn't result in finding all accidentally introduced vulnerabilities let alone ones which were carefully hidden. It's ridiculous to make the claim that it does. Linux kernel has hundreds of serious vulnerabilities found each month and a large portion are very old. Some are many years or even decades old. How exactly is people reviewing the sources meant to avoid trusting the developers? It has no bearing in reality.

Watermelon

GrapheneOS FWIW I never claimed I want an app store that audits apps that I want to use but suspect that they're malware. I think that's ridiculous. If I'd truly suspect an app to be malware, I'd avoid it. Google Play Store reviews and scans apps, and Accrescent (from what I've heard) also does or aims to do that. Unless it's a thorough security audit (and even then what you said still applies), it's good as another defence but not something to rely on. I don't blindly install apps from Google Play Store because Google reviews and scans the apps on it. EDIT: And I certainly don't give every app every permission it asks for.

Do or have people blindly install(ed) apps from F-Droid thinking that they must be malware-free because F-Droid must be reviewing them?

horde

other8026

So if F-Droid doesn't actually protect us from malicious developers (or any other kind of bad code in our apps), then what is it there for?

If that's what you are looking for, then you won't find any, including Accrescent. F-Droid is FOSS app store that lists only open source apps that are free of tracking.

graphy22

So, what do we do? I have been using droidify to install apps, is it problematic too?

ryrona

graphy22 So, what do we do? I have been using droidify to install apps, is it problematic too?

Only you can decide what to do, or what is best for your situation. I have chosen to use F-Droid as my primary app store, even after having taken into account all criticism against it. I am not happy with that, but there are no realistic alternative for me in my threat model.

jem

ryrona After reading many opinions, I arrived to the same conclusion.

F-droid, with all its drawbacks, allows me to be confident enough that the app installed is a build corresponding to the published source code.

It's true that each app code is very probably not manually reviewed, but if a developer introduces malicious code in an F-droid app, at least there will be a clear proof in the F-droid tarball history. Not that this is a solution, but I bet most people won't want to damage their reputation like that. It's more difficult to release a version with hidden malicious code in F-droid and remain unnoticed for long.

Another advantage that I see in F-droid is that, if an app stops being open source (for example, if the developer sells it), future non-free versions won't reach F-droid. But I assume that Google Play will happily continue releasing new versions of the app, even if the app is not open source any more (please, correct me if I'm mistaken about this).

Nevertheless, I hope F-droid will improve its security to a higher level. But I don't see any better alternative for me right now.

This is based on what I've read so far. Please, correct me if I'm wrong with something.

GrapheneOS

jem

but if a developer introduces malicious code in an F-droid app

It is far more likely that F-Droid does it, and considering their involvement in underhanded attacks on the GrapheneOS project and community, they may choose to specifically target GrapheneOS users with it. This is not an unlikely scenario particularly considering the kind of behavior they've engaged in from cover ups of security vulnerabilities to targeting security researchers and others with harassment for talking about them.

ryrona

jem But I assume that Google Play will happily continue releasing new versions of the app, even if the app is not open source any more (please, correct me if I'm mistaken about this).

Yes, they would. Actually, all other app stores other than F-Droid are fine with apps containing closed source components or being fully closed source. Even Accrescent, unfortunately.

GrapheneOS It is far more likely that F-Droid does it, ..., they may choose to specifically target GrapheneOS users with it.

No, they would not.

The reason to use F-Droid is very specifically because they would be the ones that would never do anything like that. Doing something like that goes against everything the open source culture stands for. It is the proprietary apps and app stores we worry would do things like that. It is the proprietary operating systems and apps that are routinely violating user privacy and freedoms, both because of being mandated to do so by policies or law, or out of free will.

This is a very serious allegation you are making.

GrapheneOS This is not an unlikely scenario ...

Yes. It is far far more unlikely they would do that than that Google would do that, just to mention one thing.

GrapheneOS ... particularly considering the kind of behavior they've engaged in from cover ups of security vulnerabilities to targeting security researchers and others with harassment for talking about them.

mushix99 Are there sources to read more about this?

Yes, please do backup these statements with sources.

It is one thing arguing about F-Droids general lack of security, which I think most of us can agree with after just taking a brief look about how they are doing and handling things. It is another thing entirely to claim they are acting maliciously and have malicious intentions, something of which I have seen absolutely zero signs of.

« Previous Page