F-Droid security in simple words

Watermelon

Eumenia Then you have assurance that the binary you are using is the result of the official source code and that F-Droid hasn't added anything

I have no use in matching built form apps to their source code if I don't check their source code anyway (and I'm not gonna do any of this for all apps/updates every time)

Eumenia

Watermelon I have no use in matching built form apps to their source code if I don't check their source code anyway (and I'm not gonna do any of this for all apps/updates every time)

Not everybody has to do this everytime.
But anybody can do it at anytime, and therefore F-Droid can't hide malware inside the binaries

Watermelon

Eumenia anybody can do it at anytime

Not for an app with a modest amount of code.

Eumenia F-Droid can't hide malware inside the binaries

I believe it was discovered that people can upload APKs that would be accepted for serving by the F-Droid server, despite not matching the source code linked in the F-Droid page of the app. Don't quote me on that, though.

gMan

GrapheneOS It is far more likely that F-Droid does it, and considering their involvement in underhanded attacks on the GrapheneOS project and community, they may choose to specifically target GrapheneOS users with it. This is not an unlikely scenario particularly considering the kind of behavior they've engaged in from cover ups of security vulnerabilities to targeting security researchers and others with harassment for talking about them.

absent sources, which were asked for 10 months ago, this sounds like paranoia

SilverCat38

Does this apply to droidify as well?

gMan

SilverCat38 Does this apply to droidify as well?

Droid-ify is just another front-end for the F-Droid apps repo, so if you're asking if exploited apps from F-Droid would be caught by Droid-ify, i believe the answer is no

Eumenia

GrapheneOS It is far more likely that F-Droid does it, and considering their involvement in underhanded attacks on the GrapheneOS project and community, they may choose to specifically target GrapheneOS users with it. This is not an unlikely scenario particularly considering the kind of behavior they've engaged in from cover ups of security vulnerabilities to targeting security researchers and others with harassment for talking about them.

In reproducible builds, this could be discovered quickly and then it would be clear that F-Droid did it, which would ruin their entire project and maybe also put them behind bars (intentionally spreading malware is a felony crime in most of the world)

lackofhumor

GrapheneOS
Eumenia
SilverCat38
gMan

Throwing out some ideas.
I would like someone to challenge these ideas, please.

I'd like to underline (as someone already said) that the first store we have in GOS is the official App Store to install/update the applications mantained from the GOS dev team.

Why is this working? Because over time the developers gained our trust, so much that I suspect (almost) none of us actually go and see the diff of every update.

The only fact we are using GOS is based on trust.

So, suddently trust become a big part of our deciding factors.
This trust must be gained and maintained over time.
If trust is lost, people will stop to update/use/install software.

The same comes with the rest of the apps.
Installing new apps directly from the developers requires us to have some trust (in the code, in the developer, in the community or something else tied to the app).
If we see things happening like the Simple suit, Organic Maps or F-Droid behaviour over time, we might lose trust and decide to not use those software anymore.

People who still decide to put trust on F-Droid in spite of their history in security practices will still use their software.
Once we understood the implication of this, we might decide that cost/benefit (in terms of effort and other things) is good enough for us.

Anyway, there are probably some middle grounds we can still consider.
For example F-Droid clients can have more than one repository, making it a little bit more secure to install (and update) apps on your smartphone.

For example if you like Molly, there is an official repo for that.
You don't like molly and prefer SimpleX? There is an official repo for that.
If you like CollaboraOffice, and so on...

The same concept applies also for larger repositories.
For example the official Guardian Project repo contains all the apps developed by the same team.

In the same way, even more broader repositories exist, like Izzy-on-droid.

These repositories are a collection of a lot of apps signed by their respective developers and allow people to install and update them.
This is the equivalent of installing the apps directly from their respective developers without giving up on automatic updates.
In my understanging, it's pretty much the equivalent of installing them with Obtainium, with the main difference being someone needs to update the repositories before you could download the update.

I would like to have your toughts on this topic to see if this middle ground is considered somewhat ok and/or if there are some pitfalls I didn't take into account.

Of course, all of these options (directly from the developers / obtainium / izzy-on-droid) require us to trust the code/dev/community and there still is the chance that evey app we use between us and the developer (obtanium / droi-ify / f-droid / aurora / play store) might mangle with the first installation.

Your chance of getting killed by a cow are low, but never zero.

SilverCat38

gMan thanks for the reply... what is the recommended way to get foss apps then ? Obtainium only? Direct apk?

gMan

SilverCat38 that's a question i can't really answer - i think that, if you're able to analyze the code, and are willing to do so for each update, then obtaining apps directly from the developer may be the better solution, especially if you tend to not install a large number of apps

i know GOS and some others here have made what sounds like a reasonable case for using the Play Store via GOS's app, but that doesn't resonate with me given that the Play Store is a huge target for malicious hackers, not to mention all the adware which i also consider to be malware

F-Droid, on the other hand, apparently has been free of (known) malware, besides the occasional adware crap, but there are what seem to be very serious concerns regarding their security and app signing practices which seems to result in a single point of failure; if F-Droid is compromised, so are all its users

i would certainly keep an eye on the Accrescent store - right now they have very few apps, but i suspect that, once they get the platform hammered out, the number may increase very quickly, but that doesn't solve the 'now' problem

final answer: beats me!

i'm not really able to read code, but i am able to get a sense of the developer(s) writing it by carefully reading whatever docs they make available and skimming through their issue/bug reports, considering how it's licensed, etc., so for me, i'm rolling the dice a bit by using Obtainium, but if you don't want to jump through any hoops at all (bad idea IMO), then my suggestion might be to go to GOS's App Store first, then Accrescent, then F-Droid, using either their minimal client app, or whatever they call it, or potentially Droid-ify

Watermelon

SilverCat38 Obtainium only? Direct apk?

Obtanium and “direct APK” are the same thing. Obtanium just automates downloading and installing direct APKs. I recommend against using Obtainium to install new apps, I could only suggest it for updating installed apps. To install new apps that aren't published on a secure app store (like Accrescent) or semi-secure app store (like Google Play Store), download and install the APK using Vanadium from an official website/repo provided by the app developer. If you do this, the first time you update the app using something like Obtainium you'd have to explicitly confirm the update to the OS, but afterwards the OS would let Obtainium do it automatically.

gMan that's a question i can't really answer - i think that, if you're able to analyze the code, and are willing to do so for each update, then obtaining apps directly from the developer may be the better solution, especially if you tend to not install a large number of apps

Checking source code to find malicious backdoors would require checking and understanding it so thoroughly that it's practically impossible to do for any app with even a modest amount of code, let alone every update of it or more than one app. You could audit the code to find honest security mistakes, but aomething that someone intentionally spent effort to hide is out of the question. And it's insane to spend so much time reading source code.

gMan i know GOS and some others here have made what sounds like a reasonable case for using the Play Store via GOS's app, but that doesn't resonate with me given that the Play Store is a huge target for malicious hackers, not to mention all the adware which i also consider to be malware

You're not supposed to blindly trust any app store. Accrescent being a secure app store isn't meant to be a guarantee that all apps offered on Accrescent are 100% free of backdoors. The review process when an app/update is accepted into an app store, and the user-provided reviews and ratings and other info on the app store listing, all help to let you determine if the app is safe to download.

gMan F-Droid, on the other hand, apparently has been free of (known) malware, besides the occasional adware crap, but there are what seem to be very serious concerns regarding their security and app signing practices which seems to result in a single point of failure; if F-Droid is compromised, so are all its users

The problem isn't just F-Droid being a central point of failure, the problem is this together with them having security issues and dismissing them and doing dangerous things. While I don't believe they do it out of malice, they're at the very least incompetent, and I can't trust them for security, and I'd rather trust Google Play's review processes with dedicated employees to catch malware than them.

Another problem is F-Droid taking the same package names as the legitimate apps, preventing easy export of your data from F-Droid's unofficial builds.

lackofhumor Why is this working? Because over time the developers gained our trust, so much that I suspect (almost) none of us actually go and see the diff of every update.

The built-in App Store is special in that it helps deliver partial system updates for better security without producing a full OS update. And the only non-GrapheneOS apps on it are identical authentic mirrors, not unofficial builds signed by the GrapheneOS team. But yes, we still need to trust them.

lackofhumor In my understanging, it's pretty much the equivalent of installing them with Obtainium

Don't install new apps using neither Obtainium nor a custom repo in F-Droid. Use either a secure app store (e.g. Accrescent), a semi-secure app store (e.g. Google Play Store), or an official source (e.g. the app's official website opened in Vanadium) for the initial installation, then feel free to update it with Obtainium/custom repo/whatever else that you trust (app signatures aren't foolproof, you still want to trust where you update apps from).

lackofhumor For example the official Guardian Project repo contains all the apps developed by the same team.

The Guardian Project F-Droid repo hosts apps signed with the same signing certificate as their builds on Google Play Store, meaning that Google has access to the private signing key. How do I know? Because I installed their apps from F-Droid, but switched to updating them through Google Play Store.

Note that both Tor Browser for Android and Orbot have security issues. Tor Browser has slow updates on Android, and Orbot has known exploitable vulnerabilities as pointed out by the official GrapheneOS account here on the forum.

Eumenia The Issue with nearly all sources other then the official F-Droid repository, is that we need to put blind trust into the maintainers to compile only from source without making any malicious changes.

I don't get the thinking here. Why should I care whether an app developer that created malware for me publishes the malware's source code when I don't and can't meticulously check the source code anyway?

Eumenia With apps from the F-Droid repo, anyone can check if the binaries that are distributed by F-Droid, correspond to the public source code.
Therefore F-Droid is accountable for their binaries in a transparent way.

Firstly, accountability is good, but doesn't prevent malware. Secondly, I believe (don't quote me on this please, I'm not sure) that it was found out that F-Droid has a security vulnerability that any arbitrary APK can be accepted into being served by the F-Droid server even if it doesn't match the claimed source code. So if you don't build the source code and verify the reproducibility yourself, you have no confirmation at all that the built APK that F-Droid gives you corresponds to the source code as they say.

Eumenia If the developer themself provide a reproducible build without hard none-FOSS dependencies, then F-Droid will distribute this developer/maintainer's signed binary.

Their is nothing preventing a maintainer from just providing reproducible builds that then would be distributed by F-Droid without changes to the signature

That's good, but then what's the point of using F-Droid? Especially if what I said above is true.

Eumenia

lackofhumor

The Issue with nearly all sources other then the official F-Droid repository, is that we need to put blind trust into the maintainers to compile only from source without making any malicious changes.
With apps from the F-Droid repo, anyone can check if the binaries that are distributed by F-Droid, correspond to the public source code.
Therefore F-Droid is accountable for their binaries in a transparent way.
If the developer themself provide a reproducible build without hard none-FOSS dependencies, then F-Droid will distribute this developer/maintainer's signed binary.

Their is nothing preventing a maintainer from just providing reproducible builds that then would be distributed by F-Droid without changes to the signature.

lackofhumor

Eumenia The Issue with nearly all sources other then the official F-Droid repository, is that we need to put blind trust into the maintainers to compile only from source without making any malicious changes.

This cannot happen, because of signing keys.
That's why you should avoid f-droid repository in the first place, but you can accept the others (like izzyondroid).

Then you have reproducible builds which gives you the possibility to check that the code has not been tampered (also for fdroid repo), but this requires manual verification and it's not embedded in the checks the OS does when you uodate an app.

Eumenia

Watermelon that's a question i can't really answer - i think that, if you're able to analyze the code, and are willing to do so for each update, then obtaining apps directly from the developer may be the better solution, especially if you tend to not install a large number of apps

Reading the source code doesn't help if you can't verify that the binary corresponds to the source code.
Therefore we need reproducible builds and if the developer doesn't care, then F-Droid is the only option to get them.

Watermelon Checking source code to find malicious backdoors would require checking and understanding it so thoroughly that it's practically impossible to do for any app with even a modest amount of code, let alone every update of it or more than one app. You could audit the code to find honest security mistakes, but aomething that someone intentionally spent effort to hide is out of the question. And it's insane to spend so much time reading source code.

This depends on the code's architecture.

dawt

Watermelon Another problem is F-Droid taking the same package names as the legitimate apps, preventing easy export of your data from F-Droid's unofficial builds.

Having a different package id isn't going to make import/export easier either. At it prevents confusing errors when trying to update from another source.

Watermelon Use either a secure app store (e.g. Accrescent)

What makes Accrescent "secure" over something like f-droid? The only difference seems to be that it verifies the package certificate prior to install, but if it's just verifying that against whatever the server returns then it's not meaningfully more secure. If the server can return a backdoored apk it can also return an updated certificate.

Watermelon The Guardian Project F-Droid repo hosts apps signed with the same signing certificate as their builds on Google Play Store, meaning that Google has access to the private signing key. How do I know? Because I installed their apps from F-Droid, but switched to updating them through Google Play Store.

This isn't indicative of anything because play store allows developers to sign with their own keys.

Watermelon I don't get the thinking here. Why should I care whether an app developer that created malware for me publishes the malware's source code when I don't and can't meticulously check the source code anyway?

It's not meant to be foolproof, only raises the bar for the attacker.

lackofhumor

Watermelon that Google has access to the private signing key

I don't think Google has access to any private key from developers, or am I missing something?

de0u

Eumenia Reading the source code doesn't help if you can't verify that the binary corresponds to the source code. Therefore we need reproducible builds and if the developer doesn't care, then F-Droid is the only option to get them.

To be honest, I haven't paid much attention to F-Droid and reproducible builds. I looked at the site briefly.

F-Droid's builds of the F-Droid app don't always reproduce: https://verification.f-droid.org/packages/org.fdroid.fdroid/
Since I am interested in calculator apps, I picked one semi-randomly, and it isn't reproducible: https://f-droid.org/en/packages/com.neumorphic.calculator/
I picked another one, and it is: https://verification.f-droid.org/packages/us.lindanrandy.cidrcalculator/

Is there a way to see the reproducibility status of everything on F-Droid?

Eumenia

de0u To be honest, I haven't paid much attention to F-Droid and reproducible builds. I looked at the site briefly.

F-Droid's builds of the F-Droid app don't always reproduce: https://verification.f-droid.org/packages/org.fdroid.fdroid/
Since I am interested in calculator apps, I picked one semi-randomly, and it isn't reproducible: https://f-droid.org/en/packages/com.neumorphic.calculator/
I picked another one, and it is: https://verification.f-droid.org/packages/us.lindanrandy.cidrcalculator/

I am not so deep in it so I cant be
erry tell why some binaries on F-Droid are reproducible and some aren't.
I think it's bugs in the buildserver that cause this.

Sometime the reproducibility tests
also ignores certain versions, but I don't know why at the moment.

de0u Is there a way to see the reproducibility status of everything on F-Droid?

Do you mean like a static that documents how much % of builds are reproducible?

de0u

de0u Is there a way to see the reproducibility status of everything on F-Droid?

Eumenia Do you mean like a static that documents how much % of builds are reproducible?

Indeed, an overall status/dashboard page is what I was curious about.

de0u

Eumenia As I desribed its very easy to get reproduction by at least 3 parties

To what extent is it happening?

I think a week or so ago I checked for a few random apps whether or not F-Droid felt that their build was reproducible
(de0u). What I checked was absolutely not a random sample, and absolutely was too small to draw conclusions from. But the results didn't seem overwhelmingly great to me.

Personally I was not encouraged by not finding a single inventory across the whole site of which apps do/don't have reproducible builds. But perhaps people who find F-Droid's investment in reproducible builds to be encouraging could check to see how many of F-Droid's builds are believed by F-Droid to be reproducible.

If it's hard for F-Droid to get right, perhaps that's because they aren't good at it, or perhaps it's because it's not "very easy" after all.

Watermelon

dawt Having a different package id isn't going to make import/export easier either.

Of course it is. You can run both variants of the same app side by side and compare the settings for both, and compare your permissions and notification settings for both. With F-Droid, maybe take screenshots? And onve you switch away from the F-Droid build, if you forgot to copy anything, good luck, your data is gone. This is assuming no export function exists in the app.

dawt At it prevents confusing errors when trying to update from another source.

This doesn't make sense. Other sources wouldn't detect the app as installed, because the detection relies on the package name, and F-Droid would be using different package names.

dawt if it's just verifying that against whatever the server returns

No. It verifies the signature of it from the app store's maintainers, not just transport security to the app store's servers. This is according to the features list on Accrescent's website.

dawt If the server can return a backdoored apk it can also return an updated certificate.

This is possible for every app store for fresh installation of new apps, although Accrescent also tries to fix this for the fresh installation, as I mentioned in the previous paragraph. Updates should be secure, because your OS pins the certificate of the installed apps, accepting only updates signed with the same signature (or properly rotating the signature to a new certificate). But F-Droid and Google Play destroy this security feature, because both of them sign apps at the app store, so compromising the app store (or a malicious employee at the app store) could allow to create a properly signed rogue update. Accrescent is explicitly meant to allow app developers to sign apps by themselves and keep their key private to themselves, as it should be.

dawt play store allows developers to sign with their own keys

This hasn't been true in the past five years I think. Quite ironic how Google that creates security features in Android finds ways to destroy the security value of the features they create.

dawt It's not meant to be foolproof, only raises the bar for the attacker.

All malware has source code. It'd be trivial to publish it, although I'm not sure what amount of obfuscation would be needed to survive for a meaningful amount of time before someone notices and alerts about it (enough to reach the right people to take it down or block it), which also depends on the popularity of the app and its audience. The GrapheneOS project makes a good argument that unobfuscated code that has existed for decades can have severe vulnerabilities, and this is something that happens regularly.

WAU3604

Watermelon dawt play store allows developers to sign with their own keys

This hasn't been true in the past five years I think. Quite ironic how Google that creates security features in Android finds ways to destroy the security value of the features they create.

Actually, They have a 2 Signing Key System. An Upload key for the Developers, and an App Signing Key.

Play App Signing uses two keys: the app signing key and the upload key, which are described in further detail in the section about Keys and keystores. You keep the upload key and use it to sign your app for upload to the Google Play Store. Google uses the upload certificate to verify your identity, and signs your APK(s) with your app signing key for distribution as shown in figure 1. By using a separate upload key you can request an upload key reset if your key is ever lost or compromised.

https://developer.android.com/studio/publish/app-signing

App signing key: The key that is used to sign APKs that are installed on a user's device. As part of Android’s secure update model, the signing key never changes during the lifetime of your app. The app signing key is private and must be kept secret. You can, however, share the certificate that is generated using your app signing key.

Upload key: The key you use to sign the app bundle or APK before you upload it for app signing with Google Play. You must keep the upload key secret. However, you can share the certificate that is generated using your upload key. You may generate an upload key in one of the following ways:

If you choose for Google to generate the app signing key for you when you opt in, then the key you use to sign your app for release is designated as your upload key.

If you provide the app signing key to Google when opting in your new or existing app, then you have the option to generate a new upload key during or after opting in for increased security.

If you do not generate a new upload key, you continue to use your app signing key as your upload key to sign each release.

https://developer.android.com/studio/publish/app-signing#certificates-keystores

This is from the Android documentation, which was last updated in January of 2025. So IDK if this is how it still works.

dawt

Watermelon Of course it is. You can run both variants of the same app side by side and compare the settings for both, and compare your permissions and notification settings for both. With F-Droid, maybe take screenshots? And onve you switch away from the F-Droid build, if you forgot to copy anything, good luck, your data is gone. This is assuming no export function exists in the app.

Just use work profile/private space?

Watermelon This doesn't make sense. Other sources wouldn't detect the app as installed, because the detection relies on the package name, and F-Droid would be using different package names.

You must be misinterpreting what I said. "confusing errors when trying to update from another source" refers to the situation where you have an app installed from f-droid but try to update from play store or whatever. Having a package id prevents this, and my point is that it's a marginal benefit

Watermelon Accrescent is explicitly meant to allow app developers to sign apps by themselves and keep their key private to themselves, as it should be.

No disagreement her. You do introduce the vulnerability of f-droid going rogue, but make it harder for the developer to a backdoored apk.

Watermelon All malware has source code. It'd be trivial to publish it, although I'm not sure what amount of obfuscation would be needed to survive for a meaningful amount of time before someone notices and alerts about it (enough to reach the right people to take it down or block it), which also depends on the popularity of the app and its audience.

Again, the argument isn't that it's some sort of airtight virus shield, only that it's more effort. The amount of effort to disassemble a compiled .apk is surely higher than a tarball that you can diff against prior versions. Take for instance, the recent xz compromise, which was only on the release artifacts but not the original git. Compiled .apks are one level of obfuscation on top.

Watermelon

lackofhumor I don't think Google has access to any private key from developers

They do, for all apps created since August 2021 if I'm not mistaken, and optionally for prior apps if the app developer chooses. There's no way for you to see which apps have this (except maybe checking the first release date in the app description, but this date can be later than the creation date on the Play Store for apps that have/had an early access program, and there's no way to see which apps had had such a program). See here:

WAU3604 https://developer.android.com/studio/publish/app-signing

Eumenia

dawt Of course it is. You can run both variants of the same app side by side and compare the settings for both, and compare your permissions and notification settings for both. With F-Droid, maybe take screenshots? And onve you switch away from the F-Droid build, if you forgot to copy anything, good luck, your data is gone. This is assuming no export function exists in the app.

Never put data you are not totally fine with losing in apps that doesn't have an backup/export function or some other method to make the data independent of your apo instance.

de0u Indeed, an overall status/dashboard page is what I was curious about.

This would be very cool.
Maybe someone could write a Python script that fetches the reproducibility information from all apps and creates a static.

Watermelon

dawt Just use work profile/private space?

User profiles (including Private Space and work profiles) share all packages. Each user profile has some selected apps linked into it from all the packages installed on the system, but you can't install different packages with the same package name (even if the signing certificate is identical) on different user profiles.

dawt my point is that it's a marginal benefit

Depends which app, and which kind of user.

dawt Take for instance, the recent xz compromise

That's an awful example, sorry. It was barely caught!

dawt which was only on the release artifacts but not the original git

As far as I remember, this was one of the things that raised the alarm about it — if true, then if the backdoor had been added to the source code instead of only the builds, it would've been stealthier.

« Previous Page Next Page »