F-Droid security in simple words

Watermelon

dawt Just use work profile/private space?

User profiles (including Private Space and work profiles) share all packages. Each user profile has some selected apps linked into it from all the packages installed on the system, but you can't install different packages with the same package name (even if the signing certificate is identical) on different user profiles.

dawt my point is that it's a marginal benefit

Depends which app, and which kind of user.

dawt Take for instance, the recent xz compromise

That's an awful example, sorry. It was barely caught!

dawt which was only on the release artifacts but not the original git

As far as I remember, this was one of the things that raised the alarm about it — if true, then if the backdoor had been added to the source code instead of only the builds, it would've been stealthier.

lackofhumor

Watermelon that Google has access to the private signing key

I don't think Google has access to any private key from developers, or am I missing something?

Watermelon

lackofhumor I don't think Google has access to any private key from developers

They do, for all apps created since August 2021 if I'm not mistaken, and optionally for prior apps if the app developer chooses. There's no way for you to see which apps have this (except maybe checking the first release date in the app description, but this date can be later than the creation date on the Play Store for apps that have/had an early access program, and there's no way to see which apps had had such a program). See here:

WAU3604 https://developer.android.com/studio/publish/app-signing

lackofhumor

Watermelon
As far as I can read from the source you provided, every developer signs their apk (or build) with their private local key (upload key), and only then they upload the signed app/build.

Google will use another key (not given to the developer) before publishing it, but that is not the same signing key.

Am I missing something?

de0u

lackofhumor Empirically, if I install mullvad (just to name an app) from their website, I am able to update it from the play store (and vice versa) because it has been signed with the same developer key.

As documented on Google's site, and as mentioned earlier in this thread (Watermelon) at present the Play store allows authors of apps that were registered before August 2021 to continue using the legacy keys controlled by the app author.

Retiring the legacy author-controlled keys would require Google to change the package manager (presumably to accept either a signature from the key from the first installation or from a Google key). That would not be a lot of code.

de0u

lackofhumor The result is that every APK served by the Play store is signed by a key Google knows. So if Google hypothetically wants to issue an APK that the developer did not build, that could be signed too. Or even hypothetically somebody who breaks into Google could get APK signing keys for some apps and publish fake versions of those apps on APK web sites.

There is some metadata in APKs that involves the app author's signing key, but it's not clear to me who checks it: https://developer.android.com/guide/app-bundle/code-transparency

Watermelon

lackofhumor you provided

(Not I provided it)

Eumenia

dawt Of course it is. You can run both variants of the same app side by side and compare the settings for both, and compare your permissions and notification settings for both. With F-Droid, maybe take screenshots? And onve you switch away from the F-Droid build, if you forgot to copy anything, good luck, your data is gone. This is assuming no export function exists in the app.

Never put data you are not totally fine with losing in apps that doesn't have an backup/export function or some other method to make the data independent of your apo instance.

de0u Indeed, an overall status/dashboard page is what I was curious about.

This would be very cool.
Maybe someone could write a Python script that fetches the reproducibility information from all apps and creates a static.

lackofhumor

de0u So if Google hypothetically wants to issue an APK that the developer did not build, that could be signed too.

I fail to understand this part, can you explain this a little more please?

Empirically, if I install mullvad (just to name an app) from their website, I am able to update it from the play store (and vice versa) because it has been signed with the same developer key.

If Google decide to publish a rogue version of the app, will it update anyway?
It seems to me that this breaks the first signature and shouldn't be possible, or am I missing something?

lackofhumor

Eumenia The Issue with nearly all sources other then the official F-Droid repository, is that we need to put blind trust into the maintainers to compile only from source without making any malicious changes.

This cannot happen, because of signing keys.
That's why you should avoid f-droid repository in the first place, but you can accept the others (like izzyondroid).

Then you have reproducible builds which gives you the possibility to check that the code has not been tampered (also for fdroid repo), but this requires manual verification and it's not embedded in the checks the OS does when you uodate an app.

Eumenia

lackofhumor Eumenia The Issue with nearly all sources other then the official F-Droid repository, is that we need to put blind trust into the maintainers to compile only from source without making any malicious changes.

This cannot happen, because of signing keys.
That's why you should avoid f-droid repository in the first place, but you can accept the others (like izzyondroid).

The developer could compile anything he wants and sign it with his key.
Nothing about app signing is preventing this.
Reproducibility gives everyone the option to compile the exact same binary out of the source code to check if the hash match.

Watermelon

lackofhumor Empirically, if I install mullvad (just to name an app) from their website, I am able to update it from the play store (and vice versa) because it has been signed with the same developer key.

Developers can publish APKs signed with the key that Google has access to. Or even copy the APK from Google Play to a backup location (e.g. their website).

lackofhumor If Google decide to publish a rogue version of the app, will it update anyway?

If the app you installed is signed with the key Google has access to:

If you last installed/updated the app from Google Play, then yes.
If you last installed/updated the app from somewhere other than Google Play, then it would require your explicit confirmation, but it would be accepted if you agree to update. (Take in mind that many people/sites copy the APK from Google Play and publish it elsewhere, so unless you're updating directly from the app developer's official source (e.g. their website), you can't really know if the APK is a rogue update from Google. Being able to update apps from any source while knowing they're still the authentic version created by the app developer is an Android security feature, which Google is ruining.)

Otherwise, no.

lackofhumor

de0u
You are right (both of you, also @Watermelon ), I dug better in the documentation, and indeed, Google has the private part of the signing key.

I am in shock, even if this thing is already 5 years old, I discovered it just now, and for straight two days I wouldn't believe of what I was reading, literally.

I apologize for spreading misinformation in this thread (if any) for what concerns apk signing, I cannot edit my previous posts, but hopefully people will read the whole thread and figure the bad part.

I guess we will accept (as if we had choice lol) that Google’s threat model assumes "Someone will notice" and don't do shady stuff, even if I always consider that a company could not only be malicious, but also compromised and most important, coerced to do things.

If we take into account that Google is responsable for the whole Play’s existing dynamic delivery infrastructure , I can see how a government agency could issue secret orders to modify an apk per geography, per account type or per Android version.
This is not mere science fisction, it’s exactly the threat model behind supply-chain attacks, hardware root-of-trust debates and zero-trust architectures.

I am not saying they are doing it, just that it's thecnically possible to do it.
Let's hope it stays just theoretical and never breaks into practice.

Watermelon

Eumenia The developer could compile anything he wants and sign it with his key.
Nothing about app signing is preventing this.

(Okay, let's move on to the next point:)

Eumenia Reproducibility gives everyone the option to compile the exact same binary out of the source code to check if the hash match.

How does this address your previous point? There is a logical fallacy here. Reproducibility doesn't mean the developer hasn't added malicious source code. Checking the hash means nothing.

Furthermore, do you do any cryptographic checks on the source code at all? If that's even possible to do with the source code, because not all app developers would sign it, whereas APK signing is mandatory on Android as an OS feature. How do you know that the source code you download is the source code that everyone else downloads? How do you know the source code hasn't been tampered between the developer and your device?

And you still don't get any benefit from having the source code if you can't completely understand it, and then you'll still have to obsessively read a shitton of source code for a shitton of apps (not to mention the operating system, web browser… good luck with that) and read all the changes of all future updates, and read the source code of your compiler because you're gonna need it to build all of this stuff, then build it, compare it to your reproducible installed version, and then you can relax… until the next update. Have fun reading source code like a maniac, I guess. Or entrust an all-knowing third-party like F-Droid to read and understand all the million lines of source code thrown at them, right? But how do you know you can trust them? What if today you agree with them, but tomorrow they say something controversial about politics or something, and suddenly you don't trust them anymore? Even GrapheneOS doesn't audit AOSP entirely like obsessed maniacs, they rely on Google's mature development processes, a certain level of competence and integrity they expect from a big tech company, and of course: everything is still sandboxed. So whom would you give the task of constantly reading and completely understanding mountains of source code of all of your apps? The OS has the features to make apps secure: sandboxing, mandatory app signing, app stores, etc. The question is why the obsession with source code for security? It's nice and all, it increases trust, but it isn't a security feature. It's the reason why I don't feel bad at all for subscribing to the security preview releases of GrapheneOS.

Eumenia

Watermelon How does this address your previous point? There is a logical fallacy here. Reproducibility doesn't mean the developer hasn't added malicious source code. Checking the hash means nothing.

It seems lime you don:'t even unterstand what reproducibility means, so I explain it for you:

Download the official binary
Download the source code of the commit state the binary was compiled from
Compile the source code the same way the developer as done it (for this you need a reproducible build)
Add the additional metadata (like the signature) or skip it in the hashing process
Hash both your downloaded binary and the binary you have compiled yourself.

At the end you have verified that the official binary corresponds to the official source code.

Watermelon If that's even possible to do with the source code, because not all app developers would sign it, whereas APK signing is mandatory on Android as an OS feature. How do you know that the source code you download is the source code that everyone else downloads? How do you know the source code hasn't been tampered between the developer and your device?

Normally open source projects include the source code as .zip/.tar.gz in the releases and if they publish hashes of the binaries, they also publish hashes if the source code.

Watermelon

Eumenia It seems lime you don:'t even unterstand what reproducibility means

I don't think so.

Eumenia At the end you have verified that the official binary corresponds to the official source code.

Congratulations, you have achieved nothing. You know the binary corresponds to the source, but you know nothing about the source. Now what.

Eumenia Normally open source projects include the source code as .zip/.tar.gz in the releases and if they publish hashes of the binaries, they also publish hashes if the source code.

Are these .zip/.tar.gz/hashes signed? Are source code commits signed? If not, you're basically trusting the repository's host to not be compromised. And you still can't practically read and completely understand all source code of all apps.

de0u

Eumenia At the end you have verified that the official binary corresponds to the official source code.

I wonder how many users of this forum have done that...

For the current version of all APKs currently installed on a device, or even
Ever, for any version of any APK installed on a device.

By no means am I suggesting that reproducible builds are a bad idea! But to for people to actually be protected by them, some people need to be checking.

Eumenia

Watermelon Are these .zip/.tar.gz/hashes signed? Are source code commits signed?

If the developers care aboutsecuirty, , then they will sign it.
Signing is so easy to do, even without a CLI, that everyone who is not totally tech literate can do it

Eumenia

de0u

de0u I wonder how many users of this forum have done that...
For the current version of all APKs currently installed on a device, or even
Ever, for any version of any APK installed on a device.

By no means am I suggesting that reproducible builds are a bad idea! But to for people to actually be protected by them, some people need to be checking.

The idea behindert reproducible builds is not that everyone compiles everything from source, if you would do this, then reproducible builds wouldn't really matter.
The idea is that anyone can check for everyone.

And achieving at least 3 independent compiling parties for each release is not so difficult.
For example: If you build a reproducible apk yourself and then upload it to F-Droid, F-Droid will try to recompile your build for every release before pushing it, you could do the same with IzzyonDroid, who also recompile every build that is marked as reproducible.
Then you have 3 compiling parties:

Yourself
F-Droid
IzzyonDroid
And if course everyone who wants to can compile themself to check the reproducibility.

Note: If you make your build reproducible yourself, F-droid will allow you to keep the private signing key by yourself and just copy your signature. So making your build reproducible also solves the main critique point of F-Droid.

de0u

Eumenia The idea is that anyone can check for everyone.

That indeed is an idea.

Is it happening?

Eumenia

de0u That indeed is an idea.

Is it happening?

As I desribed its very easy to get reproduction by at least 3 parties

« Previous Page Next Page »