Hi,

I would like to know how you would verify an APK before actually installing it. From what I can tell, there's no official GnuPG app available for Android. The Play Store version of "Termux" (which should include gpg) is outdated and not really recommended for use anymore.

Would you recommend "Openkeychain" instead or is there an even better alternative?

I'm using a Samsung A52S with stock ROM btw.

Thank you.

Molasses changed the title to Properly verifying APKs before sideloading them.

Not exactly what you asked, sorry... But kind of related... You can install an app for the first time via a trusted channel like Google Play.... In another profile.... Then the trust-on-first-use thingie kicks in and you can update or install into other profiles from any source you like, and the OS guarantees it's signed by the same dev key.

I don't know if this exactly answers your question, but there is the program classyshark3xodus (https://f-droid.org/fr/packages/com.oF2pks.classyshark3xodus) which displays the certificate and fileSum fingerprints for each application (installed or not). The program also allows you to view the known trackers of an application (provided by Exodus).

The proper way to verify an APK is to get the fingerprint of the certificate from a trusted source (preferably one that isn't published where the APK is hosted so you mitigate the risk of a single point of failure). Then, with apksigner (instructions to install may depend on your OS), run:

apksigner verify --print-certs --verbose my_app.apk

Then proceed to compare the fingerprints.

Modern APKs should use a proper signature scheme and they don't work with legacy tools such as GPG. It's true that F-Droid additionally signs them this way, but this doesn't mean that's a useful thing. In fact, GPG would be a clearly inferior solution because it suffers from numerous issues.

There might be third-party apps to do that directly from your phone, but I can't vouch for any at the moment. Also, it could be something GrapheneOS might look into in the future, so stay tuned.

As you may already know, Android pins the certificate upon the first installation of an app and enforces a signature check for app updates, so you should only bother doing that for first app installs.
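As an added illustration (not code from this thread or from apksigner itself), the stand-alone Python below performs the same check the apksigner command does: it locates the APK Signing Block that v2/v3-signed APKs carry just before the ZIP central directory, extracts each signer's DER certificate, hashes it with SHA-256, and compares the result with a fingerprint obtained out of band. `build_test_apk` and the placeholder certificate bytes are constructed only so the script runs offline; a real APK would be read from disk.

```python
import hashlib, struct
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A   # APK Signature Scheme v2 pair ID
EOCD_SIG = 0x06054B50      # ZIP end-of-central-directory signature

def _lp(b):  # uint32 little-endian length prefix, used throughout the v2 block
    return struct.pack("<I", len(b)) + b
def _split_lp(buf):
    """Split a sequence of length-prefixed items into their payloads."""
    items, pos = [], 0
    while pos < len(buf):
        (n,) = struct.unpack_from("<I", buf, pos)
        items.append(buf[pos + 4:pos + 4 + n])
        pos += 4 + n
    return items

def signer_cert_fingerprints(apk):
    """SHA-256 hex digest of each v2 signer certificate (what apksigner prints)."""
    eocd = apk.rfind(struct.pack("<I", EOCD_SIG))
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    size, magic = struct.unpack_from("<Q16s", apk, cd_offset - 24)
    if magic != APK_SIG_BLOCK_MAGIC:
        raise ValueError("no APK Signing Block: APK is not v2/v3 signed")
    pos, end = cd_offset - size, cd_offset - 24  # pairs sit between the two size fields
    fps = []
    while pos < end:
        pair_len, pair_id = struct.unpack_from("<QI", apk, pos)
        value = apk[pos + 12:pos + 8 + pair_len]
        if pair_id == V2_BLOCK_ID:
            for signer in _split_lp(_split_lp(value)[0]):
                signed_data = _split_lp(signer)[0]   # then signatures, public key
                certs = _split_lp(signed_data)[1]    # digests, certificates, attributes
                fps.extend(hashlib.sha256(c).hexdigest() for c in _split_lp(certs))
        pos += 8 + pair_len
    return fps

def matches_trusted(apk, trusted_fp):
    """Compare against a fingerprint obtained out of band; colons/case ignored."""
    return trusted_fp.replace(":", "").lower() in signer_cert_fingerprints(apk)

def build_test_apk(cert_der):
    """Constructed minimal [signing block][empty central dir][EOCD]; cert_der is a placeholder DER blob."""
    signed_data = _lp(b"") + _lp(_lp(cert_der)) + _lp(b"")      # digests, certs, attrs
    signer = _lp(signed_data) + _lp(b"") + _lp(b"")             # signatures, pubkey left empty
    v2 = _lp(_lp(signer))
    pair = struct.pack("<QI", 4 + len(v2), V2_BLOCK_ID) + v2
    size = len(pair) + 8 + 16                                   # bytes after the first size field
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    return block + struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, 0, 0, 0, len(block), 0)
```

The script only extracts and compares certificates; it does not validate the signatures over the APK contents, which apksigner does in addition.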

@DeletedUser115 & @p1x13

Thanks for your input, but what you describe would still require me to "blindly trust" an APK (just a different one first) and I want to avoid that.

@Wonderfall

Cool, that's pretty much it. Thank you.

So another device (PC) will be necessary after all for the first verification. No problem.
If a more convenient solution is in the works, I can only welcome that. The Camera & PDF Viewer apps are already pretty useful.

If nobody objects, I would pick the droid-ify APK directly from GitHub instead of the vanilla F-Droid Store APK and call it a day. That seems to be recommended here from what I can tell.

In the future GrapheneOS wants to make it easier to check the app certificate's fingerprint, and could eventually provide a database of known-good fingerprints to strengthen the trust for first-time app installs.


In that case you're trusting the web PKI. Depending on your threat model, it should be fine, as long as you make sure to use HTTPS and that you don't download from a shady source. It's totally fine for app updates.

F-Droid isn't ideal either as it suffers from several issues, and ideally the app repository would implement advanced security features like certificate pinning and proper repository signing.

    Thanks again.

    After reading your blog post, it seems to be worth putting in more effort by manually installing/updating the apps instead of relying on the current implementation of the F-Droid infrastructure.

    I also use Hash Checker to make sure the .apk matches the published SHA256 hash provided on a GitHub releases page.

      Please keep in mind that when using a desktop OS to verify .apks, you're using a less secure platform to create a chain of trust whose endpoint (the GrapheneOS phone) is the more secure platform. This is not desirable from a security standpoint.

      The better option is to check the fingerprint on-device, using an app from a trusted source. Since this also generates a chain of trust problem, the ultimate solution, as mentioned by Wonderfall, will be a fingerprint tool/checker built into GrapheneOS (which is an open issue: https://github.com/GrapheneOS/os-issue-tracker/issues/211).

        MetropleX DigitalSoup

        Absolutely.

        Verifying checksums for data integrity (if provided by the dev) and checking unknown files or websites with VT is what I do as well.

        alex

        Sure, but that's pretty much the only choice I've got right now, other than refraining from sideloading altogether. I don't want to buy a Pixel 6 (Pro), maybe the upcoming Pixel 7 or 8 (Pro).

        Would it make sense to package that "fingerprint authenticator" into an app for the Play Store as well? I mean, the Auditor app that verifies the entire GrapheneOS installation of a connected phone is there as well.