Response to misinformation about our Sensors permission from F-Droid

Dumdum

cuckflared I have to trust that their personal computers are free from malware e.g. from pirated software or porn sites:D How many developers build their apps in secure environments?

That's the point of compartmentalisation. Keep things in separate baskets so if one basket becomes poisoned, only that basket needs to be thrown away and not a single basket with everything in it. In this case, uninstall/avoid only the affected apps vs. all Fdroid-installed apps.

If users can have faith that the Fdroid team (or insert any "reputable entity") can singlehandedly keep all the apps free of malware, then fair enough. But otherwise it shouldn't be a surprise for users to choose the compartmentalisation route.

There's also the ever present issue of a single entity being a much juicier target for an attack, thereby requiring even more effort to stay secure and free of malware than what may be required otherwise.

locked

cuckflared " If I understand correctly App Verifer only checks signatures but doesn't verify if binary form matches the source code.

That is correct.

p-marg

Greet read, thanks for posting!

GrapheneOS

cuckflared

At the same time, as a long time Debian user, I've always felt more secure by using packages built and signed by a "reputable" entity. I know Debian is not ideal, but at least there is some hope that the machines an OSes used to build packages are clean and not infected with malware. Of course I understand that infecting such central entity could have devastating effects.

There are a huge number of Debian packagers and many have a history of untrustworthy behavior. You're trusting an enormous group of people able to add vulnerabilities intentionally or unintentionally. Aside from that, you're only getting a subset of backported patches for vulnerabilities with CVEs which are a subset of overall vulnerabilities. Debian also has a history of introducing many vulnerabilities with downstream changes including some quite famous ones such as the Debian SSH weak key issue, but it's far from the only one. F-Droid has a similar history of doing this through using an outdated build environment and dependencies including downgrading app dependencies to ones with vulnerabilities.

But if, on the other hand, I use packages built by the developers, I have to trust that their personal computers are free from malware e.g. from pirated software or porn sites:D How many developers build their apps in secure environments?

F-Droid automatically downloads and build the code. There's no review or auditing process. They build and ship what's released. As an example, WireGuard included a self-updater in plain sight and F-Droid never noticed it even after WireGuard began using it. They found out about it from the developer talking about it.

Maybe reproducible builds and an easy way to compare the results could help solve this problem. If I understand correctly App Verifer only checks signatures but doesn't verify if binary form matches the source code.

Open source software doesn't provide the privacy, security or trust assurances you believe it does. The Linux kernel has hundreds of serious vulnerabilities found each month. A portion of those have existed for years or even decades. How would open source protect against a subtle backdoor when tons of serious vulnerabilities can survive for so long with no one making an attempt to hide them? Someone could create a similar vulnerability on purpose but hide it. How would it protect against that?

n2gwtl

GrapheneOS someone needs to rewrite the kernel in Rust. Do to Linux what was done to Unix. Make it modular and leave this kernel in the dustbin. The reason macos is so much more secure is that they are not afraid to dump backwards compatibilty and move forward with the latest and greatest.

cuckflared

GrapheneOS Thanks for your reply.

So, if understand correctly, our most important protections are fine-grained system permissions (like AOSP) that ensure that apps have minimal access to our data. Equally important are additional protections provided by a hardened OS like GrapheneOS e.g. hardened malloc which make exploiting vulnerabilities more difficult. Both open-source and closed-source applications should be confined as much as possible.

My point about reproducible builds is they allow us to be sure that binary we downloaded matches the source code, regardless of the package distributor. Of course this only means that they match, nothing else. It doesn't mean there are no vulnerabilities or back-doors in the code. But if the adversary wants e.g. to slightly weaken client-side encryption in a note-taking application with an online sync and reproducible builds, he has to work in the public repository and make sure that the commits look innocent. This requires more time and increases the chance that some developer "finds out" anyway.

Without reproducible builds I think it's easier for an attacker to make a custom build with slightly modified encryption and get away with it. Doing code analysis on the binary is much more difficult and requires coders versed with assembly or de-compilation. And observing the app at run-time might not reveal anything suspicious.

Without reproducible builds law enforcement can also force distributors to build packages with additional custom code more easily. Especially vulnerable are non-anonymous, lone open-source developers who may not be able to resist existential threats. Bigger distributors like Linux distros can defend with help of their lawyers.

Is my thinking flawed?

de0u

n2gwtl The reason macos is so much more secure is that they are not afraid to dump backwards compatibilty and move forward with the latest and greatest.

Part of the approach is refusing to run arbitrary hardware. In the Windows world there is a tussle about Windows 11 requiring 2.0 level TPM hardware on billions of machines made by thousands of companies. Apple just doesn't have that problem. They ship ~10 motherboards per year and stop supporting each one after ~7 years.

Also they don't aim for the cheap end of the market.

DeletedUser355

GrapheneOS They wrongly blamed GrapheneOS and didn't fix it:

https://gitlab.com/fdroid/fdroidclient/-/issues/2914

Jesus, so much drama... Guys are fighting for it like it's the matter of life and death. Just take a look at the gitlab thread (if you have a lot of spare time). These are just fucking apps and OSes. There are like 10 people in the world for whom such things might be a matter of life and death, but they probably don't use phones and computers anyway.

FlipSid

DeletedUser355

Thanks for the link. I had previously uninstalled F-Droid, because of issues mentioned here, but reinstalled because I needed one app I could not get anywhere else.

I'll figure out if I really need this one app.

This type of conduct is not what I expect from developers, especially the ones who spread many Apps that will be used by many people, not just one app.

GrapheneOS
Thanks for the statement 👍🏽

wizoatk

FlipSid but reinstalled because I needed one app I could not get anywhere else.

While not as convenient, it likely can also be fetched and updated with Obtainium. I strongly suspect you could scare up some help if you wanted to try that direction.

xxx

What's about sandboxed f-droid? Would that help? Or maybe more apps in the buld in store?

Xtreix

xxx What's about sandboxed f-droid?

All apps are sandboxed, F-Droid is simply not recommended.

Dumdum

xxx sandboxed f-droid?

If you mean in the same way as "Sandboxed" Google Play, then no, Fdroid is not privileged and so is not in need of the same "sandboxing" (which is of course just the regular Android sandbox that all user apps have by default, as stated by Xtreix).

xxx

Xtreix I know.

Dumdum

I mean some kind of sandboxing for this 'bad' behaving installer. I'm really unsure about this. I never had problems with f-droid but securitywise it is a mess.

de0u

cuckflared Without reproducible builds I think it's easier for an attacker to make a custom build with slightly modified encryption and get away with it.

But "get away with it" would still require tricking victims into installing and running the malware version, which seems like the hard part. If I can trick a victim into installing a bogus version I built, and the app does have reproducible builds, then what? Clearly the victim isn't checking much about the app, and it's highly unlikely that the victim is reproducing builds.

cuckflared Without reproducible builds law enforcement can also force distributors to build packages with additional custom code more easily. Especially vulnerable are non-anonymous, lone open-source developers who may not be able to resist existential threats.

If the threat model is compromised developers, I don't think reproducible builds will add a lot of value, because a compromised developer can be made to insert plausible subtle bugs and then build them reproducibly.

Reproducible builds are useful against corruption of public builds from public source, but only when a third party actually does the labor to reproduce builds. So far that is a mostly hypothetical benefit, right?

Skorp

cuckflared

Reproducible builds don't help with this. Source availability or licensing also don't really help with this.

To explain, auditing an app or service is not reliant on the source code availability or license. In many cases it is not very helpful at all. Auditing can be and is done on many closed source and/or source-unavailable apps and services.

Doing code analysis on the binary is much more difficult and requires coders versed with assembly or de-compilation. And observing the app at run-time might not reveal anything suspicious.

Code analysis of the source code can be equally troublesome as it may not be clear what specific functions do until it is actually compiled, and the actions or connections can be observed. Assuming that because something is FOSS means it is inherently more difficult to hide behaviors or that it benefits from more eyes is flawed logic because in practice we can see many cases of projects that receive little or no review.

Another resource: https://privsec.dev/posts/knowledge/floss-security/

xxx

https://bsky.app/profile/grapheneos.org/post/3lt3ov4a4k22r

I've found the post. ^^
'Due to F-Droid deliberately causing friction and annoyances for GrapheneOS users, we'll be implementing a feature similar to our sandboxed Google Play compatibility layer for it. ...'

https://bsky.app/profile/grapheneos.org/post/3lt3ov4a4k22r

cuckflared

Thanks @de0u and @Skorp for your thoughts. So there aren't many things that we can safely rely upon and no solutions on the horizon.

de0u

cuckflared So there aren't many things that we can safely rely upon and no solutions on the horizon.

Right now there is no magic "security spell" (or "privacy spell") that solves all issues if only one can find out what it is. But then again there is no single medicine that cures all kinds of cancer.

There are steps one can take to improve security and/or privacy, but each of those steps requires time, effort, inconvenience, and/or money. For example, one can refuse to run popular gigantic information-harvesting apps ... but they are popular, so one's friends and family, or one's job, might request or require some of those apps. One might purchase a separate dedicated device for each one of those apps one decides to run, but that's expensive and may be inconvenient.

Edit: there are things on the horizon. Maybe running each Android app inside a Microdroid VM would help. Perhaps the CHERI processor architecture extensions will be shipped in a mainstream phone processor (which would be an upgrade from the research implementation).