Since immersing myself in the GrapheneOS sphere, I keep coming across the claim that (as I understand it) the Install unknown apps permission is only meant to be requested by apps that obtain their installation files from a single source, or at least only sources controlled by a single entity (i.e. stable and beta repositories). If I'm misunderstanding, I hope someone can clarify.
Two examples:
[Package manager being discussed] doesn't follow the intended app source model correctly. Enabling an app source is not meant to enable installing from more than one source (..)
https://discuss.grapheneos.org/d/4374-does-google-play-store-update-apps-automatically-without-user-input/2
(..) having other repositories in a single app also violates the security model of Android which was not designed for this at all. The OS expects you to trust an app repository as a single source of apps, yet [package manager being discussed] isn't that by design as it mixes several repositories in one single app.
https://privsec.dev/posts/android/f-droid-security-issues/#5-general-lack-of-good-practices
Yet I can't find a single authoritative source that substantiates this claim. Every time Android and its documentation use the word source in this context it refers to the package requesting the permission, not the source of the APK they want to install. E.g.
For your security, your phone currently isn’t allowed to install unknown apps from this source. You can change this in Settings.
It specifically talks about “unknown apps”, i.e. Android doesn't and won't know where they originate from. Moreover, Vanadium and Files—and indeed any web browser and file manager—request this permission while obtaining APKs from a theoretically limitless number of sources. As do apps like App Manager (app management), Termux (terminal emulator), LocalSend (file sharing) and ReVanced (app patcher). Clearly, you're being asked if you trust these apps enough to give them permission to initiate installations on your behalf.
So why is it "not following the intended app source model correctly" and "violating the security model of Android" when an app like Obtainium or Droid-ify does it?
If the permission is intended to apply to a repository instead of an app, why do I need to grant it per app (e.g. when I have multiple apps that use the same repository) instead of per repository?
It doesn't really make sense to me. Can anyone explain?