Apps: THE adoption barrier and security gap for GrapheneOS?

atmz

Hi all, new GrapheneOS user here, long time on AOSP.

Being mostly in the Google ecosystem and trying to de-google, it stood out how unreliable, inconvenient and fragmented it is to get apps from other sources. I'm I missing something or the current state is really that sad? That's a huge adoption barrier to anything not Goog related, not to mention a security risk.

Before GrapheneOS: I trusted Google (and by extension the developers).
After GrapheneOS: I trust select developers, but want to verify that the apps really come untampered from them.

There are many sources without clear trustworthiness (F-Droid, APKPure, APKMirror, Amazon Store, Aurora, github repos, etc) and almost no way of being sure that the apps that come from any of these sources are untampered with (unless I'm missing it) for the first install (I understand that updates are checked by Android itself).

There's some tools like Guardian Checkey but very out of date. There's also command line apksigner, inconvenient for daily use but okay-ish.

The biggest problem by far is that there's no "know good" database of signatures. APKSCAN.org was shut down years ago, that backed androidobservatory.org and checkey. There's androidobservatory.com but AFAIK that's for a different purpose.

I can code my own scripts in whatever to check my APKs, as inconvenient as it sounds, but there's no actual database of dev trusted certificates to check against (hey, that's a CA does btw). And I'd like a lot to avoid doing my own custom, hackish, incomplete and inconvenient solution that would only benefit myself. The thought of that is enough to make me think going back to Google, I don't want to invest that amount of my free time on my mobile phone. There's life after all!

And that's not even thinking about binary transparency logs (bottom of page)

To be clear, I'm not surprised that there are dozens of different "stores" (although annoying) or other security aspects. I'm not worried about trusting a rando developer - that's a different problem.

I'm surprised there's no app that comes from GrapheneOS or other (good) paranoid people out there that goes "hey, let's check every single one of these APKs for know-good verifiable signatures".

I'm I missing something or that's the actual state of things outside the Google ecosystem? We install an app downloaded from F-Droid, apkpure or whatever and then just trust that whatever comes from it hasn't been tampered with?

Just asking as I'm sure I must be missing something obvious. Any thoughts and directions appreciated. And thanks for the outstanding project that is GrapheneOS!

[deleted]

atmz
You are not missing anything.
Except accrescent app store maybe

[deleted]

You don't have to verify the Checksum or Certificate fingerprint if you trust the source (e.g. App Store, GitHub, Developer's site, etc.) of the APK/App, since HTTPs would prevent tampering by other malicious actors.

atmz I'm surprised there's no app that comes from GrapheneOS or other (good) paranoid people out there that goes "hey, let's check every single one of these APKs for know-good verifiable signatures".

There are some apps you can use to check the Checksum of an installed app, and there was some app for comparing an (maybe SHA-256?) checksum to the expected (untampered) one, but I forgot its name.

[deleted]

atmz I'm surprised there's no app that comes from GrapheneOS or other (good) paranoid people out there that goes "hey, let's check every single one of these APKs for know-good verifiable signatures".

That's not how it works. Probabaly no one has the resources to maintain a huge database of checksum/certificate fingprint of every single app. And there isn't any "know-good verifiable signatures", every APK has its own checksum/certificate fingerprint.

atmz

[deleted] yes, but then I have to blindly trust the store. Which isn't very healthy; I trust, but want to verify - just in case. Being able to verify also opens up the possibility of getting the app from anywhere, so less centralization on hands of app stores.

GrapheneOS

atmz

Showing app id and signing key fingerprints at install time is already planned:

https://github.com/GrapheneOS/os-issue-tracker/issues/211

GrapheneOS has a planned feature for supporting a static pinning database too, but this is at odds with how some app developers and especially F-Droid choose to build and distribute apps:

https://github.com/GrapheneOS/os-issue-tracker/issues/989

Every variant of an app is supposed to have a unique app id, such as how we have app.grapheneos.camera for the variant in GrapheneOS and our app store but the Play Store variant is app.grapheneos.camera.play since it's signed with different signing keys and may need changes for the Play Store at some point. There are no differences between either build at the moment, but using a separate app id is still very important. Since the signing key is separate, reusing the same app id would be broken and would block you from installing one variant in one profile and the other variant in another profile due to packages being shared by the package manager across each profile with the app installed. The package manager enforces signing key pinning where a new signing key requires a key rotation proof and downgrade protection enforcing versionCode is greater than or equal to the currently installed version. It should be possible to pin a single set of signing keys for an app variant for each app id, with rare cases of key rotation as the only reason there would need to be multiple keys pinned for an id. Unfortunately, many developers and packagers disregard best practices and reuse the same app id for different app variants. We'd need to deal with this by making sure we include all the key fingerprints with a description of the app variant using them.

F-Droid and the Play Store bootstrap trust on their own and this wouldn't really be useful with them since both mainly use their own signing keys. F-Droid and the Play Store are both extremely problematic for introducing this kind of pinning system. F-Droid builds apps themselves and signs the vast majority with their own keys but uses the upstream app id instead of an F-Droid prefixed app id. For a small subset, they use the developer signatures. Play Store has always had developers upload apps signed with their own keys but began offering an optional Play Signing system for the Play Store to only use the developer keys as upload verification keys and resign the apps with Play Store keys. Play Store moved to asking developers to upload app bundles instead of APKs and generates the APKs from them on their own which requires using Play Signing, and they ended up making this mandatory for all new apps along with heavily recommending it for existing apps. Many developers who were already using the Play Store have continued using their own signing keys as the app signing keys but most developers will eventually be using Play Signing. Play Signing allows developers to request a key rotation for the keys used for fresh installs but doesn't currently use the standard Android key rotation system to replace the keys for existing installs. Android versions don't support key rotation and they've never integrated support for Android's app key rotation support into the Play Store.

If apps depend on a service, they could also use hardware key attestation. For example, a messaging app could provide a toggle to share attestations with a contact and the status could be shown for each of your sessions. It can be used to show that the session is from a device with a locked bootloader with a verified OS and app variant. It can show a green status for using the stock OS or an approved alternate OS along with the same thing for the app itself since hardware attestation can chain verification to the OS through the OS and provides the app id and signing key fingerprints for the app in the hardware attestation which is provided to the secure element or TEE by the OS. Apps could also use this feature in their services and could display a status display for your sessions when you view them.

atmz

[deleted] You don't need a database of app checksums, but a database of signing certificates. This should be orders of magnitude smaller and I'd be surprised if it was bigger than a few Gb. Found something at https://github.com/ashishb/android-security-awesome but looks like most of the projects that do things like this are commercial. Oh well.

[deleted]

atmz This should be orders of magnitude smaller and I'd be surprised if it was bigger than a few Gb.

An checksum is obviously smaller than an Signing Certificate, because the Signing Certificate contains so many things like SHA-1, SHA-256 and MD5 fingerprint(s), Owner, Issuer, Serial No., etc.

88dotorg

Obtainium is the app maybe you looking for, please have a look the options it has and how to install a certain app.

Foggy

88dotorg The problem with Obtanium is how to find the legit source of the app in the first place. I can go to a GitHub repo, but how do I know it’s the right one and not some random fork? I can Google, but what if that random repo managed to SEO its way to the top of Google?

Effectively the only way I can think of is to look for enough Reddit/XDA/whatever threads to form a consensus, and then hope they aren’t outdated because the pre-fork version is unmaintained or now full of malware.

It seems like a hard problem to solve without some degree of curation. Maybe curation is what’s needed, I don’t know.

DeletedUser29

Foggy My main method when possible, is to either go to the app's F-droid and/or Play Store page which usually has the Github link (or their webpage). Works for most apps since almost all apps are on either or.

Freedomain

It seems to me a solution could be to expand the "apps" app to wrap github and provide a secure way to verify select projects once downloaded.

dgzeij

As so many have said: This is such a big mess.

I expect there to spawn something more soon (tm) now that Obtanium is getting traction and widespread adoption.

All these Github app lists worked for getting ideas, but hardly helps in verifying if that is the actual developer or just a random fork. So far the best way to "verify" is to do the searchengine crawler method of looking at how many and % are linking to the same repo, but even this can be manipulated easily.

So maybe something like Accrecent would be one solution. But for my own sake I'm not sure if I would put all my trust in them, couse I still would have to do all the verifications, with or without Accrecent, and now having Accrecent verification on top.

Tbh it would be great if we could get an open source push notification server that could be selfhosted, and the counterpart phone app, so we could manage and control all notification and communications by ourselves. And a one-click add/replace this on the Github repo source when we package the app ourselves. This would eliminate most concern we have about the info chain, and simultaneously lower the battery consumption when moving from all apps updating separately to a common push manager. Then the biggest remaining question would be the original repo and how trustworthy it is, not to mention how to find it.

In either way we need more and better tools.