ParanoidAndroid

  • Joined Jan 11, 2023
  • ParanoidAndroid

    ParanoidAndroid F-Droid's security is a point, but when F-Droid builds the app it is more or less guaranteed that the app was built from the source code. This is not the case when Obtainium is the installation source, because the signature that can be verified has nothing to do with the code.

    The bigger question here is do you trust them to take care of everything for you or not? If you trust them enough then use them.

    ParanoidAndroid If my assumption is correct, I don't get why I should trust many developers when using Obtainium instead of only trusting F-Droid. Isn't the security compromised with each app that is installed and updated via Obtainium?

    As I said, you are still trusting the developers to an extent, especially since, as mentioned, F-Droid's security checks are rather... bad and ineffective currently.

    In terms of Obtainium you are partially correct, especially if you do not manually verify them yourself. The concept of the way Obtainium is often suggested over F-Droid is that you don't have an extremely insecure source managing all of your apps. Obtainium isn't necessarily insecure or secure in the sources that it connects to (depends on the source of course), but it does have issues that have been discussed which, while they don't make it a necessarily insecure option, do make it a problematic option, as how it handles things in my honest opinion is not a good nor reliable way to obtain apps unless as a last resort, which is why I mainly use RSS and just do everything manually, including the verification processes.

    There are evidently reasons why GrapheneOS doesn't actually recommend or suggest Obtainium.

    Because, just like F-Droid, it is problematic, except in some different ways. The only problematic thing they really share is that they both break the Android trust model, due to them both being able to basically add any third-party source they want while technically being an app store.

    Me personally, I avoid Obtainium as much as possible except for places that RSS feeds cannot cover, which so far is only one application, so I would say that is going pretty well. And even then I plan to resolve that so that I can get rid of Obtainium entirely.

    Point being, I trust myself enough to where I can manage everything myself. Because if a developer all of a sudden turns malicious and ships a malicious update, or the app is spyware, well, I'm rather confident in my ability to notice and detect that, and when I do it's time to pull the app from my device and feeds. And for the installation process, after being notified of an update I use Vanadium to download it (wouldn't trust any browser with lesser security for such a task), then check and verify it if possible, and then after installation keep a really close eye out for any suspicious activity for the initial week of installation. Of course, I do plan to shift from RSS to Accrescent as it matures, but until then...

    But I know everyone is different and you may not be as confident in doing so, which is perfectly fine and understandable! After all, that's a pretty big position to take for most, and some people may just simply not be able to do it for one reason or another.

    That's precisely the point I'm trying to make about F-Droid: do you feel like you yourself trust it enough to let it manage your apps despite its security issues? You can listen to people go back and forth about pros and cons, but not every solution is for everyone. There are legitimate reasons to use F-Droid, as there are legitimate reasons to use any app source.

    Think for yourself. Do you trust yourself to manage your apps more, or F-Droid? Because that's basically what you have to do with Obtainium or RSS: manage security yourself.
    Come to your own conclusion on what you yourself want to use, what you think is better for you. Cause honestly this Obtainium versus F-Droid stuff is just going to keep going on and on, cause both sides have issues. And it's precisely for these reasons that I am not giving you a suggestion myself.

    Hope this extra info and explanation helps you make a decision!

    • ParanoidAndroid Directly from source: you need to trust the developer and the source that the uploaded binary is safe.

      Do keep in mind you technically have to trust the developer no matter what app source you use, as there's always a possibility of malware slipping through no matter the source. And also, a benefit of getting it directly from the source yourself is that, provided you are willing to do so, you can take steps and precautions to manually verify it yourself. Which is quite nice, as it places a factor of trust in yourself rather than putting ALL of your trust in app sources.

      Ultimately, in terms of you asking for guidance on how to proceed... well, it's genuinely a matter of two things.

      1. Your threat model
      2. What you value most

      Following up from 1: as in, what are you trying to protect yourself from, and how severe or dangerous is the threat to you?
      Following up from 2: as in, what do you value most? Security? Privacy? Overall control? Feature theatre? Minimalism? The list of things people can value more than other things goes on and on.

      Point is, I wouldn't say it's necessarily dumb to keep using F-Droid if your threat model and priorities do not demand good security. It's your call. Just do always keep its massive issues in mind if you do. That should go for any method too: always keep in mind the issues or shortcomings it has.

      I will say though, in terms of mainly wanting to use FOSS software, you could subscribe to F-Droid's RSS news feed! I never really see people talk about this, but it's a genuinely good way to still engage with FOSS apps without having to have F-Droid installed, because, general F-Droid news aside, it tells you about certain big noteworthy app changes, what apps got updated (though I would suggest ignoring the updates part, since it's been discussed several times that F-Droid lags behind pretty badly on updates), and most importantly what new apps got added, which would be important in trying to discover new FOSS apps. And then of course you can use the F-Droid website to find quick links to the app's source to read more about it or install it from there. This method allows you to still easily engage with FOSS apps, but without the necessity of having F-Droid badly compromising your security.
      Even if you use/continue to use F-Droid though, I'd say you should still use the RSS feed or check the news section of their site every now and then. It's quite informative!

      • ParanoidAndroid Can you please explain what the implications are?

        Yes. None. There are no implications for end-users of the official F-Droid repositories, since the vulnerable functionality isn't even used. Third-party repositories you add yourself might be vulnerable, but I don't know to what extent or how.

        The vulnerability is in server code, so client apps like the F-Droid app are not affected either.

      • ParanoidAndroid Try to create a file in that directory. If you can't, other (user-installed) apps can't either. Spoiler: no need to try, it doesn't work anyway.