In case anyone here is interested, I wrote an analysis of the /e/OS app installer, focusing on signature verification and privacy issues. Their installer provides apps from F-Droid (and other sources) via a third-party server, CleanAPK.org. In an attempt to provide tamper protection, the installer tries to determine which apps originate from F-Droid, so that it can check their signatures using the F-Droid public key. The current version (released on October 28) makes this determination by sending a GET request to
https://f-droid.org/en/packages/PACKAGE_NAME/
for each app that users are about to install or update. F-Droid will see an increase in these requests as a consequence, I don’t know how significant it will be.
I don’t really understand why they don’t just always check if it’s signed by F-Droid because F-Droid keeps the key on an air-gapped machine so… it’s not like non-F-Droid apps can ever be signed with the F-Droid key. But whatever
Yes, they could at least use a HEAD request. In any case, this method is ineffective, because the attacker can change the package name to bypass signature verification.
PS: Thanks for Catima! I’ve been using it for a while, it’s perfect at what it does.
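The bypass described in the two replies above, as an added example that is not part of the thread or of the /e/OS installer code: a gate that decides "is this an F-Droid app?" from the package name, and only then verifies the signature, accepts anything whose name the lookup does not recognise, because the name comes from the same untrusted download as the APK. A policy that checks the signer unconditionally does not have that hole. Real APKs carry an X.509 certificate in an APK signature block; this constructed model uses Ed25519 keys generated at run time, a local name set standing in for the GET to https://f-droid.org/en/packages/PACKAGE_NAME/, and invented package names and payload bytes, so it runs offline. The type and function names are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Apk stands in for a downloaded package: the name read from its manifest,
// the bytes the signature covers, the signature, and the signer's public key.
// Constructed model; a real APK carries an X.509 certificate, not a raw key.
type Apk struct {
	PackageName string
	Payload     []byte
	Signer      ed25519.PublicKey
	Signature   []byte
}

// fingerprint returns the SHA-256 fingerprint of a signer key, the form in
// which a client would pin the F-Droid signing identity.
func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// signedBy requires both that the signature verifies under the embedded key
// and that the key is the pinned one. Verifying alone proves nothing: any key
// can produce a valid signature over any payload.
func signedBy(apk Apk, pinned string) bool {
	return fingerprint(apk.Signer) == pinned &&
		ed25519.Verify(apk.Signer, apk.Payload, apk.Signature)
}

// acceptByNameLookup models the gate discussed in the thread: consult the
// F-Droid name list (here a local map, standing in for the HTTP request) and
// verify the signature only for names it knows. The name is attacker-chosen.
func acceptByNameLookup(apk Apk, fdroidNames map[string]bool, pinned string) bool {
	if !fdroidNames[apk.PackageName] {
		return true // "not from F-Droid", so no check at all
	}
	return signedBy(apk, pinned)
}

// acceptBySignature models the alternative: the verdict depends only on the
// signer, never on metadata the server or a man-in-the-middle controls.
func acceptBySignature(apk Apk, pinned string) bool {
	return signedBy(apk, pinned)
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenario builds one genuine F-Droid-signed package and one attacker-signed
// package with a renamed manifest, then returns both policies' verdicts.
// Keys, names and payloads are all generated or constructed here.
func Scenario() (genuineByName, attackerByName, genuineBySig, attackerBySig bool) {
	fdroidPub, fdroidPriv := mustKey()
	attackerPub, attackerPriv := mustKey()
	pinned := fingerprint(fdroidPub)
	fdroidNames := map[string]bool{"org.example.notes": true} // constructed index

	genuine := Apk{PackageName: "org.example.notes",
		Payload: []byte("notes apk bytes (constructed)"), Signer: fdroidPub}
	genuine.Signature = ed25519.Sign(fdroidPriv, genuine.Payload)

	// The attacker re-signs a modified build with their own key and edits the
	// manifest so the name is one the F-Droid lookup will not recognise.
	attacker := Apk{PackageName: "org.example.notes.pro",
		Payload: []byte("trojanised notes apk bytes (constructed)"), Signer: attackerPub}
	attacker.Signature = ed25519.Sign(attackerPriv, attacker.Payload)

	return acceptByNameLookup(genuine, fdroidNames, pinned),
		acceptByNameLookup(attacker, fdroidNames, pinned),
		acceptBySignature(genuine, pinned),
		acceptBySignature(attacker, pinned)
}

func main() {
	g1, a1, g2, a2 := Scenario()
	fmt.Printf("name-lookup gate: genuine=%v attacker=%v\n", g1, a1)
	fmt.Printf("signature-only:   genuine=%v attacker=%v\n", g2, a2)
}
```

The signature-only policy here accepts nothing but the pinned signer, which is the right rule for the F-Droid-sourced part of the catalogue; an installer that also ships apps from other sources would still need a separate trust rule for those (for example pinning each app's first-seen signer), but that rule must likewise never be selected by a field the attacker can rewrite.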
There was some action, but it didn’t solve the problem. As I understand it, they are working on a proper solution, this was just a misplaced band-aid.
Call me confused. Over the last several weeks, did e ROM developers pretend to work on and fix the Nervuri issues, first publicized around Oct. 29, without really fixing them?
An analysis of the /e/OS app installer | nervuri