In case anyone here is interested, I wrote an analysis of the /e/OS app installer, focusing on signature verification and privacy issues. Their installer provides apps from F-Droid (and other sources) via a third party server, CleanAPK.org. In an attempt to provide tamper protection, the installer tries to determine which apps originate from F-Droid, so that it can check their signatures using the F-Droid public key. The current version (released on October 28) makes this determination by sending a GET request to
for each app that users are about to install or update. F-Droid will see an increase in these requests as a consequence; I don’t know how significant it will be.
Also see the previous forum discussion.
They really just use the website and… expect HTTP 200?
That seems… kinda insensible.
First off, it’s a waste of data, because you don’t need all the HTML you get.
Secondly, there is an API? https://f-droid.org/api/v1/packages/me.hackerchick.catima
I don’t really understand why they don’t just always check if it’s signed by F-Droid because F-Droid keeps the key on an air-gapped machine so… it’s not like non-F-Droid apps can ever be signed with the F-Droid key. But whatever
Thank you for exposing this, after “only” 5 months of inaction after it was reported privately.
via a third party server
Can I just say, this will probably turn out to be one of the biggest lies told by eelo.
PS. The check is in the mail.
Yes, they could at least use a HEAD request. In any case, this method is ineffective, because the attacker can change the package name to bypass signature verification.
PS: Thanks for Catima! I’ve been using it for a while, it’s perfect at what it does.
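An added example, not code from this thread or from the /e/OS installer: it contrasts the lookup-gated check discussed above (verify against the F-Droid key only when f-droid.org reports the package name) with a check that always verifies the signer against a locally pinned allow-list, which needs no per-install request. The certificate bytes, the pinned hash and the listed package set are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass

# Pinned fingerprint of the F-Droid signing certificate. Constructed placeholder
# for this example; a real installer would pin the actual certificate hash.
FDROID_CERT = b"constructed-fdroid-signing-cert"
FDROID_CERT_SHA256 = hashlib.sha256(FDROID_CERT).hexdigest()

# Stand-in for the GET/HEAD lookup against f-droid.org discussed in the thread:
# a constructed set of package names the lookup would report as present.
LISTED_ON_FDROID = {"me.hackerchick.catima"}


def fdroid_lookup_stub(package_name: str) -> bool:
    return package_name in LISTED_ON_FDROID


@dataclass
class Apk:
    package_name: str
    signer_cert: bytes  # DER of the signing certificate (constructed bytes here)


def cert_fingerprint(cert: bytes) -> str:
    return hashlib.sha256(cert).hexdigest()


def install_check_lookup_gated(apk: Apk, lookup=fdroid_lookup_stub) -> bool:
    """The approach criticised in the thread: ask f-droid.org whether the package
    name exists and verify against the F-Droid key only for those packages.
    Anything the lookup does not recognise is accepted with no pinned-key check,
    so a repackaged APK under a different name is never verified."""
    if lookup(apk.package_name):
        return cert_fingerprint(apk.signer_cert) == FDROID_CERT_SHA256
    return True


def install_check_pinned(apk: Apk, pinned=frozenset({FDROID_CERT_SHA256})) -> bool:
    """Always verify: accept only signers in a local allow-list of pinned
    fingerprints (extend it with whatever other keys the installer trusts).
    No origin lookup is consulted, so the package name is irrelevant."""
    return cert_fingerprint(apk.signer_cert) in pinned


def compare(apk: Apk) -> dict:
    return {"lookup_gated": install_check_lookup_gated(apk),
            "pinned": install_check_pinned(apk)}


if __name__ == "__main__":
    print(compare(Apk("me.hackerchick.catima", FDROID_CERT)))
    print(compare(Apk("me.hackerchick.catima.x", b"constructed-attacker-cert")))
```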
There was some action, but it didn’t solve the problem. As I understand it, they are working on a proper solution, this was just a misplaced band-aid.
Call me confused. Over the last several weeks, did e ROM developers pretend to work on and fix the Nervuri issues, first publicized around Oct. 29, without really fixing them? https://nervuri.net/e/apps
A few days earlier on Oct. 26, they announced it was fixed or about to be fixed: “The fix has been added to v0.19” https://community.e.foundation/t/e-os-v0-19-is-coming/35725#security-updates-2
but on Nov. 7, in weekly forum updates, they said they were tracking two open issues. https://community.e.foundation/t/week-45-development-and-testing-updates/36248#apps-installer-updates-4
On Dec. 5, they say “Post the current development and testing, developers will take up these issues.” https://community.e.foundation/t/week-49-development-and-testing-updates/36998#apps-store-updates-5
On Dec. 12, the issues are still open, with no progress seen, but the weekly “development and testing update” dropped it? https://community.e.foundation/t/week-50-development-and-testing-updates/37155
Is this the behavior of a company you can trust?