An analysis of the /e/OS app installer

In case anyone here is interested, I wrote an analysis of the /e/OS app installer, focusing on signature verification and privacy issues. Their installer provides apps from F-Droid (and other sources) via a third party server, CleanAPK.org. In an attempt to provide tamper protection, the installer tries to determine which apps originate from F-Droid, so that it can check their signatures using the F-Droid public key. The current version (released on October 28) makes this determination by sending a GET request to

https://f-droid.org/en/packages/PACKAGE_NAME/

for each app that users are about to install or update. F-Droid will see an increase in these requests as a consequence; I don’t know how significant it will be.

Also see the previous forum discussion.

5 Likes

They really just use the website and… expect HTTP 200?

That seems… kinda insensible.

First off, it’s a waste of data, because you don’t need all the HTML you get.

Secondly, there is an API? https://f-droid.org/api/v1/packages/me.hackerchick.catima

I don’t really understand why they don’t just always check if it’s signed by F-Droid because F-Droid keeps the key on an air-gapped machine so… it’s not like non-F-Droid apps can ever be signed with the F-Droid key. But whatever :slight_smile:

2 Likes

Thank you for exposing this, after “only” 5 months of inaction after it was reported privately.

via a third party server

Can I just say, this will probably turn out to be one of the biggest lies told by eelo.

PS. The check is in the mail.

Yes, they could at least use a HEAD request. In any case, this method is ineffective, because the attacker can change the package name to bypass signature verification.

PS: Thanks for Catima! I’ve been using it for a while, it’s perfect at what it does.

1 Like
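To make the bypass described above and the “just always check the F-Droid signature” suggestion from the earlier reply concrete, here is an added Python model (not code from /e/OS or from anyone in this thread). It assumes the platform has already verified the APK against its embedded signer certificate, and uses a constructed stand-in for the F-Droid signing certificate; the website probe is simulated by a set lookup.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the F-Droid signing certificate (NOT the real one).
FDROID_CERT = b"constructed: F-Droid signing certificate DER bytes"
FDROID_CERT_SHA256 = hashlib.sha256(FDROID_CERT).digest()


@dataclass(frozen=True)
class Apk:
    package: str        # package name: attacker-controlled metadata
    signer_cert: bytes  # certificate the platform verified the APK signature against


def origin_lookup(package: str, fdroid_index: set[str]) -> bool:
    """Stand-in for GET https://f-droid.org/en/packages/<name>/ : True on HTTP 200."""
    return package in fdroid_index


def signer_is_fdroid(apk: Apk) -> bool:
    """Compare the verified signer certificate with the pinned F-Droid certificate."""
    digest = hashlib.sha256(apk.signer_cert).digest()
    return hmac.compare_digest(digest, FDROID_CERT_SHA256)


def flawed_check(apk: Apk, fdroid_index: set[str]) -> bool:
    """Installer logic as the thread describes it: the signer is compared with
    F-Droid's certificate only when the package name looks like an F-Droid
    package. Any other name skips the comparison, so renaming the package
    turns a tampered APK into an 'accepted' one."""
    if origin_lookup(apk.package, fdroid_index):
        return signer_is_fdroid(apk)
    return True  # not "from F-Droid" according to the probe: no check at all


def classify(apk: Apk) -> str:
    """Hardened version: let the pinned signer decide the origin instead of
    the package name. Nothing the attacker controls selects the policy, and
    no network request is needed. Anything not signed by F-Droid is simply
    never treated as an F-Droid app, whatever it calls itself."""
    return "fdroid" if signer_is_fdroid(apk) else "unknown"
```

With the constructed inputs, a tampered APK that keeps a real F-Droid package name is caught by both checks, while the same tampered APK under a renamed package passes `flawed_check` but is classified as `unknown` by the hardened version.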

There was some action, but it didn’t solve the problem. As I understand it, they are working on a proper solution, this was just a misplaced band-aid.

Call me confused. :wink: Over the last several weeks, did e ROM developers pretend to work on and fix the Nervuri issues, first publicized around Oct. 29, without really fixing them? An analysis of the /e/OS app installer | nervuri

A few days earlier on Oct. 26, they announced it was fixed or about to be fixed: “The fix has been added to v0.19” /e/OS v0.19 is coming! - Announcements - /e/OS community

but on Nov. 7, in weekly forum updates, they said they were tracking two open issues. Week 45: Development and Testing Updates - Development Updates - /e/OS community

On Dec. 5, they say “Post the current development and testing, developers will take up these issues.” Week 49 : Development and Testing Updates - Development Updates - /e/OS community

On Dec. 12, the issues are still open, with no progress seen, but the weekly “development and testing update” dropped it? Week 50 : Development and Testing Updates - Development Updates - /e/OS community

Is this the behavior of a company you can trust?

2 Likes
