An analysis of the /e/OS app installer

In case anyone here is interested, I wrote an analysis of the /e/OS app installer, focusing on signature verification and privacy issues. Their installer provides apps from F-Droid (and other sources) via a third party server. In an attempt to provide tamper protection, the installer tries to determine which apps originate from F-Droid, so that it can check their signatures using the F-Droid public key. The current version (released on October 28) makes this determination by sending a GET request to

for each app that users are about to install or update. F-Droid will see an increase in these requests as a consequence; I don’t know how significant it will be.

Also see the previous forum discussion.


They really just use the website and… expect HTTP 200?

That seems… kinda insensible.

First off, it’s a waste of data, because you don’t need all the HTML you get.

Secondly, there is an API?

I don’t really understand why they don’t just always check if it’s signed by F-Droid because F-Droid keeps the key on an air-gapped machine so… it’s not like non-F-Droid apps can ever be signed with the F-Droid key. But whatever :slight_smile:


Thank you for exposing this, after “only” 5 months of inaction after it was reported privately.

via a third party server

Can I just say, this will probably turn out to be one of the biggest lies told by eelo.

PS. The check is in the mail.

Yes, they could at least use a HEAD request. In any case, this method is ineffective, because the attacker can change the package name to bypass signature verification.

PS: Thanks for Catima! I’ve been using it for a while, it’s perfect at what it does.

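The two points made above (that the installer could simply always check against the pinned F-Droid key, and that a package rename bypasses a check gated on the package name) can be made concrete with a small model. The following Go program is an added example written for this discussion; it is not the /e/OS installer's code, and it does not parse real APKs. An APK is modelled as a struct with a package name, a payload and an Ed25519 signature over the payload digest (Ed25519 stands in for the RSA/ECDSA keys real APK signers use), the GET lookup is modelled as a local set of known package names, and the `Request` type records what the client asked for before downloading, which is an assumption about how a fixed installer would work rather than a description of /e/OS. `acceptResponseDriven` reproduces the gated behaviour described in the thread; `acceptRequestBound` binds the check to the requested package and source instead, so a renamed file is rejected as "not the app that was requested" rather than skipping verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Apk is a constructed stand-in for a downloaded APK. Package is the name
// read from the file's manifest, Payload the file content, Sig the
// publisher's signature over sha256(Payload). Real APK signing (v1/v2/v3
// schemes) is more involved; the point here is only who controls which field.
type Apk struct {
	Package string
	Payload []byte
	Sig     []byte
}

// Request is what the client decided before downloading: which package the
// user asked for and which source it expects it to come from (assumption:
// the client records this itself rather than trusting the response).
type Request struct {
	Package string
	Source  string
}

// newKeyPair generates an Ed25519 key pair (stand-in for a real APK signing key).
func newKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signApk builds an APK whose payload digest is signed by the given publisher key.
func signApk(priv ed25519.PrivateKey, pkg string, payload []byte) Apk {
	digest := sha256.Sum256(payload)
	return Apk{Package: pkg, Payload: payload, Sig: ed25519.Sign(priv, digest[:])}
}

// verifySig checks the signature over sha256(Payload) with a pinned public key.
func verifySig(pub ed25519.PublicKey, apk Apk) bool {
	digest := sha256.Sum256(apk.Payload)
	return ed25519.Verify(pub, digest[:], apk.Sig)
}

// acceptResponseDriven models the behaviour described in the thread: the
// package name found in the downloaded file decides whether the F-Droid key
// is checked at all (onFDroid stands in for the GET lookup). Anything not
// recognised as an F-Droid app is installed without a signature check.
func acceptResponseDriven(fdroidPub ed25519.PublicKey, onFDroid map[string]bool, apk Apk) bool {
	if onFDroid[apk.Package] {
		return verifySig(fdroidPub, apk)
	}
	return true
}

// acceptRequestBound binds the policy to what the client asked for instead:
// the file must carry the requested package name, and for an F-Droid request
// it must verify under the pinned F-Droid key. Other sources would need their
// own rule; this toy rejects them (assumption, not /e/OS policy).
func acceptRequestBound(fdroidPub ed25519.PublicKey, req Request, apk Apk) bool {
	if apk.Package != req.Package {
		return false // a renamed package is not the app that was requested
	}
	if req.Source == "fdroid" {
		return verifySig(fdroidPub, apk)
	}
	return false
}

func main() {
	fdroidPub, fdroidPriv := newKeyPair()
	_, attackerPriv := newKeyPair()

	// Constructed inputs: a genuine build, a tampered build that keeps the
	// name, and a tampered build republished under a different name.
	genuine := signApk(fdroidPriv, "com.example.app", []byte("genuine build"))
	sameName := signApk(attackerPriv, "com.example.app", []byte("tampered build"))
	renamed := signApk(attackerPriv, "com.example.app.alt", []byte("tampered build"))

	onFDroid := map[string]bool{"com.example.app": true}
	req := Request{Package: "com.example.app", Source: "fdroid"}

	cases := []struct {
		name string
		apk  Apk
	}{{"genuine", genuine}, {"same name", sameName}, {"renamed", renamed}}
	for _, c := range cases {
		fmt.Printf("%-10s response-driven: %-5v request-bound: %-5v\n", c.name,
			acceptResponseDriven(fdroidPub, onFDroid, c.apk),
			acceptRequestBound(fdroidPub, req, c.apk))
	}
}
```

Running it shows the gap in one line: the renamed build passes `acceptResponseDriven` because the lookup never sees a known name, while `acceptRequestBound` rejects it on the name mismatch and rejects the same-name tampered build on the signature. The lookup request is also gone entirely, which is the traffic point raised in the first post.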

There was some action, but it didn’t solve the problem. As I understand it, they are working on a proper solution, this was just a misplaced band-aid.

Call me confused. :wink: Over the last several weeks, did e ROM developers pretend to work on and fix the Nervuri issues, first publicized around Oct. 29, without really fixing them?

A few days earlier on Oct. 26, they announced it was fixed or about to be fixed: “The fix has been added to v0.19”

but on Nov. 7, in weekly forum updates, they said they were tracking two open issues.

On Dec. 5, they say “Post the current development and testing, developers will take up these issues.”

On Dec. 12, the issues are still open, with no progress seen, but the weekly “development and testing update” dropped it?

Is this the behavior of a company you can trust?

