An analysis of the /e/OS app installer

In case anyone here is interested, I wrote an analysis of the /e/OS app installer, focusing on signature verification and privacy issues. Their installer provides apps from F-Droid (and other sources) via a third party server, CleanAPK.org. In an attempt to provide tamper protection, the installer tries to determine which apps originate from F-Droid, so that it can check their signatures using the F-Droid public key. The current version (released on october 28) makes this determination by sending a GET request to

https://f-droid.org/en/packages/PACKAGE_NAME/

for each app that users are about to install or update. F-Droid will see an increase in these requests as a consequence, I don’t know how significant it will be.

Also see the previous forum discussion.

5 Likes

They really just use the website and… expect HTTP 200?

That seems… kinda insensible.

First off, it’s a waste of data, because you don’t need all the HTML you get.

Secondly, there is an API? https://f-droid.org/api/v1/packages/me.hackerchick.catima

I don’t really understand why they don’t just always check if it’s signed by F-Droid because F-Droid keeps the key on an air-gapped machine so… it’s not like non-F-Droid apps can ever be signed with the F-Droid key. But whatever :slight_smile:

2 Likes

Thank you for exposing this, after “only” 5 months of inaction after reported privately.

via a third party server

Can I just say, this will probably turn out to be one of the biggest lies told by eelo.

PS. The check is in the mail.

Yes, they could at least use a HEAD request. In any case, this method is ineffective, because the attacker can change the package name to bypass signature verification.

PS: Thanks for Catima! I’ve been using it for a while, it’s perfect at what it does.

1 Like

There was some action, but it didn’t solve the problem. As I understand it, they are working on a proper solution, this was just a misplaced band-aid.

Call me confused. :wink: Over the last several weeks, did e ROM developers pretend to work on and fix the Nervuri issues, first publicized around Oct. 29, without really fixing them? https://nervuri.net/e/apps

A few days earlier on Oct. 26, they announced it was fixed or about to be fixed: “The fix has been added to v0.19” https://community.e.foundation/t/e-os-v0-19-is-coming/35725#security-updates-2

but on Nov. 7, in weekly forum updates, they said they were tracking two open issues. https://community.e.foundation/t/week-45-development-and-testing-updates/36248#apps-installer-updates-4

On Dec. 5, they say “Post the current development and testing, developers will take up these issues.” https://community.e.foundation/t/week-49-development-and-testing-updates/36998#apps-store-updates-5

On Dec. 12, the issues are still open, with no progress seen, but the weekly “development and testing update” dropped it? https://community.e.foundation/t/week-50-development-and-testing-updates/37155

Is this the behavior of a company you can trust?

2 Likes

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.