F-Droid apk signing key (SHA1) is vulnerable to SHAttered attack

The FDroid apk signing key still uses SHA1 despite its vulnerability to the SHAttered attack and others like it. While this subject was touched upon in a previous thread it it might be prudent to start looking for a way to move to a more secure hash function. This may be seen as low risk, but its still a risk.

4 Likes

There is a follow up attack on SHA-1 recently announced this year a month ago making the transition from the hash more urgent.

2 Likes

cc/ @hans I know you guys at The Guardian Project take security seriously.

Android 4.2 and older do not support SHA256 signatures at all, so
switching the APK signature means entirely dropping support for Android
4.2 and older. That’s the only reason I know why we haven’t done it
already.

Also, it is not a particularly high priority since there are also GPG
signatures on the APKs, and the there is the index signatures that signs
the SHA-256 of every APK in a repo. Then there is also good HTTPS
config. Plus the upcoming F-Droid v1.8 will drop TLSv1.0 and TLSv1.1
entirely on devices that support it.

For more info: https://f-droid.org/docs/Security_Model

4 Likes

I have added all these in my latest v13 https://f-droid.org/en/packages/com.oF2pks.applicationsinfo/ ; full signature is “unpack” (issuer…) and 3x sha1 sha256 & md5 certificates are calculated (F-Droid index-v1 shows certificate sha256 algorithm : _signer_).

Even on latest aosp/oem Pie roms, ~half of system apps are built in SHA1withRSA including Webview, others components are on MD5withRSA.

(Will also add these info in waiting screen in v8 https://f-droid.org/en/packages/com.oF2pks.classyshark3xodus/ plus shasum 256 of apk’s file as also shown in F-Droid index-v1 : _hash_ )

@hans , I’ve also added detection of _usesCleartextTraffic , maybe this could be set to false for both fdroidClient & fdroidPriviledge in their androidmanifest.xml ?

Mastodon