The FDroid apk signing key still uses SHA1 despite its vulnerability to the SHAttered attack and others like it. While this subject was touched upon in a previous thread it it might be prudent to start looking for a way to move to a more secure hash function. This may be seen as low risk, but its still a risk.
There is a follow up attack on SHA-1 recently announced this year a month ago making the transition from the hash more urgent.
1 Like
Android 4.2 and older do not support SHA256 signatures at all, so
switching the APK signature means entirely dropping support for Android
4.2 and older. That’s the only reason I know why we haven’t done it
already.
Also, it is not a particularly high priority since there are also GPG
signatures on the APKs, and the there is the index signatures that signs
the SHA-256 of every APK in a repo. Then there is also good HTTPS
config. Plus the upcoming F-Droid v1.8 will drop TLSv1.0 and TLSv1.1
entirely on devices that support it.
For more info: Security Model | F-Droid - Free and Open Source Android App Repository
4 Likes
I have added all these in my latest v13 apps_Packages Info - Updated ApplicationsInfos (² | F-Droid - Free and Open Source Android App Repository ; full signature is “unpack” (issuer…) and 3x sha1 sha256 & md5 certificates are calculated (F-Droid index-v1 shows certificate sha256 algorithm : _signer_).
Even on latest aosp/oem Pie roms, ~half of system apps are built in SHA1withRSA including Webview, others components are on MD5withRSA.
(Will also add these info in waiting screen in v8 ClassyShark3xodus - Scan apps for warnings | F-Droid - Free and Open Source Android App Repository plus shasum 256 of apk’s file as also shown in F-Droid index-v1 : _hash_ )
@hans , I’ve also added detection of _usesCleartextTraffic , maybe this could be set to false for both fdroidClient & fdroidPriviledge in their androidmanifest.xml ?
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.