Magisk: potentially significant security risk through the use of modules

Hi everyone,

I wanted to change to Bromite’s system-webview, and the only remaining way would be to try to use the Magisk-module.
So I researched a bit about those and found what appeared to me a significant risk that could affect f-droid users as well.

The maintainers of the modules have direct admin access to their official Magisk-modules repo section and can upload there directly:

"Once approved, your module will be cloned to Magisk-Modules-Repo, and a collaboration invitation will be sent to your email so you have admin permissions to the module.

Removal

Once you accepted the invitation for collaboration on GitHub, you have admin permission; this means you can delete the module yourself via GitHub.

Important Notes

You should update your module directly to the repo on Magisk-Modules-Repo, NOT your personal repo! Your personal repository hosting your module will not be used by Magisk in any way."

From:

Which means -if I got that correct-, that an attacker could write a useful module, get through the initial filter process of the Magisk creator and get admin access to their module on the official Magisk-modules-repo, make a few valid updates to be on the safe side to gain trust – and then for example begin to implement malicious code, or load such from an external resource – even just temporarily through a resource on a server they have control over.

That’s what it looks like to me now, and if that is correct, it strikes me as a huge security risk, for one because Magisk will always run with root access and is particularly deep ingrained into the system.

That type of risk might not be obvious for everyone using the f-droid Magisk version, as the modules are specifically mentioned as features in the description, so one could think those were certainly safe, but from what I assume that might not at all be the case. Again this is only if my assumptions are correct, so if I did overlook something, please correct me (I want to use that webview-changer module myself after all!)

I don’t know if the modules update themselves automatically – but if they do, this would make the potential threat even more serious.

Possible Solutions:

One could repackage the most popular modules into f-droid repackaged apps – a bit like it is the case with the debloater:

– which apparently works as a Magisk module as well.

And I think it would not hurt to put a security-related warning in regards to the Magisk modules on f-droids Magisk site, so nobody uses them without being aware of the risks. There is already a warning on the Magisk-site that non-free addons are promoted, but I think this could be misleading in this instance, as this might make it look like a license-issue when it really is also and probably even more importantly a security issue – if my assumptions are correct.