Requesting Modification to the f-droid Security Model

As there is no proper way for f-droid users to establish the root of trust that would be required to verify the apps they install from f-droid are legit I would like to propose some improvements that might help mitigate.

Firstly, every app on the site should have a SHA256 checksum along with its PGP signature in its description dialogue.

Secondly f-droid app should be hardcoded to self check its own package signature and calculate its own apk checksums and display them in its own ‘about’ dialogue so users can compare that with those on the f-droid website and with results from their own checksum calculator.

Thirdly f-droid app should display those same package signature and checksum results for each app it downloaded and installed so the user can compare with f-droid website and their own checksum calculator.

Bottom line. If f-droid app’s own built in dialogue calculates the same package sigs and checksums as the f-droid website and the checksums also match the users own third party checksum calculator there can be only one conclusion. The installed apps are the same as those that were built by f-droid.

That won’t help. A malicious app could just still display a valid checksum. All the modifications you suggest also depend on trusting the F-Droid apk (it could display a valid checksum and still download another file).

I think the F-Droid app already verifies the checksums automatically. So as long as you trust the original F-Droid apk you installed, everything should already be fine.

“as long as you trust the original F-Droid apk you installed”

My entire point is about creating a means by which to trust the f-droid apk that is downloaded and installed is actually the one created by f-droid as per the published source code and not a malicious substitute and similarly all the other hosted apps.

Then you have to check that you trust the F-Droid apk before installing (the F-Droid website shows the signature). There is nothing the app could display that would actually make it more trustworthy because a malicious app can just display whatever it wants.

6 Likes

The fdroidclient apk is signed and you may download the pub key to verify it from the website.

The index and the apks, although downloaded from mirrors, are signed and verified by the fdroidclient. So I think the chain of trust is strong enough.

4 Likes

There is. Checksum in the description dialog of the same site that provides the APK is useless, PGP signature is the proper way.

1 Like

Checksum verification is not a security practice.
Here is why: If an attacker gets access to a download page and replaces a download APK file, they will also replace its checksum.

6 Likes

If pgp signature is the proper way then why are there no apps that can check if an apk was really signed by the correct signing key and why does the command line method return multiple warnings about the f-droid apk? That is about as proper as saying my security is bullshit and you can check that with my linux command line bullshit detector and just ignore all the subsequent warnings they are just more bullshit.

Because your previous request didn’t get traction with a developer who had time or motivation to create it?

Or F-Droid and Android Installer already do it for you, without giving you the “proof” you wish to see. Have you tried installing an app apk from one source or F-droid repo’, then attempting an update from another? You would find it will complain about signature mismatch.

Or ClassyShark3xodus already shows you the info.

Why are you people so hostile to the idea of improving the security model? What is your motivation for being involved?

I wouldn’t say I’m hostile to improving the security model. I’m just against adding things that provide a false feeling of security without actually being more secure.

9 Likes

Yeah it’s a good idea to improve security, but also not necessarily the best way to implement that.

PGP Signatures are only useful in specific use case scenarios, it’s just as easy to change a signature if you have access to changing the download page.

The hypothetical scenario is that F-Droid are already hacked.

F-Droid already does provide a valid signature checksum, the signature checksum is similar in this scenario to using a PGP Key, the key is only provided by the developer: the signature if modified would change the key and therefore change the checksum.

If you believe One Way Decryption Key provided by a hacked website is more secure than a package and signature checksum provided by the same hacked website then I’m not sure what to say.

I suggest you learn about PGP and how private and public keys work.

In that case the signature will not match the F-Droid public key, which is provided by key pool servers.
And a legit F-Droid client will detect it too.

The checksum is used to verify the integrity of a file and check for possible data corruption, it is not a security method as such.

How do you think a signed app is a security feature when no one can verify the signing key used to sign the app is legit because every app on f-droid is signed with a different key?

All apps are signed with their own unique signing key, but:

  • all apps are signed with the same PGP key
  • all apps’ metadata in the repository are signed with the same repo key

If you want to verify an app to ensure it was the one that F-Droid compiled you can either:

  • verify the PGP key
  • verify the repo key, and compare the hashes in metadata

2 Likes
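
The chain described in the last reply (trusted key, signed metadata, hashes in metadata), contrasted with the same-site checksum from the first post, as an added example that is not part of the thread or of F-Droid's code. It uses a constructed toy RSA key and textbook RSA in place of PGP or the repo's own signature format, and the index layout and the names `make_index`, `chain_ok` and `app.apk` are hypothetical.

```python
import hashlib
import json

# Constructed toy RSA key (two Mersenne primes, publicly known factors):
# for illustration only, standing in for the repo/PGP signing key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                                  # public modulus: what the user pins
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent: publisher only

def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes) -> int:
    """Publisher side: textbook RSA over SHA-256 (no padding, demo only)."""
    return pow(digest_int(data), D, N)

def make_index(apk: bytes) -> bytes:
    """Hypothetical minimal repo metadata: file name -> SHA-256."""
    return json.dumps({"app.apk": hashlib.sha256(apk).hexdigest()}).encode()

def checksum_only_ok(apk: bytes, page_checksum: str) -> bool:
    """The check from the first post: hash compared with the site's value."""
    return hashlib.sha256(apk).hexdigest() == page_checksum

def chain_ok(apk: bytes, index: bytes, index_sig: int, pinned_n: int) -> bool:
    """Pinned key -> signed metadata -> APK hash."""
    if pow(index_sig, E, pinned_n) != digest_int(index):
        return False                       # metadata not signed by pinned key
    return json.loads(index)["app.apk"] == hashlib.sha256(apk).hexdigest()

def scenarios() -> dict:
    good, evil = b"genuine apk bytes", b"substituted apk bytes"
    index = make_index(good)
    sig = sign(index)
    # Attacker controls the download server but not the private key:
    # they replace the APK, the displayed checksum and the index hashes.
    evil_index = make_index(evil)
    return {
        "checksum_genuine": checksum_only_ok(good, hashlib.sha256(good).hexdigest()),
        "checksum_swapped": checksum_only_ok(evil, hashlib.sha256(evil).hexdigest()),
        "chain_genuine": chain_ok(good, index, sig, N),
        "chain_apk_swapped": chain_ok(evil, index, sig, N),
        "chain_all_swapped": chain_ok(evil, evil_index, sig, N),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The substituted file passes the checksum-only comparison because its checksum was replaced with it, while both chain checks reject it; the result still depends on the pinned key having been obtained from somewhere the attacker does not control.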

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.