Vulnerability warnings in F-droid app

My F-droid app was updated a couple of days ago and it just came up with a couple of vulnerability warnings in the update tab:

“We found a vulnerability with … We recommend uninstalling this app immediately”

I hadn’t seen this kind of warning in F-Droid before so the first thing I want to do is check it’s legit. If this is a new feature, it would be good to have a blog post on f-droid.org introducing it. That way we can be confident it’s expected behaviour in the app, and that the warnings ought to be taken seriously.

One of the apps I was warned about was Snikket. According to a reply in the Snikket chat room:

this issue is caused by fdroid choosing to use an older version of libwebrtc… It’s only present in fdroid builds… And only matters at all if you use calls

I also have a similar warning for Simple File Manager. According to this issue discussion on their repo, this is also caused by the F-droid build using an older version of a library:

If this is correct, the vulnerability warnings would have been more useful if they had supplied this information, rather than implying the app developers were at fault. In the case of Snikket, it could have said the vulnerability related to calling and suggested I avoid that feature until the problem is fixed, rather than telling me to immediately uninstall the app.

1 Like

This was my doing; most of the app authors involved had months of notice.

The KnownVuln anti-feature has no way to expand on what it entails besides amending the app description, which for most apps is pulled directly from the app’s fastlane metadata stored in their source code repository.

The reasons are all listed in the MaintainerNotes and also here: https://web.archive.org/web/20221203163123/https://divestos.org/misc/appsec.txt

1 Like

It’s years old; it’s just that these are few and far between. They usually end up archived, but now the apps are current and developed, so they stick out more.

See the whole discussion here: Flag many apps with KnownVuln (!11496) · Merge requests · F-Droid / Data · GitLab

I think it would be very helpful if F-Droid contained details about what was found when it flags an app. For example, https://monitor.f-droid.org/anti-feature/KnownVuln ought to list what vulnerability was found in each app.

4 Likes

That would be really good if it is feasible to implement for F-Droid. :+1: :crossed_fingers:

As a newcomer to F-droid, Android, and indeed smartphones in general, the explanations for the warning in respect of Simple File Manager are very vague. They say there may be a vulnerability, which implies also that there may not. Can we have some certainty, please? Does it or does it not have a vulnerability?

1 Like

I’m not sure where you got the message “there may be a vulnerability”. The message in the F-Droid client is “We found a vulnerability with Simple File Manager Pro. We recommend uninstalling this app immediately.” There is no “may” in there.

Simple File Manager Pro does have a vulnerability, this is written in the metadata’s MaintainerNotes which sadly doesn’t have a way to be shown in the client yet: metadata/com.simplemobiletools.filemanager.pro.yml · 92fc88669dd6ffad96727548e2d0fa922e627010 · F-Droid / Data · GitLab

The summary is that the Simple File Manager Pro developer was notified August 2nd that they’re using an outdated PDF rendering library with known security vulnerabilities on Embedded PDFium is dated, has ~5/~60 CVE's · Issue #619 · SimpleMobileTools/Simple-File-Manager · GitHub and Flag many apps with KnownVuln (!11496) · Merge requests · F-Droid / Data · GitLab.

It looks like the developer may have fixed this issue a few days ago for a future release: Embedded PDFium is dated, has ~5/~60 CVE's · Issue #619 · SimpleMobileTools/Simple-File-Manager · GitHub

1 Like

Thanks for the explanation. I now have a better, if incomplete, understanding of the matter. “May” came from this

https://web.archive.org/web/20221203163123/https://divestos.org/misc/appsec.txt

which was linked to earlier in the discussion.

Ah, I see what you mean now. That document isn’t meant for end-users, it’s more meant for tech people to discuss the details.

But let me get through them one-by-one:

Preface:

  • This is a list of dependencies and apps that may have known vulnerabilities

Not all apps in the list have real vulnerabilities

  • These apps may not actually expose the vulnerable functionality

Not every vulnerability is in code paths the app actually takes

  • These apps may have mechanisms in places to mitigate the vulnerable functionality

Some apps may have their own checks to not run dangerous code

  • The primary focus is F-Droid variants of the apps, upstream versions may not be impacted

Sometimes the F-Droid version is slightly different from the “regular” version of the app.

	- com.github.tibbi:AndroidPdfViewer:da57ff410e using PDFium@32b639d from 2016-01-14
		- Implementer Libraries:
			- https://github.com/tibbi/AndroidPdfViewer/blob/da57ff410e3fb7bba831f5c7816834f2ed2d638d/android-pdf-viewer/build.gradle#L13
			- https://github.com/DineroRegnskab/PdfiumAndroid/commits/pdfium-android-1.9.2
				- Report: Issues are disabled, not reported
		- Report: Issues are disabled, not reported
		- Note: prebuilts are unclear, may actually be based off of M90 from 2021-03 instead
		- Status: Has ~5 or ~55 known security issues depending on note above
		- Dependent Apps:
			- Simple File Manager Pro 6.14.3
				- Reference: https://github.com/SimpleMobileTools/Simple-File-Manager/blob/6.14.3/app/build.gradle#L68
				- Report: https://github.com/SimpleMobileTools/Simple-File-Manager/issues/619

AndroidPdfViewer may be based on a PDFium from 2016 or from 2021, not 100% sure, so it’ll either have 5 or 55 known vulnerabilities.


In Simple File Manager’s case, it’s using a known unsafe PDF reader. Given PDFs are an extremely complex format, this could have bad results. Luckily Simple File Manager doesn’t have internet access so it’s unlikely any data could be directly stolen from your device with an evil PDF file, but it has complete filesystem access which could be dangerous. I am not the person who researched this, so I’m not sure which exploits are actually doable in Simple File Manager Pro. But it seems the next version will (hopefully) have fixed it.

3 Likes
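The appsec.txt entry quoted above is a tab-indented list: one line per dependency, a Report/Note/Status block, and a Dependent Apps sub-list with a Reference and Report per app. The earlier request in this thread was for the client to say which vulnerability was found in which app. As an added example (my own code, not F-Droid’s or DivestOS’s), here is a small parser for that format that turns an entry into per-app records and then into the kind of explanatory message the warning could carry. The sample text is a trimmed copy of the entry above, and the record layout (`library`, `status`, `apps`, …) is my own choice.

```python
"""Parse a DivestOS appsec.txt-style entry into per-app vulnerability notes."""
import re
from typing import Dict, List

# Constructed sample: a trimmed copy of the entry quoted in the thread,
# with the same tab-indented layout (one stray leading space kept on purpose).
SAMPLE = "\n".join([
    "\t- com.github.tibbi:AndroidPdfViewer:da57ff410e using PDFium@32b639d from 2016-01-14",
    "\t\t- Implementer Libraries:",
    "\t\t\t- https://github.com/tibbi/AndroidPdfViewer/blob/da57ff410e3fb7bba831f5c7816834f2ed2d638d/android-pdf-viewer/build.gradle#L13",
    "\t\t\t- https://github.com/DineroRegnskab/PdfiumAndroid/commits/pdfium-android-1.9.2",
    "\t\t\t\t- Report: Issues are disabled, not reported",
    "\t\t- Report: Issues are disabled, not reported",
    " \t\t- Note: prebuilts are unclear, may actually be based off of M90 from 2021-03 instead",
    "\t\t- Status: Has ~5 or ~55 known security issues depending on note above",
    "\t\t- Dependent Apps:",
    "\t\t\t- Simple File Manager Pro 6.14.3",
    "\t\t\t\t- Reference: https://github.com/SimpleMobileTools/Simple-File-Manager/blob/6.14.3/app/build.gradle#L68",
    "\t\t\t\t- Report: https://github.com/SimpleMobileTools/Simple-File-Manager/issues/619",
])

# "<coordinate> using <upstream>@<rev> from <date>" (the upstream part is optional)
ENTRY_RE = re.compile(r"^(?P<lib>\S+)(?: using (?P<upstream>\S+) from (?P<date>\d{4}-\d{2}-\d{2}))?$")
# "<app name> <version>", e.g. "Simple File Manager Pro 6.14.3"
APP_RE = re.compile(r"^(?P<name>.+?) (?P<version>\d[\w.\-]*)$")


def _depth_and_body(line: str):
    """Return (indent depth in tabs, text after '- ') or None for non-list lines."""
    leading = re.match(r"[ \t]*", line).group(0)   # stray spaces are tolerated
    text = line[len(leading):]
    if not text.startswith("- "):
        return None
    return leading.count("\t"), text[2:].strip()


def parse_appsec(text: str) -> List[dict]:
    """Parse every depth-1 dependency entry with its dependent apps."""
    libraries: List[dict] = []
    section = None          # "implementer libraries" or "dependent apps"
    current_app = None
    for raw in text.splitlines():
        parsed = _depth_and_body(raw)
        if parsed is None:
            continue
        depth, body = parsed
        if depth == 1:
            m = ENTRY_RE.match(body)
            libraries.append({
                "library": m.group("lib") if m else body,
                "upstream": m.group("upstream") if m else None,
                "upstream_date": m.group("date") if m else None,
                "implementers": [], "report": None, "note": None,
                "status": None, "apps": [],
            })
            section, current_app = None, None
        elif depth == 2 and libraries:
            if body.endswith(":"):                  # section header
                section = body[:-1].lower()
            else:                                   # "Key: value" for the library
                key, _, value = body.partition(":")
                libraries[-1][key.strip().lower()] = value.strip()
        elif depth == 3 and libraries:
            if section == "dependent apps":
                m = APP_RE.match(body)
                current_app = {"name": m.group("name") if m else body,
                               "version": m.group("version") if m else None,
                               "reference": None, "report": None}
                libraries[-1]["apps"].append(current_app)
            elif section == "implementer libraries":
                libraries[-1]["implementers"].append(body)
        elif depth == 4 and current_app is not None:
            key, _, value = body.partition(":")     # URLs keep their own colons
            current_app[key.strip().lower()] = value.strip()
    return libraries


def explain(libraries: List[dict]) -> Dict[str, str]:
    """One user-facing sentence per dependent app: which library, what status, where tracked."""
    messages: Dict[str, str] = {}
    for lib in libraries:
        for app in lib["apps"]:
            parts = [f"{app['name']} {app['version'] or ''}".strip(), f"bundles {lib['library']}"]
            if lib["upstream"]:
                parts.append(f"(based on {lib['upstream']} from {lib['upstream_date']})")
            if lib["status"]:
                parts.append(f"; status: {lib['status']}")
            if app["report"]:
                parts.append(f"; tracking issue: {app['report']}")
            messages[app["name"]] = " ".join(parts)
    return messages


if __name__ == "__main__":
    for name, msg in explain(parse_appsec(SAMPLE)).items():
        print(msg)
```

Running it on the sample prints one line for Simple File Manager Pro naming the AndroidPdfViewer/PDFium dependency, the “~5 or ~55 known security issues” status and the upstream issue link, which is roughly the information this thread suggests the client warning should show instead of a bare “uninstall immediately”.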

Thank you so much for those details, which are very reassuring.

1 Like

Here’s a dev perspective (also read update next): Snikket Blog | Notes on the F-Droid security warning

4 Likes

Simple File Manager doesn’t have internet access so it’s unlikely any data could be directly stolen from your device with an evil PDF file,

FWIW, it doesn’t need Internet or file permission; the PDF file itself can be the payload that exploits the library to gain code execution and then exploits a system or kernel vulnerability to escape the sandbox or escalate privileges in ways that cause damage to the user/system.

1 Like

It’s great to see the F-Droid team taking security so seriously, and the vulnerability warnings are a wise feature to have.

There seems to have been some confusion about whether it was the dev using that outdated library, or if it was the F-Droid build process using that library, despite the dev having switched to a newer version of the library. Same with Snikket. Perhaps there’s some way to tweak the communication between the F-Droid team and app devs to avoid the confusion that led to these two warnings?

Also, I agree with @sorenstoutner that it would improve the UX of vulnerability warnings if they linked to a web page on f-droid.org or another official site with more details about the vulnerability.

Thanks for this. I got the Snikket upgrade today and it appears to have fixed the problem for that app. Hopefully the same will happen for SFM soon.

2 Likes

The devs were aware of the flagging since August, there’s no confusion. Maybe they did not expect the message to sound so grave I guess. :person_shrugging:

1 Like

That sounds a bit like confusion to me :slight_smile: I’m guessing that Matt would have got a blog post up before the warning appeared if he knew the F-Droid app would be advising people to uninstall the app.

Full disclosure: I have done a bit of paid work for Snikket, sorry I neglected to mention that in the OP.

Yup, as said, “just that these are few and far between”, so we’re not used to seeing them.

There’s some work in progress, and we might need to signal them better.

The Simple File Manager application was updated two days ago and I have re-installed it, so my thanks to the developer. Curiously, the vulnerability warning appeared again, but on the assumption that it has not been updated to reflect the new status I have ignored it.

Next version update of SFM will remove the warning.

The warning is already removed. Please update your index.