Vulnerability warnings in F-droid app

My F-droid app was updated a couple of days ago and it just came up with a couple of vulnerability warnings in the update tab:

“We found a vulnerability with … We recommend uninstalling this app immediately”

I hadn’t seen this kind of warning in F-Droid before so the first thing I want to do is check it’s legit. If this is a new feature, it would be good to have a blog post on introducing it. That way we can be confident it’s expected behaviour in the app, and that the warnings ought to be taken seriously.

One of the apps I was warned about was Snikket. According to a reply in the Snikket chat room:

this issue is caused by fdroid choosing to use an older version of libwebrtc… It’s only present in fdroid builds… And only matters at all if you use calls

I also have a similar warning for Simple File Manager. According to this issue discussion on their repo, this is also caused by the F-droid build using an older version of a library:

If this is correct, the vulnerability warnings would have been more useful if they had supplied this information, rather than implying the app developers were at fault. In the case of Snikket, it could have said the vulnerability related to calling and suggested I avoid that feature until the problem is fixed, rather than telling me to immediately uninstall the app.

1 Like

This was my doing, most of the app authors involved had months of notice.

The KnownVuln anti-feature has no way to expand on what it entails besides amending the app description, which for most apps is pulled directly from the app’s fastlane metadata stored in their source code repository.

The reasons are all listed in the MaintainerNotes and also here:

1 Like

It’s years old, just that these are few and far between, they usually end up archived but now the apps are current and developed so they stick out more.

See the whole discussion here: Flag many apps with KnownVuln (!11496) · Merge requests · F-Droid / Data · GitLab

I think it would be very helpful if F-Droid contained details about what was found when it flags an app. For example, ought to list what vulnerability was found in each app.


That would be really good if it is feasible to implement for F-Droid. :+1: :crossed_fingers:

As a newcomer to F-droid, Android, and indeed smartphones in general the explanations for the warning in respect of Simple File Manager are very vague. They say there may be a vulnerability, which implies also that there may not. Can we have some certainty please. Does it or does it not have a vulnerability?

1 Like

I’m not sure where you got the message “there may be a vulnerability”. The message in the F-Droid client is “We found a vulnerability with Simple File Manager Pro. We recommend uninstalling this app immediately.”. There is no “may” in there.

Simple File Manager Pro does have a vulnerability, this is written in the metadata’s MaintainerNotes which sadly doesn’t have a way to be shown in the client yet: metadata/ · 92fc88669dd6ffad96727548e2d0fa922e627010 · F-Droid / Data · GitLab

The summary is that the Simple File Manager Pro developer was notified August 2nd that they’re using an outdated PDF rendering library with known security vulnerabilities on Embedded PDFium is dated, has ~5/~60 CVE's · Issue #619 · SimpleMobileTools/Simple-File-Manager · GitHub and Flag many apps with KnownVuln (!11496) · Merge requests · F-Droid / Data · GitLab.

It looks like the developer may have fixed this issue a few days ago for a future release: Embedded PDFium is dated, has ~5/~60 CVE's · Issue #619 · SimpleMobileTools/Simple-File-Manager · GitHub

1 Like

Thanks for the explanation. I now have a better, if incomplete, understanding of the matter. “May” came from this

which was linked to earlier in the discussion.

Ah, I see what you mean now. That document isn’t meant for end-users, it’s more meant for tech people to discuss the details.

But let me get through them one-by-one:


  • This is a list of dependencies and apps that may have known vulnerabilities

Not all apps in the list have real vulnerabilities

  • These apps may not actually expose the vulnerable functionality

Not every vulnerability is in code paths the app actually takes

  • These apps may have mechanisms in places to mitigate the vulnerable functionality

Some apps may have their own checks to not run dangerous code

  • The primary focus is F-Droid variants of the apps, upstream versions may not be impacted

Sometimes the F-Droid version is slightly different from the “regular” version of the app.

	- com.github.tibbi:AndroidPdfViewer:da57ff410e using PDFium@32b639d from 2016-01-14
		- Implementer Libraries:
				- Report: Issues are disabled, not reported
		- Report: Issues are disabled, not reported
 		- Note: prebuilts are unclear, may actually be based off of M90 from 2021-03 instead
		- Status: Has ~5 or ~55 known security issues depending on note above
		- Dependent Apps:
			- Simple File Manager Pro 6.14.3
				- Reference:
				- Report:

AndroidPdfViewer may be based on a PDFium from 2016 or from 2021, not 100% sure, so it’ll either have 5 or 55 known vulnerabilities.

In Simple File Manager’s case, it’s using a known unsafe PDF reader. Given PDFs are an extremely complex format, this could have bad results. Luckily Simple File Manager doesn’t have internet access so it’s unlikely any data could be directly stolen from your device with an evil PDF file, but it has complete filesystem access which could be dangerous. I am not the person who researched this, so I’m not sure which exploits are actually doable in Simple File Manager Pro. But it seems the next version will (hopefully) have fixed it.


Thank you so much for those details which are
very reassuring.

1 Like

Here’s a dev perspective (also read update next): Snikket Blog | Notes on the F-Droid security warning


Simple File Manager doesn’t have internet access so it’s unlikely any data could be directly stolen from your device with an evil PDF file,

fwiw it doesn’t need Internet or file permission, the PDF file itself can be the payload that can exploit the library to gain code execution to then exploit a system or kernel vulnerability to escape the sandbox or escalate privileges in ways to cause damage to the user/system.

1 Like

It’s great to see the F-Droid team taking security so seriously, and the vulnerability warnings are a wise feature to have.

There seems to have been some confusion about whether it was the dev using that outdated library, or if it was the F-Droid build process using that library, despite the dev having switched to a newer version of the library. Same with Snikket. Perhaps there’s some way to tweak the communication between the F-Droid team and app devs to avoid the confusion that led to these two warnings?

Also, I agree with @sorenstoutner that it would improve the UX of vulnerability warnings if they linked to a web page on or another official site with more details about the vulnerability.

Thanks for this. I got the Snikket upgrade today and it appears to have fixed the problem for that app. Hopefully the same will happen for SFM soon.


The devs were aware of the flagging since August, there’s no confusion. Maybe they did not expect the message to sound so grave I guess. :person_shrugging:

1 Like

That sounds a bit like confusion to me :slight_smile: I’m guessing that Matt would have got a blog post up before the warning appeared if he knew the F-Droid app would be advising people to uninstall the app.

Full disclosure: I have done a bit of paid work for Snikket, sorry I neglected to mention that in the OP.

Yup, as said “just that these are few and far between” so we’re not used to see them.

There’s some work in progress and we might need to signal them better

The Simple File Manager application was updated two days ago and I have re-installed it, so my thanks to the developer. Curiously the vulnerabity warning appeared again, but on the assumption that it has not been updated to reflect the new status I have ignored it.

Next version update of SFM will remove the warning.

The warning is already removed. Please update your index.