[guardian-dev] Manipulating App Bundles

Michael Rogers michael at briarproject.org
Sat Jun 27 07:06:18 EDT 2020


On 22/06/2020 15:53, Marcus Hoffmann wrote:
> Hi,
> 
> (I work on F-Droid)
> 
> On 22.06.20 13:20, Mark Murphy wrote:
>> On Sun, Jun 21, 2020, at 22:20, John Sullivan wrote:
>>> Just a quick comment on that last part. It may be worth mentioning for 
>>> a fuller picture that F-Droid signs the builds themselves because they 
>>> build them themselves. They publish all of the source that they are 
>>> building as well as the server software that does the build. Doesn't 
>>> mean things are 100% reproducible, but it might be relevant to mention.
>>
>> The *intent* is for F-Droid to build the apps themselves solely from the original sources. With sufficient motivation ("those are lovely kneecaps you got there -- it would be a pity if we had to break them"), F-Droid could be convinced to deliver altered apps. And, as with the Google App Bundle scenario, there is nothing to stop them. That then puts the onus on app developers or the broader ecosystem to detect this, and I don't know if anyone is looking. Perhaps people are looking and I just don't know about it -- if you know of people who are, I'd love to hear about them!
> 
> A targeted attack would be harder for F-Droid as you have no control
> from which mirror a client will pull an updated index and no accounts or
> other information beside the IP to identify a target. Untargeted attacks
> should be relatively easy to detect as it's only the package index file
> that needs to be monitored (and it is by various bots, etc.)
> 
> But yes, we are working on a real solution to this, where different
> entities build the same packages independent from each other and the
> client only installs an update once it has got enough rebuilder
> attestations from trusted parties.

It's worth mentioning that F-Droid also has a fantastic but not much
used feature that allows an app to be signed with the developer's own
key, as long as F-Droid can reproduce the supplied binary exactly from
the published source. We use this for publishing the same Briar binaries
through F-Droid and Google Play.

In theory Google could do something similar (without requiring the
original APK to be built reproducibly): the developer would build the
universal APK as usual, use bundletool to generate all the variant APKs,
sign them, and upload the signatures along with the universal APK (and
presumably some metadata, like the bundletool version) to Google Play.
Google would then generate the same variant APKs and apply the
developer's signatures.

Or, even simpler, the developer could just upload the variant APKs. A
few hundred MB of bandwidth isn't a big cost to exclude the possibility
of targeted backdoors...

Cheers,
Michael
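The client-side policy Marcus sketches above (install an update only once enough independent rebuilders have attested to the same package) and the reproducible-build check Michael describes both reduce to the same question: do enough trusted parties agree on the exact bytes of the artifact the client is about to install? The following is an added example, not code from F-Droid, Briar or this thread; the rebuilder identities, package name and APK bytes are constructed, and it assumes the attestations have already had their signatures verified upstream, so it only models the agreement and threshold logic.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, Tuple

# Constructed sample standing in for the APK the client downloaded from a mirror.
DOWNLOADED_APK = b"PK\x03\x04 constructed-sample-apk-bytes com.example.app 42"

# Hypothetical rebuilders this client trusts (names are made up for the example).
TRUSTED_REBUILDERS = frozenset({"rebuilder-a.example", "rebuilder-b.example", "rebuilder-c.example"})


@dataclass(frozen=True)
class Attestation:
    """One rebuilder's statement: 'I rebuilt package/version from source and got this digest'.
    In a real deployment this record would be signed by the rebuilder; signature
    verification is assumed to have happened before the record reaches this code."""
    rebuilder: str
    package: str
    version_code: int
    sha256: str  # hex digest of the APK that rebuilder produced


def apk_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate_update(apk: bytes, package: str, version_code: int,
                    attestations: Iterable[Attestation], threshold: int) -> Tuple[bool, str]:
    """Decide whether the client may install `apk`.

    Policy:
      * only attestations from TRUSTED_REBUILDERS for this exact package/version count;
      * each rebuilder is counted once, however many records it submitted;
      * at least `threshold` distinct rebuilders must report the digest of the downloaded APK;
      * a trusted rebuilder reporting a *different* digest blocks the install, because it means
        the build is either not reproducible or the downloaded artifact was altered.
    """
    digest = apk_digest(apk)
    reported = {}  # rebuilder -> first digest it reported for this package/version
    for att in attestations:
        if att.rebuilder not in TRUSTED_REBUILDERS:
            continue
        if att.package != package or att.version_code != version_code:
            continue
        reported.setdefault(att.rebuilder, att.sha256)

    agreeing = sorted(r for r, d in reported.items() if d == digest)
    disagreeing = sorted(r for r, d in reported.items() if d != digest)

    if disagreeing:
        return False, f"digest mismatch from trusted rebuilder(s): {disagreeing}"
    if len(agreeing) < threshold:
        return False, f"only {len(agreeing)} of {threshold} required attestations present"
    return True, f"{len(agreeing)} trusted rebuilders agree on sha256 {digest[:16]}..."


if __name__ == "__main__":
    good = apk_digest(DOWNLOADED_APK)
    sample = [
        Attestation("rebuilder-a.example", "com.example.app", 42, good),
        Attestation("rebuilder-b.example", "com.example.app", 42, good),
        Attestation("rebuilder-b.example", "com.example.app", 42, good),   # duplicate, counted once
        Attestation("untrusted.example", "com.example.app", 42, good),     # ignored
        Attestation("rebuilder-c.example", "com.example.app", 41, "00" * 32),  # older version, ignored
    ]
    print(evaluate_update(DOWNLOADED_APK, "com.example.app", 42, sample, threshold=2))
    print(evaluate_update(DOWNLOADED_APK, "com.example.app", 42, sample, threshold=3))
```

Treating a disagreeing trusted rebuilder as a hard stop rather than merely "one fewer vote" is a deliberate choice: in a reproducible-build scheme a mismatch is the signal the whole design exists to surface, so it should be reported loudly rather than quietly outvoted.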