[guardian-dev] FYI: Code Transparency

Hans-Christoph Steiner hans at guardianproject.info
Mon Jul 5 10:29:44 EDT 2021



Mark Murphy:
> On Wed, Jun 30, 2021, at 12:55, Nathan of Guardian wrote:
>> Thanks for the always thorough and thoughtful updates and analysis, Mark.
> 
> Happy to help, and thanks for the kind words!
> 
>> Wouldn't it be possible to build a library that we include in our apps
>> that inspects the APK files at runtime on a device, and looks for the
>> transparency files in the APK, and even checks the hashes. This could be
>> done as a "App Integrity Check" on first run.
> 
> The app packager (Google, Amazon) could remove the code that does that check, or at least nerf it. For example, replace:
> 
> if (isMyAppOK()) {
>    proceed()
> } else {
>    abandonShip()
> }
> 
> with:
> 
> if (true) {
>    proceed()
> } else {
>    abandonShip()
> }
> 
> The premise here is that because they have app signing authority, then they have the technical capability to modify anything that they want in the App Bundle (APK for Amazon). You start to get into the same sort of arms race that developers fight and lose with those who try to reverse-engineer apps.
> 
> The combination of your proposed library and a robust obfuscation system might help prevent bulk modification of apps. That starts to impose other limits (e.g., can't use Crashlytics for bug reporting, because then you're uploading the de-obfuscation maps to Google). It also won't block a determined attacker who is going after a few specific apps (e.g., intelligence agency of a country that strong-arms Google into distributing tampered apps).
> 
> I think that the library that you propose will almost "fall out of" work to create a library for checking the integrity of other apps. Having it probably won't hurt.

Thanks, Mark, for championing this cause!  It's funny to see after years of F-Droid 
getting criticized for having this model, now Google is forcing it.  And F-Droid 
now supports the reproducible builds requirement for any APK signature type.  I 
think the signature copying is starting to work well enough that we could start 
doing reproducible builds even when the upstream developer isn't trying to.

.hc


-- 
PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
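As an added illustration of the integrity check Nathan sketches above (inspect the APK, find the transparency file, verify the hashes) and of the "checking the integrity of other apps" library Mark mentions, here is a small Python verifier run over a constructed APK-like zip. This is example code, not code from this thread or from any Guardian Project or F-Droid tool; the JSON manifest layout, its entry name and the sample file contents are assumptions made for the example and are not Play's real code-transparency format.

```python
import hashlib
import io
import json
import zipfile

# Assumed manifest layout for this example (not Play's real code-transparency
# file): a JSON object mapping APK entry name -> SHA-256 hex of that entry.
TRANSPARENCY_ENTRY = "META-INF/code_transparency.json"
CODE_SUFFIXES = (".dex", ".so")


def build_sample_apk(tamper=False, add_unlisted=False):
    """Build a constructed, minimal APK-like zip carrying a transparency manifest."""
    files = {
        "classes.dex": b"dex\n035\x00constructed dex payload",
        "lib/arm64-v8a/libfoo.so": b"\x7fELFconstructed native library",
    }
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    if tamper:  # code modified after the manifest was produced
        files["classes.dex"] = b"dex\n035\x00modified dex payload"
    if add_unlisted:  # code added after the manifest was produced
        files["classes2.dex"] = b"dex\n035\x00injected dex payload"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr(TRANSPARENCY_ENTRY, json.dumps(manifest))
    return buf.getvalue()


def verify_code_transparency(apk_bytes):
    """Check every manifest entry's hash and flag code the manifest does not list.

    Returns {"ok": bool, "mismatched": [...], "unlisted": [...]}. A missing
    manifest is treated as an empty one, so all code shows up as unlisted.
    This only has teeth if the manifest is signed by a key the packager does
    not hold; an unsigned manifest can simply be regenerated with the new code.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = set(zf.namelist())
        manifest = json.loads(zf.read(TRANSPARENCY_ENTRY)) if TRANSPARENCY_ENTRY in names else {}
        mismatched = sorted(
            n for n, h in manifest.items()
            if n not in names or hashlib.sha256(zf.read(n)).hexdigest() != h
        )
        unlisted = sorted(n for n in names if n.endswith(CODE_SUFFIXES) and n not in manifest)
    return {"ok": not mismatched and not unlisted, "mismatched": mismatched, "unlisted": unlisted}
```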