item 30507185

nosedief | 4 years ago

Although I'd like to applaud any alternative to Google Play the approach F-Droid pursues does not fit a serious security model. F-Droid builds are custom signed and can be made by random parties without proper auditing after initial review.

Also, it is stuck on old APIs and won't allow the use of Android's new unattended update feature (UPDATE_PACKAGES_WITHOUT_USER_ACTION) and requires intrusive privileged system access to do that.

A more serious flaw opposing the Android security model is the fact that an app store is supposed to feed from a single repository which F-Droid does not adhere to.

Also, often these repos are poorly maintained, rarely updated and often conflict with Play Store packages because they use identical app ids.

All they care about is to be free from "evil proprietary components" which comes at a great cost of security and inescapably privacy.

It's just not a good choice for these and additional reasons such as building a ton of their apps unattendedly on a potentially malicious server.


pserwylo|4 years ago

> F-Droid builds are custom signed and can be made by random parties without proper auditing after initial review.

F-Droid follows a similar model to traditional Linux package managers, which has shown time and again that they are both trustworthy and secure (or at least, they offer the user the freedom to choose the level of trust they have in the package signers).

When installing from a Debian repo, I'm typically installing a package that is not built/signed by the upstream developer. I am implicitly (in the case of a default install) trusting the Debian developers' signing practices or explicitly (if you add a third party repo). This means you trust both those in charge of the building/packaging/signing as well as the upstream developers. The same is true of F-Droid.

Of course, the notable exception is that F-Droid also supports upstream packages signed by the developer if the builds are verifiably reproducible.
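The reproducible-build check mentioned in this comment, as an added example that is not part of the thread and not F-Droid's own tooling: an independent rebuild is compared against the developer's APK with the signature entries set aside, and only a byte-for-byte match lets the repository ship the developer-signed file. The two archives are constructed in memory; the check assumes JAR-style (v1) signatures stored as META-INF entries and ignores the v2/v3 APK Signing Block that real APKs also carry.

```python
"""Toy reproducible-build check: does an independent rebuild match the
developer's APK once signature-specific entries are excluded?

Assumptions (not from the thread): signatures are modelled as v1 (JAR)
entries under META-INF/; the v2/v3 APK Signing Block that sits outside
the zip entries is not handled here. Both archives are constructed inline.
"""
import hashlib
import io
import zipfile

# Entries that a v1 (JAR) signature adds; they differ per signer, so they
# are excluded from the content comparison.
_SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")
_SIGNATURE_FILES = ("META-INF/MANIFEST.MF",)


def is_signature_entry(name: str) -> bool:
    """True for zip entries that belong to a v1 signature, not to the app."""
    return name in _SIGNATURE_FILES or (
        name.startswith("META-INF/") and name.upper().endswith(_SIGNATURE_SUFFIXES)
    )


def content_digest(apk_bytes: bytes) -> str:
    """SHA-256 over every non-signature entry (name + length + bytes), sorted by name."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if is_signature_entry(name):
                continue
            data = zf.read(name)
            h.update(name.encode("utf-8") + b"\0")
            h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def is_reproducible(upstream_apk: bytes, rebuilt_apk: bytes) -> bool:
    """The rebuild is reproducible if the signature-stripped contents match exactly."""
    return content_digest(upstream_apk) == content_digest(rebuilt_apk)


def make_apk(entries: dict, signer: str = "") -> bytes:
    """Constructed stand-in for an APK: a zip with optional fake v1 signature files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        if signer:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", "signed-by: %s\n" % signer)
            zf.writestr("META-INF/CERT.RSA", ("fake-cert-" + signer).encode())
    return buf.getvalue()


# Constructed app contents (placeholder bytes, not a real dex file).
APP = {
    "AndroidManifest.xml": b"<manifest package='org.example.app'/>",
    "classes.dex": b"dex\n035\x00constructed-bytecode",
    "res/values/strings.xml": b"<resources/>",
}

UPSTREAM = make_apk(APP, signer="developer")        # developer-signed release
REBUILD_OK = make_apk(APP, signer="repo")           # independent rebuild, same contents
TAMPERED = dict(APP, **{"classes.dex": b"dex\n035\x00different-bytecode"})
REBUILD_BAD = make_apk(TAMPERED, signer="repo")     # rebuild whose code differs


if __name__ == "__main__":
    print("matching rebuild:   ", is_reproducible(UPSTREAM, REBUILD_OK))   # True
    print("mismatching rebuild:", is_reproducible(UPSTREAM, REBUILD_BAD))  # False
```

Only when `is_reproducible` returns True is it meaningful to publish the developer-signed file: the repository has independently confirmed that the signed bytes correspond to the source it built. A mismatch says nothing about who is at fault (toolchain drift is a common cause), but it does mean the repository cannot vouch for the upstream binary.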

nosedief|4 years ago

There is a difference in your Linux desktop workstation and your most private device. Desktop systems are not nearly as secure and should not be seen as such, and Linux surely at the tail end.

People using F-Droid might not be aware that they are trusting a third party as they think it is a trusted distribution channel, relying on the information stated on the client app or website.

lolinder|4 years ago

Do you have a citation for your claims about the Android security model?

The only things I can find about app stores in the paper by Google[0] run directly counter to your idea:

> Android explicitly supports installation of apps from arbitrary sources, which led to the development of different app stores and the existence of apps outside of Google Play.

And this:

> Both users and developers are part of an open ecosystem that is not limited to a single application store. Central vetting of developers or registration of users is not required.

And as far as signing goes:

> In order to ensure that it is the app developer and not another party that is consenting, applications are signed by the developer. This prevents third parties — including the app store — from replacing or removing code or resources in order to change the app’s intended behavior

[0] https://arxiv.org/abs/1904.05572

Wonderfall|4 years ago

You misunderstood what they said. Indeed, Android can have multiple app repositories and this is an integral part of its security model design.

However, for the security model to be respected, each app repository should represent a single source. The device and user management APIs expect that in Android. F-Droid fundamentally bypasses the trust boundaries in that regard by allowing multiple repositories to coexist within a single client.

Not to mention it also results in a terrible UX given that the application IDs are often reused but signed by another party.

ranger207|4 years ago

This sounds like the traditional Linux packaging model: one repo with software built by distro maintainers, additional repos added by the user with software built by whoever. I don't see any problems with it

nosedief|4 years ago

The Android security model strictly forbids it. This should be enough of a problem as it is the very foundation to establish security for the system's user.

rpdillon|4 years ago

I don't understand the definition of 'repository' here:

> A more serious flaw opposing the Android security model is the fact that an app store is supposed to feed from a single repository which F-Droid does not adhere to.

Also, where is this documented? I read through several security pages (e.g. https://source.android.com/security/overview) and can't find any reference to a 'repository' or the idea that F-Droid is not secure because it aggregates apps from many sources. I think I'm misunderstanding your point entirely...any links to more detail would be very interesting to me.

eighthave|4 years ago

That may be true if you are sideloading F-Droid. Our security model focus is based on integrating F-Droid into the ROM, like with CalyxOS. This method is proven to provide better security than Google Play devices, since by default, all apps are open source and reviewed by humans. For example https://f-droid.org/2020/03/04/f-droid-is-a-key-source-for-a...

_joel|4 years ago

[deleted]