top | item 30509995

Wonderfall | 4 years ago

You misunderstood what they said. Indeed, Android can have multiple app repositories and this is an integral part of its security model design.

However, for the security model to be respected, each app repository should represent a single source. The device and user management APIs expect that in Android. F-Droid fundamentally bypasses the trust boundaries in that regard by allowing multiple repositories to coexist within a single client.

Not to mention it also results in a terrible UX given that the application IDs are often reused but signed by another party.
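The trust-boundary problem described in this comment (one application ID published by more than one repository, each signing with its own key) can be made concrete with a small check. The following is an added example, not code from F-Droid, Android or anyone in this thread: it scans a constructed, made-up set of index entries from two hypothetical repositories, reports package IDs that appear under more than one signing certificate, and applies the same-signer rule Android enforces for updates (an update must be signed by the certificate of the installed package). The repository URLs, package IDs and certificate hashes are all placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class IndexEntry:
    repo: str          # repository the entry was fetched from (placeholder URL)
    package_id: str    # Android application ID, e.g. org.example.app (constructed)
    signer: str        # SHA-256 hex of the signing certificate (constructed value)
    version_code: int  # monotonically increasing version code


# Constructed sample index: two hypothetical repositories both publish
# org.example.mail, but under different signing certificates, while
# org.example.notes is signed by the same key in both.
SAMPLE_INDEX = [
    IndexEntry("https://repo-a.example/repo", "org.example.mail", "aa" * 32, 120),
    IndexEntry("https://repo-b.example/repo", "org.example.mail", "bb" * 32, 121),
    IndexEntry("https://repo-a.example/repo", "org.example.notes", "cc" * 32, 7),
    IndexEntry("https://repo-b.example/repo", "org.example.notes", "cc" * 32, 8),
]


def signer_conflicts(entries):
    """Return {package_id: {signer: [repos]}} for every application ID that is
    published under more than one signing certificate across the given repos."""
    signers = defaultdict(lambda: defaultdict(set))
    for e in entries:
        signers[e.package_id][e.signer].add(e.repo)
    return {
        pid: {s: sorted(repos) for s, repos in by_signer.items()}
        for pid, by_signer in signers.items()
        if len(by_signer) > 1
    }


def acceptable_update(installed_signer, installed_version, candidate):
    """Apply Android's update rule: the candidate must carry the same signing
    certificate as the installed package and must be strictly newer."""
    if candidate.signer != installed_signer:
        return False, "signer mismatch: refusing update from %s" % candidate.repo
    if candidate.version_code <= installed_version:
        return False, "not newer than installed version"
    return True, "ok"


def candidate_updates(installed, entries):
    """installed: {package_id: (signer, version_code)} for apps on the device.
    Returns {package_id: [(repo, accepted, reason), ...]} for each index entry
    that names an installed package."""
    decisions = {}
    for e in entries:
        if e.package_id not in installed:
            continue
        signer, version = installed[e.package_id]
        ok, reason = acceptable_update(signer, version, e)
        decisions.setdefault(e.package_id, []).append((e.repo, ok, reason))
    return decisions


if __name__ == "__main__":
    # Constructed device state: both apps were originally installed from repo-a.
    installed = {"org.example.mail": ("aa" * 32, 120), "org.example.notes": ("cc" * 32, 7)}
    for pid, by_signer in signer_conflicts(SAMPLE_INDEX).items():
        print("conflict:", pid, "has", len(by_signer), "distinct signers")
    for pid, outcomes in candidate_updates(installed, SAMPLE_INDEX).items():
        for repo, ok, reason in outcomes:
            print(pid, repo, "ACCEPT" if ok else "REJECT", reason)
```

In the constructed data, `org.example.mail` is flagged as a conflict and the newer build from the second repository is rejected because its certificate differs from the installed one, whereas `org.example.notes` updates cleanly because both repositories carry the same signer. A client that merges several repositories into one view has to surface exactly this distinction to the user; otherwise the "same ID, different signer" case shows up only as a failed or confusing update.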

lolinder | 4 years ago

> However, for the security model to be respected, each app repository should represent a single source. The device and user management APIs expect that in Android.

This is exactly the point that I was questioning, so it sounds like I understood their point just fine. Do you have a citation for this assertion?

The paper from Google doesn't even mention a repository as a concept.

Here's what it does say:

> Untrusted code is executed on the device. One fundamental difference to other mobile operating systems is that Android intentionally allows (with explicit consent by end users) installation of application (A) code from arbitrary sources, and does not enforce vetting of apps by a central instance.

The Android security model is based on the idea that you can install arbitrary APKs from literally anywhere. If I download an APK through Chrome and install it, I might turn around and download another APK from a different website. If anything, Chrome is more arbitrary in its sourcing of APKs. How does F-Droid break the security model but Chrome doesn't? Alternatively, how does Google allow Chrome to break its own security model?

And again, what is your source for your claim? I'm reading the actual document from Google, and it appears to say exactly the opposite of what you're saying.

Wonderfall | 4 years ago

This paper is not exhaustive and there is further documentation on the APIs in question on the Android official website. You can easily guess the problem involved with the security model when the OS expects an app repository to represent a source of trust, but the app in question decides otherwise.

Chromium is a particular case, but is still equally considered an untrusted source unless explicitly allowed. Of course, the security model takes into account that apps can be installed from anywhere. That's why they're signed and they're running in their own restricted sandbox.