hhmx.de

Federation EN Sun 21.07.2024 07:36:11

@jak2k We can't recommend using F-Droid due to extremely poor security practices throughout their client, repository design and infrastructure. The developers have an anti-security attitude and have demonstrated thoroughly untrustworthy behavior.

We're going to be supporting Accrescent and helping them get what they need to reach a stable release and provide a huge number of apps with the support of the app developers.

People are free to use F-Droid on GrapheneOS but we won't promote it.

Federation EN Sun 21.07.2024 08:50:11

@GrapheneOS
Hmm, how can the repository design be insecure? Everything is loaded over HTTPS and APKs are signed. Isn't that already secure? A growing number of apps are now also built reproducibly.

Is there more information somewhere about this?

Federation EN Sun 21.07.2024 10:31:37

@jak2k
Accrescent also signs the repository, so their servers are untrusted.
accrescent.app/features
@GrapheneOS

Federation EN Tue 23.07.2024 08:48:03

@niko4u @jak2k

F-Droid attempts to do repository metadata signing, but both the approach they take and the implementation are quite flawed.

Transport security via HTTPS using WebPKI doesn't only trust their server. It also trusts every CA and sub-CA without a way to monitor abuse since unlike a browser there isn't enforced Certificate Transparency. We pin root keys and backup keys for our services in our apps but of course it's not what's relied on for verifying App Store repository metadata.
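The trust model described above, where the app pins the repository signing key so that neither the server nor any WebPKI CA is relied on for metadata integrity, as an added Go example; this is not code from the thread or from F-Droid, Accrescent or GrapheneOS, and the index format, the package name and the timestamp-based rollback check are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Index is the repository metadata the client downloads (constructed, hypothetical format):
// an issue timestamp for the rollback check plus package name -> hex SHA-256 of its APK.
type Index struct {
	Timestamp int64             `json:"timestamp"`
	APKs      map[string]string `json:"apks"`
}
type SignedIndex struct{ Index, Signature []byte } // serialized index + detached Ed25519 signature
func APKHash(apk []byte) string { // hex SHA-256 that an index entry is expected to carry
	sum := sha256.Sum256(apk)
	return hex.EncodeToString(sum[:])
}
// SignIndex runs on the operator's side, offline, with the repository private key.
func SignIndex(priv ed25519.PrivateKey, idx Index) SignedIndex {
	b, _ := json.Marshal(idx) // Index only holds marshalable fields, so no error is possible
	return SignedIndex{Index: b, Signature: ed25519.Sign(priv, b)}
}
// VerifyIndex is the client side: pinnedKey ships inside the app, so neither the server nor any
// WebPKI CA is trusted for index integrity. A validly signed index older than lastSeen is a rollback.
func VerifyIndex(pinnedKey ed25519.PublicKey, si SignedIndex, lastSeen int64) (idx Index, err error) {
	if !ed25519.Verify(pinnedKey, si.Index, si.Signature) {
		return idx, errors.New("index signature does not verify against the pinned key")
	}
	if err = json.Unmarshal(si.Index, &idx); err == nil && idx.Timestamp < lastSeen {
		err = errors.New("index is older than the last accepted one: possible rollback")
	}
	return idx, err
}
// VerifyAPK checks a downloaded APK against the hash pinned in an already verified index.
func VerifyAPK(idx Index, pkg string, apk []byte) error {
	if want, ok := idx.APKs[pkg]; !ok || APKHash(apk) != want {
		return errors.New("APK not in index or hash mismatch: altered on the server or in transit")
	}
	return nil
}
func main() { // demo: sign, then verify with the pinned key; prints "<nil> <nil>" on the happy path
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	idx, err := VerifyIndex(pub, SignIndex(priv, Index{Timestamp: 100, APKs: map[string]string{"org.example.app": APKHash([]byte("fake apk"))}}), 50)
	fmt.Println(err, VerifyAPK(idx, "org.example.app", []byte("fake apk")))
}
```

A tampered index, an APK swapped on the server, or a replayed old index all fail here even when served over a perfectly valid HTTPS connection, which is what "the servers are untrusted" means in practice.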

Federation EN Tue 23.07.2024 09:41:06

@niko4u @jak2k @GrapheneOS How much extra security does that add though? Seems to me to be very little since you're still trusting the maintainers whose keys are embedded in the app.

Federation EN Sun 21.07.2024 10:34:22

@jak2k reproducible builds have nothing to do with security

Federation EN Sun 21.07.2024 10:57:30

@idkrn
On F-Droid only reproducible builds can be signed by the developer, as far as I know.
@jak2k

Federation EN Sun 21.07.2024 11:56:22

@niko4u what does that do for security when we can just get it from the dev directly?

Federation NL Tue 23.07.2024 07:28:12

@jak2k @GrapheneOS I too would like to know.

Federation EN Tue 23.07.2024 08:43:14

@jak2k

They still build and sign nearly all the apps themselves, and are not migrating towards using that approach. Regardless of whether it's their own builds with their own signatures, F-Droid is still responsible for securing the initial download. It has poor security throughout the design and implementation.

You can read privsec.dev/posts/android/f-dr as a starting point but it doesn't cover most of our technical concerns with F-Droid. We also have major concerns about the people in charge of it.

Federation EN Tue 23.07.2024 09:44:29

@GrapheneOS @jak2k Is that worse than Google Play, which forces* developers to give up their private keys to Google?
The GOS community seems to think so but I've never understood why.

*Or at least, they were planning on doing that a while ago. Have they gone ahead with it?

Federation EN Tue 23.07.2024 17:46:41

@GrapheneOS
What about @IzzyOnDroid's repo? As far as I know, the APKs there are directly from the devs.

Federation EN Tue 23.07.2024 20:53:26

@jak2k that's correct: all from their official distributions, signed by their own keys, and several additional checks applied on top to make sure they're as safe as possible: signing keys pinned, library checks, manifest checks, signing block checks, and much more; see e.g. android.izzysoft.de/articles/n @GrapheneOS