Issue #1890
closed
Make Replicant's main app store a "known source" instead of an "unknown sources"
100%
Description
On a fresh Replicant install, when you go to update or install apps via F-Droid, you get this error message:
"Install blocked
For security, your phone is set to block installation of apps obtained from unknown sources"
If possible, Replicant should be modified so that F-Droid is viewed as the main app store and the user should only have to toggle the "Allow installation of apps from unknown sources" button in the Settings if they are trying to install an app that isn't from F-Droid.
I believe that after you install your first app from F-Droid you can turn Unknown Sources back off in the settings, and still be able to install and update anything you want from within the app store, which is preferable to do from a security point of view. However, the user isn't prompted to turn the setting back off.
Updated by Kurtis Hanna over 6 years ago
This post by Moxie from Open Whisper Systems talks about themes related to this: https://github.com/signalapp/Signal-Android/issues/127#issuecomment-13447074
Updated by Kurtis Hanna over 6 years ago
This was discussed a bit here, but no one provided a proper answer: https://stackoverflow.com/questions/18660395/known-source-but-not-from-google-play
Updated by Fil Bergamo about 6 years ago
I personally have zero knowledge about the app signing process and where the "known sources" are stored in the Android system.
Now, being that we have complete control over the entire code base of our distribution, there is theoretically nothing to stop us achieving what you suggest.
The macro-steps would be as follows:
1. determine how the app signature trust system works in Android
2. change the trust model as needed by our requirements (needs deciding an official app distribution mechanism first)
3. locate the spot(s) in Replicant's code base where the trust model is implemented
4. change the implementation according to point 2.
The first (superficial) research I've done suggests that the "stock" trust model design is heavily bound to Google's infrastructure (Play and other services).
It seems like the only documented option for "alternative distributions" (sic) is to have the user manually enable "untrusted sources".
I'm most probably wrong as I didn't search that well, but at first glance it seems like the only option we're left with is to redesign a broader model of trust independent of any specific vendor.
resources:
https://source.android.com/security/apksigning/v2.html#verification
https://developer.android.com/distribute/marketing-tools/alternative-distribution
https://nelenkov.blogspot.com/2013/05/code-signing-in-androids-security-model.html
Updated by Hans-Christoph Steiner almost 6 years ago
F-Droid works well without "Unknown Sources" if the F-Droid Privileged Extension is built into the ROM. I thought Replicant already did that. Copperhead, Fairphone Open and Lineage-for-MicroG all do that.
https://gitlab.com/fdroid/privileged-extension/#how-do-i-build-it-into-my-rom
Updated by Kurtis Hanna almost 6 years ago
I think that our stable release does this, but I don't think that we are doing this in our nightly releases. We'll have to fix that.
Updated by Andrés D over 5 years ago
Hans-Christoph Steiner wrote:
F-Droid works well without "Unknown Sources" if the F-Droid Privileged Extension is built into the ROM. I thought Replicant already did that.
https://gitlab.com/fdroid/privileged-extension/#how-do-i-build-it-into-my-rom
The problem is that in the development branch the extension doesn't get integrated into the ROM. I don't see anything different with the stable branch, and I think that we are doing what is documented in the privileged extension howto page. We need to understand why this is happening.
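A check for the condition discussed in the comments above, as an added example that is not part of the original thread or of Replicant's or F-Droid's code: it reads `pm list packages -f` output and reports whether the F-Droid Privileged Extension sits under `/system/priv-app`. `org.fdroid.fdroid.privileged` is the extension's application id; the APK paths and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Replicant or F-Droid project code).
# Classifies how the F-Droid Privileged Extension is installed, given
# `pm list packages -f` output: lines of the form package:<apk path>=<id>.

EXT_PKG="org.fdroid.fdroid.privileged"   # the extension's application id
CR=$(printf '\r')                        # older adb shells emit CRLF line ends

# Reads pm output on stdin and prints one of:
#   privileged  APK under /system/priv-app (built into the ROM)
#   system      under /system but outside priv-app (not a privileged app)
#   user        under /data/app (installed by the user)
#   absent      package not listed
classify_extension() {
    result="absent"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$CR"}
        line=${line#package:}
        pkg=${line##*=}      # id follows the LAST '=' (paths may contain '=')
        path=${line%=*}
        [ "$pkg" = "$EXT_PKG" ] || continue
        case "$path" in
            /system/priv-app/*) result="privileged" ;;
            /system/*)          result="system" ;;
            /data/app/*)        result="user" ;;
            *)                  result="other:$path" ;;
        esac
    done
    printf '%s\n' "$result"
}

# Constructed sample outputs, not captured from a real device.
SAMPLE_BUILT_IN='package:/system/priv-app/F-DroidPrivilegedExtension/F-DroidPrivilegedExtension.apk=org.fdroid.fdroid.privileged
package:/system/app/FDroid/FDroid.apk=org.fdroid.fdroid'
SAMPLE_MISSING='package:/system/app/FDroid/FDroid.apk=org.fdroid.fdroid'

# With a device attached, pass --device to query it over adb instead.
if [ "${1:-}" = "--device" ]; then
    adb shell pm list packages -f | classify_extension
else
    printf '%s\n' "$SAMPLE_BUILT_IN" | classify_extension
    printf '%s\n' "$SAMPLE_MISSING"  | classify_extension
fi
```

Any result other than `privileged` on a freshly flashed image means the build did not integrate the extension as a privileged app, which is the state in which F-Droid falls back to the "Unknown sources" prompt.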
Updated by Joonas Kylmälä about 5 years ago
- Status changed from New to Resolved
- Target version changed from Replicant 6.0 0005 to Replicant 6.0 0004
- % Done changed from 0 to 100