Issue #1890

Make Replicant's main app store a "known source" instead of an "unknown source"

Added by Kurtis Hanna about 1 year ago. Updated about 1 month ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Security
Target version:
Start date: 09/09/2018
Due date:
% Done: 100%
Estimated time:
Resolution:
Device:

Description

On a fresh Replicant install, when you go to update or install apps via F-Droid, you get this error message:

"Install blocked
For security, your phone is set to block installation of apps obtained from unknown sources"

If possible, Replicant should be modified so that F-Droid is viewed as the main app store and the user should only have to toggle the "Allow installation of apps from unknown sources" button in the Settings if they are trying to install an app that isn't from F-Droid.

I believe that after you install your first app from F-Droid you can turn Unknown Sources back off in the settings, and still be able to install and update anything you want from within the app store, which is preferable to do from a security point of view. However, the user isn't prompted to turn the setting back off.

History

#1

Updated by Kurtis Hanna about 1 year ago

This post by Moxie from Open Whisper Systems talks about themes related to this: https://github.com/signalapp/Signal-Android/issues/127#issuecomment-13447074

#2

Updated by Kurtis Hanna about 1 year ago

This was discussed a bit here, but no one provided a proper answer: https://stackoverflow.com/questions/18660395/known-source-but-not-from-google-play

#3

Updated by Fil Bergamo about 1 year ago

I personally have zero knowledge about the app signing process and where the "known sources" are stored in the Android system.

Now, being that we have complete control over the entire code base of our distribution, there is theoretically nothing to stop us achieving what you suggest.

The macro-steps would be as follows:
1. determine how the app signature trust system works in Android
2. change the trust model as needed by our requirements (needs deciding an official app distribution mechanism first)
3. locate the spot(s) in Replicant's code base where the trust model is implemented
4. change the implementation according to point 2.

Some first (superficial) research I've done suggests that the "stock" trust model design is heavily bound to Google's infrastructure (Play and other services).
It seems like the only documented option for "alternative distributions" (sic) is to have the user manually enable "untrusted sources".
I'm most probably wrong as I didn't search that well, but at first glance it seems like the only option we're left with is to redesign a broader model of trust independent of any specific vendor.

Resources:
https://source.android.com/security/apksigning/v2.html#verification
https://developer.android.com/distribute/marketing-tools/alternative-distribution
https://nelenkov.blogspot.com/2013/05/code-signing-in-androids-security-model.html

#4

Updated by Hans-Christoph Steiner 11 months ago

F-Droid works well without "Unknown Sources" if the F-Droid Privileged Extension is built into the ROM. I thought Replicant already did that. Copperhead, Fairphone Open and Lineage-for-MicroG all do that.

https://gitlab.com/fdroid/privileged-extension/#how-do-i-build-it-into-my-rom

#5

Updated by Kurtis Hanna 11 months ago

I think that our stable release does this, but I don't think that we are doing this in our nightly releases. We'll have to fix that.

#6

Updated by Andrés D 3 months ago

Hans-Christoph Steiner wrote:

F-Droid works well without "Unknown Sources" if the F-Droid Privileged Extension is built into the ROM. I thought Replicant already did that.
https://gitlab.com/fdroid/privileged-extension/#how-do-i-build-it-into-my-rom

The problem is that in the development branch the extension doesn't get integrated into the ROM. I don't see anything different with the stable branch, and I think that we are doing what is documented in the privileged extension howto page. We need to understand why this is happening.

#7

Updated by Joonas Kylmälä about 1 month ago

  • Status changed from New to Resolved
  • Target version changed from Replicant 6.0 0005 to Replicant 6.0 0004
  • % Done changed from 0 to 100
