
Issue #1890

Make Replicant's main app store a "known source" instead of an "unknown sources"

Added by Kurtis Hanna 3 months ago. Updated 3 months ago.

Status: New
Priority: Normal
Assignee:
Category: Security
Target version:
Start date: 09/09/2018
Due date:
% Done: 0%
Resolution:
Device:

Description

On a fresh Replicant install, when you go to update or install apps via F-Droid, you get this error message:

"Install blocked
For security, your phone is set to block installation of apps obtained from unknown sources"

If possible, Replicant should be modified so that F-Droid is viewed as the main app store and the user should only have to toggle the "Allow installation of apps from unknown sources" button in the Settings if they are trying to install an app that isn't from F-Droid.

I believe that after you install your first app from F-Droid you can turn Unknown Sources back off in the settings, and still be able to install and update anything you want from within the app store, which is preferable to do from a security point of view. However, the user isn't prompted to turn the setting back off.

History

#1 Updated by Kurtis Hanna 3 months ago

This post by Moxie from Open Whisper Systems talks about themes related to this: https://github.com/signalapp/Signal-Android/issues/127#issuecomment-13447074

#2 Updated by Kurtis Hanna 3 months ago

This was discussed a bit here, but no one provided a proper answer: https://stackoverflow.com/questions/18660395/known-source-but-not-from-google-play

#3 Updated by Fil Bergamo 3 months ago

I personally have zero knowledge about the app signing process and where the "known sources" are stored in the android system.

Now, given that we have complete control over the entire code base of our distribution, there is theoretically nothing to stop us from achieving what you suggest.

The macro-steps would be as follows:
1. determine how the app signature trust system works in android
2. change the trust model as needed by our requirements (requires deciding on an official app distribution mechanism first)
3. locate the spot(s) in Replicant's code base where the trust model is implemented
4. change the implementation according to point 2.

Some first (superficial) research I've done suggests that the "stock" trust model design is heavily bound to Google's infrastructure (Play and other services).
It seems like the only documented option for "alternative distributions" (sic) is to have the user manually enable "untrusted sources".
I'm most probably wrong as I didn't search that well, but at a first glance it seems like the only option we're left with is to redesign a broader model of trust independent of any specific vendor.

Resources:
https://source.android.com/security/apksigning/v2.html#verification
https://developer.android.com/distribute/marketing-tools/alternative-distribution
https://nelenkov.blogspot.com/2013/05/code-signing-in-androids-security-model.html
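As a worked illustration of step 1 in the list above (where the "unknown sources" state lives and how the installer is asked to treat a request as a known source), here is an added example written for this issue; it is not code from Replicant or F-Droid. It assumes an app-store style app with a `Context`, the class name `UnknownSourcesCheck` is invented, and it uses only public Android framework APIs: `Settings.Secure.INSTALL_NON_MARKET_APPS` (the single device-wide flag before Android 8.0, which covers Replicant 6.0), `PackageManager.canRequestPackageInstalls()` (the per-app grant from Android 8.0 on), and `Intent.EXTRA_NOT_UNKNOWN_SOURCE` on an `ACTION_INSTALL_PACKAGE` intent.

```java
// Added example for Replicant issue #1890 (not Replicant or F-Droid code).
// Shows (a) how to read the state that produces the "Install blocked" dialog,
// (b) which Settings screen lifts it, and (c) the extra that asks the package
// installer to treat a request as NOT coming from an unknown source.
// The class name is an assumption made for this example.
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;
import android.provider.Settings;

public final class UnknownSourcesCheck {

    /** Whether this app's install requests would reach the installer UI without the block. */
    public enum State { ALLOWED, BLOCKED_GLOBAL_SETTING, BLOCKED_PER_APP }

    private UnknownSourcesCheck() {}

    /**
     * Returns whether installs from this app are allowed and, if not, which
     * mechanism blocks them. The mechanism depends on the Android release.
     */
    public static State query(Context ctx) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            // Android 8.0+: the global toggle is gone; each app that declares
            // REQUEST_INSTALL_PACKAGES in its manifest gets its own grant.
            return ctx.getPackageManager().canRequestPackageInstalls()
                    ? State.ALLOWED : State.BLOCKED_PER_APP;
        }
        // Before Android 8.0 (Replicant 6.0 is Android 6.0): one device-wide
        // row in the "secure" settings table, 1 = allowed. Treat a missing
        // row as 0 (blocked), which is the fresh-install default the issue describes.
        int allowed = Settings.Secure.getInt(ctx.getContentResolver(),
                Settings.Secure.INSTALL_NON_MARKET_APPS, 0);
        return allowed == 1 ? State.ALLOWED : State.BLOCKED_GLOBAL_SETTING;
    }

    /**
     * Builds the Intent that opens the Settings screen where the user can lift
     * the block reported by {@link #query}. Returns null when nothing is blocked,
     * so a store can prompt only when an install would actually fail.
     */
    public static Intent settingsIntentFor(Context ctx, State state) {
        switch (state) {
            case BLOCKED_PER_APP:
                // Android 8.0+: the per-app "Install unknown apps" screen for this package.
                return new Intent(Settings.ACTION_MANAGE_UNKNOWN_APP_SOURCES,
                        Uri.parse("package:" + ctx.getPackageName()));
            case BLOCKED_GLOBAL_SETTING:
                // Pre-8.0: the global toggle lives under Settings > Security.
                return new Intent(Settings.ACTION_SECURITY_SETTINGS);
            default:
                return null;
        }
    }

    /**
     * Builds the install request for an APK. EXTRA_NOT_UNKNOWN_SOURCE asks the
     * installer not to show the unknown-source block. In AOSP's PackageInstaller
     * before 8.0 that extra is honoured only when the calling package is a
     * system app (ApplicationInfo.FLAG_SYSTEM), so it does nothing for a
     * user-installed store; that check is the spot step 3 of the list above
     * would have to locate in Replicant's tree. The apk URI must be readable by
     * the installer (a content:// URI via FileProvider on API 24+).
     */
    public static Intent installIntent(Uri apk) {
        Intent i = new Intent(Intent.ACTION_INSTALL_PACKAGE, apk);
        i.putExtra(Intent.EXTRA_NOT_UNKNOWN_SOURCE, true);
        i.putExtra(Intent.EXTRA_RETURN_RESULT, true);
        i.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        return i;
    }
}
```

From a shell on a pre-8.0 device the same flag can be read with `adb shell settings get secure install_non_market_apps` (prints 0 or 1), which is a quick way to confirm that toggling the Settings switch is what changes the row. Note that flipping that row to 1 is exactly the state the issue wants to avoid leaving behind; the only route that sidesteps the toggle for a specific store on these releases is to ship that store as a system app, which is how the existing F-Droid Privileged Extension (installed into /system) works.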
