Issue #1890

closed

Make Replicant's main app store a "known source" instead of an "unknown sources"

Added by Kurtis Hanna over 5 years ago. Updated over 4 years ago.

Status: Resolved
Priority: Normal
Category: Security
Start date: 09/09/2018
% Done: 100%

Description

On a fresh Replicant install, when you go to update or install apps via F-Droid, you get this error message:

"Install blocked
For security, your phone is set to block installation of apps obtained from unknown sources"

If possible, Replicant should be modified so that F-Droid is viewed as the main app store and the user should only have to toggle the "Allow installation of apps from unknown sources" button in the Settings if they are trying to install an app that isn't from F-Droid.

I believe that after you install your first app from F-Droid you can turn Unknown Sources back off in the settings, and still be able to install and update anything you want from within the app store, which is preferable to do from a security point of view. However, the user isn't prompted to turn the setting back off.

Actions #1

Updated by Kurtis Hanna over 5 years ago

This post by Moxie from Open Whisper Systems talks about themes related to this: https://github.com/signalapp/Signal-Android/issues/127#issuecomment-13447074

Actions #2

Updated by Kurtis Hanna over 5 years ago

This was discussed a bit here, but no one provided a proper answer: https://stackoverflow.com/questions/18660395/known-source-but-not-from-google-play

Actions #3

Updated by Fil Bergamo over 5 years ago

I personally have zero knowledge about the app signing process and where the "known sources" are stored in the Android system.

Now, being that we have complete control over the entire code base of our distribution, there is theoretically nothing to stop us achieving what you suggest.

The macro-steps would be as follows:
1. determine how the app signature trust system works in Android
2. change the trust model as needed by our requirements (needs deciding an official app distribution mechanism first)
3. locate the spot(s) in Replicant's code base where the trust model is implemented
4. change the implementation according to point 2.

Some initial (superficial) research I've done suggests that the "stock" trust model design is heavily bound to Google's infrastructure (Play and other services).
It seems like the only documented option for "alternative distributions" (sic) is to have the user manually enable "untrusted sources".
I'm most probably wrong as I didn't search that well... but at first glance it seems like the only option we're left with is to redesign a broader model of trust independent of any specific vendor.

resources:
https://source.android.com/security/apksigning/v2.html#verification
https://developer.android.com/distribute/marketing-tools/alternative-distribution
https://nelenkov.blogspot.com/2013/05/code-signing-in-androids-security-model.html

Actions #4

Updated by Hans-Christoph Steiner over 5 years ago

F-Droid works well without "Unknown Sources" if the F-Droid Privileged Extension is built into the ROM. I thought Replicant already did that. Copperhead, Fairphone Open and Lineage-for-MicroG all do that.

https://gitlab.com/fdroid/privileged-extension/#how-do-i-build-it-into-my-rom

Actions #5

Updated by Kurtis Hanna about 5 years ago

I think that our stable release does this, but I don't think that we are doing this in our nightly releases. We'll have to fix that.

Actions #6

Updated by Andrés D over 4 years ago

Hans-Christoph Steiner wrote:

F-Droid works well without "Unknown Sources" if the F-Droid Privileged Extension is built into the ROM. I thought Replicant already did that.
https://gitlab.com/fdroid/privileged-extension/#how-do-i-build-it-into-my-rom

The problem is that in the development branch the extension doesn't get integrated into the ROM. I don't see anything different with the stable branch, and I think that we are doing what is documented in the privileged extension howto page. We need to understand why this is happening.

Actions #7

Updated by Joonas Kylmälä over 4 years ago

  • Status changed from New to Resolved
  • Target version changed from Replicant 6.0 0005 to Replicant 6.0 0004
  • % Done changed from 0 to 100