F-Droid

Linux.conf.au 2018

Peter Serwylo (peter@serwylo.com)

F-Droid: The private, secure app store

by Peter Serwylo (@serwylo, peter@serwylo.com)

F-Droid: https://f-droid.org
Slides: https://pserwylo.gitlab.io/fdroid-lca-2018

Android

Yay, a well-backed, Linux-based OS for mobile!

Android Open Source Project (AOSP)

ROMs

Current ROM situation

But...

Software situation?

F-Droid

An alternative to Google Play

Amazon

Mi store

AppVn

Aptoide

Cafe Bazaar

QQ

Mobogenie

a.d.cn

F-Droid: The "app store"

F-Droid: the "package manager"

What is F-Droid?

Plus a number of other things

Privacy, Security, and Freedom

  1. Sourcing an application
  2. Building packages
  3. Signing packages
  4. Distributing metadata
  5. Distributing apps
  6. Installing apps

Inclusion criteria

All applications in the repository must be Free, Libre and Open Source software
https://f-droid.org/en/docs/Inclusion_Policy/

Request for Packaging

Build metadata

Categories: Games
License: GPL-3.0
Description:
...
...

Build metadata

Repo Type:git
Repo:https://github.com/lexica/lexica

Build:0.10.0,1000
    commit=v0.10.0
    subdir=app
    gradle=yes

Flag any anti features

Privacy, Security, and Freedom

  1. Sourcing an application
  2. Building packages
  3. Signing packages
  4. Distributing metadata
  5. Distributing apps
  6. Installing apps

Buildserver VM

Building thousands of apps, especially with automated and/or unattended processes, could be considered a dangerous pastime from a security perspective
https://f-droid.org/docs/Build_Server_Setup/

Maven problems

Verification Servers

...automatically reproduce official releases published by f-droid.org to ensure that everything in the release APK came from the source code, and nothing was inserted or included during the build process
https://f-droid.org/docs/Verification_Server/
https://verification.f-droid.org/
See Chris Lamb's LCA 2018 talk on diffoscope

Privacy, Security, and Freedom

  1. Sourcing an application
  2. Building packages
  3. Signing packages
  4. Distributing metadata
  5. Distributing apps
  6. Installing apps

Android Signing Model

Typical Signing Process

Dev machine:

Good Signing Process

Build machine:

Airgapped machine:

Paranoid Great Signing Process

https://f-droid.org/docs/Building_a_Signing_Server/

Privacy, Security, and Freedom

  1. Sourcing an application
  2. Building packages
  3. Signing packages
  4. Distributing metadata
  5. Distributing apps
  6. Installing apps

Reproducible builds

F-Droid can verify that an app is 100% free software while still using the original developer’s APK signatures
https://f-droid.org/docs/Reproducible_Builds/
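
The comparison behind that claim, as an added example (not code from the talk or from fdroidserver): a rebuilt, unsigned APK is accepted only if every entry outside the signature files is byte-identical to the developer's signed APK. The v1 (JAR) signature file names and the constructed sample archives are assumptions of this sketch.

```python
import hashlib
import io
import re
import zipfile

# Assumption: v1 (JAR) signing adds only these entries under META-INF/.
SIGNATURE_FILE = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")


def content_digests(apk_bytes):
    """Map entry name -> SHA-256 of its data, skipping signature files."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if SIGNATURE_FILE.match(info.filename):
                continue
            if info.filename in digests:
                # Duplicate names let two parsers see different content.
                raise ValueError(f"duplicate entry: {info.filename}")
            digests[info.filename] = hashlib.sha256(apk.read(info)).hexdigest()
    return digests


def compare_builds(rebuilt, upstream):
    """Report every difference between our rebuild and the developer's APK."""
    ours, theirs = content_digests(rebuilt), content_digests(upstream)
    return {
        "only_in_rebuild": sorted(ours.keys() - theirs.keys()),
        "only_in_upstream": sorted(theirs.keys() - ours.keys()),
        "changed": sorted(n for n in ours.keys() & theirs.keys()
                          if ours[n] != theirs[n]),
    }


def is_reproducible(rebuilt, upstream):
    return not any(compare_builds(rebuilt, upstream).values())


def make_apk(entries):
    """Build a small in-memory archive (constructed sample, not a real APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    return buf.getvalue()


# Constructed samples: one rebuild, a matching signed release, a tampered one.
BODY = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex-v1"}
SIGNED = {"META-INF/MANIFEST.MF": b"m", "META-INF/CERT.SF": b"s",
          "META-INF/CERT.RSA": b"r"}
REBUILT = make_apk(BODY)
UPSTREAM_OK = make_apk({**BODY, **SIGNED})
UPSTREAM_BAD = make_apk({**BODY, **SIGNED, "classes.dex": b"dex-v1+extra",
                         "lib/arm64-v8a/libx.so": b"blob"})
```

An entry the developer's APK carries but the rebuild lacks is as much a failure as a changed one, since it is content that did not come from the published source.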

Privacy, Security, and Freedom

  1. Sourcing an application
  2. Building packages
  3. Signing packages
  4. Distributing metadata
  5. Distributing apps
  6. Installing apps

Verifying signed metadata

Pinned certificates for f-droid.org and guardianproject.info

Pinned certificates

app/src/main/res/values/default_repos.xml

<?xml version="1.0" encoding="utf-8"?>
<resources>
<string-array name="default_repos">
  <item>F-Droid</item>
  <item>https://f-droid.org/repo</item>
  <item>3082035e308...</item> <!-- pubkey -->
  ...

Per-ROM pinned certificates

Feature request: Please allow to preset additional repositories in the ROM
https://gitlab.com/fdroid/fdroidclient/issues/843

Verifying signed metadata

Embedding certificate fingerprints in repository URLs

https://grobox.de/fdroid/repo?fingerprint=28e14fb3b280bce8f...
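
How a client can use such a URL, as an added example (not code from the F-Droid client): the fingerprint is separated from the repository address and the certificate that signed the downloaded index must hash to it. It assumes the fingerprint is the SHA-256 of the DER-encoded signing certificate; the function names, sample certificate bytes and `repo.example.org` address are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit, urlunsplit


class FingerprintMismatch(Exception):
    """The repo's signing certificate is not the one the URL promised."""


def split_repo_url(url):
    """Split 'https://host/repo?fingerprint=<hex>' into (address, fingerprint)."""
    parts = urlsplit(url)
    values = parse_qs(parts.query).get("fingerprint", [])
    if len(values) != 1:
        raise ValueError("expected exactly one fingerprint parameter")
    fingerprint = values[0].strip().lower()
    # Assumption: the fingerprint is a full SHA-256 digest (64 hex characters).
    # A shortened value must be rejected, not prefix-matched.
    if len(fingerprint) != 64 or set(fingerprint) - set("0123456789abcdef"):
        raise ValueError("fingerprint is not a full SHA-256 hex digest")
    address = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    return address, fingerprint


def check_signing_cert(cert_der, expected_fingerprint):
    """Raise unless the certificate that signed the index matches the URL."""
    actual = hashlib.sha256(cert_der).hexdigest()
    if not hmac.compare_digest(actual, expected_fingerprint):
        raise FingerprintMismatch(f"got {actual}, expected {expected_fingerprint}")
    return actual


# Constructed sample data: stand-in bytes for a DER certificate, and a
# hypothetical repository address on a reserved example domain.
SAMPLE_CERT = b"constructed stand-in for a DER-encoded signing certificate"
SAMPLE_URL = ("https://repo.example.org/fdroid/repo?fingerprint="
              + hashlib.sha256(SAMPLE_CERT).hexdigest().upper())

if __name__ == "__main__":
    address, pinned = split_repo_url(SAMPLE_URL)
    print("repo address:", address)
    print("pinned      :", check_signing_cert(SAMPLE_CERT, pinned))
    try:
        check_signing_cert(SAMPLE_CERT + b"!", pinned)
    except FingerprintMismatch as err:
        print("rejected    :", err)
```

The pin is only as trustworthy as the channel the URL arrived over, so a link or QR code from an untrusted source pins whatever key its sender chose.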

Privacy, Security, and Freedom

  1. Sourcing an application
  2. Building packages
  3. Signing packages
  4. Distributing metadata
  5. Distributing apps
  6. Installing apps

Distributing metadata + respecting privacy

Leaking identifying information to servers

Cookieless Cookies

Abusing etags for tracking users

https://lucb1e.com/rp/cookielesscookies/

Repository mirrors

Not set up for f-droid.org yet (issue #46)

Privacy, Security, and Freedom

  1. Sourcing an application
  2. Building packages
  3. Signing packages
  4. Distributing metadata
  5. Distributing apps
  6. Installing apps

Distributing apps

Privacy, Security, and Freedom

  1. Sourcing an application
  2. Building packages
  3. Signing packages
  4. Distributing metadata
  5. Distributing apps
  6. Installing apps

Installing apps

How does Google Play do it? It is blessed.

How does F-Droid do it?

Package Manager

Unknown Sources

Unknown Sources (8.0+)

Privileged Extension

Privacy, Security, and Freedom

  1. Sourcing an application
  2. Building packages
  3. Signing packages
  4. Distributing metadata
  5. Distributing apps
  6. Installing apps

History repeating

Thanks!

Peter Serwylo (peter@serwylo.com)

F-Droid: https://f-droid.org
Slides: http://preview.tinyurl.com/fdroid-lca-2018

Popular F-Droid repositories

F-Droid.org: 1000s of free and open source apps, built by F-Droid

IzzyOnDroid: 100s of free and open source apps, mostly those unavailable in F-Droid.org

Others: Anyone is free to publish their own repository

An app store without internet!

Security scanning

Scanning over 2000 open source apps for vulnerabilities

The "White-Label" Client