I accidentally found another security vulnerability in fdroidserver whilst working on something related to IzzyOnDroid.
We warned them months ago but were ignored *sigh*
"Another fdroidserver AllowedAPKSigningKeys certificate pinning bypass"
Fay 🏳️‍🌈
in reply to Fay 🏳️‍🌈
*sigh*
F-Droid now claims PoC 5a is not an "actionable security vulnerability" because "APKs signed by v1-only are not even installable on latest Android versions". This is false. As long as targetSdk < 30 (and e.g. the official F-Droid client has 29) they will install just fine. I even confirmed this by installing my PoC APK on both Android 13 and 14 just in case, something they apparently neglected to bother with before making that claim.
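The post above turns on one checkable fact: an APK that carries only a v1 (JAR) signature still installs on current Android as long as its targetSdk is below 30. A repository maintainer who wants to know which APKs are in that position needs a way to tell v1-only packages apart from ones that also carry a v2 or v3 signature. The script below is an added example, not code from the thread, from obfusk's PoC repository, or from fdroidserver: it reads the end-of-central-directory record, looks for the APK Signing Block that sits just before the central directory, and lists which signature-scheme IDs it contains (the v2 and v3 block IDs are the publicly documented values; the signer data in the constructed test APKs is a placeholder, not a real signature, and the script does not read targetSdk from the binary manifest, so it only answers the "v1-only?" half of the question).

```python
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A  # documented APK Signature Scheme v2 block ID
V3_BLOCK_ID = 0xF05368C0  # documented APK Signature Scheme v3 block ID


def _find_eocd(data: bytes) -> int:
    """Return the offset of the end-of-central-directory record.

    The record is 22 bytes followed by an optional comment of up to 65535
    bytes, so scan backwards and accept the first candidate whose comment
    length field agrees with the number of trailing bytes."""
    lowest = max(len(data) - 22 - 65535, 0)
    for i in range(len(data) - 22, lowest - 1, -1):
        if data[i:i + 4] == b"PK\x05\x06":
            comment_len = struct.unpack_from("<H", data, i + 20)[0]
            if comment_len == len(data) - i - 22:
                return i
    raise ValueError("no end-of-central-directory record found")


def find_signing_block(data: bytes):
    """Return the ID-value pair area of the APK Signing Block, or None.

    Layout (all little-endian): uint64 size | pairs | uint64 size | 16-byte
    magic, placed immediately before the central directory; both size
    fields exclude the leading one."""
    eocd = _find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    if cd_offset < 24:
        return None
    size, magic = struct.unpack("<Q16s", data[cd_offset - 24:cd_offset])
    if magic != APK_SIG_BLOCK_MAGIC:
        return None
    start = cd_offset - size - 8
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        return None  # inconsistent size fields: treat as no block
    return data[start + 8:cd_offset - 24]


def signing_block_ids(pairs: bytes) -> set:
    """Walk the uint64-length / uint32-ID pairs and collect the IDs."""
    ids, off = set(), 0
    while off + 12 <= len(pairs):
        length, block_id = struct.unpack_from("<QI", pairs, off)
        ids.add(block_id)
        off += 8 + length  # length covers the ID plus the value
    return ids


def classify_apk_signatures(data: bytes) -> dict:
    """Report which signature schemes an APK appears to carry."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n.upper() for n in zf.namelist()]
    # v1 signatures live in META-INF as a PKCS#7 blob next to a .SF file
    has_v1 = any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))
                 for n in names)
    pairs = find_signing_block(data)
    ids = signing_block_ids(pairs) if pairs is not None else set()
    return {"v1": has_v1, "v2": V2_BLOCK_ID in ids, "v3": V3_BLOCK_ID in ids}


def is_v1_only(data: bytes) -> bool:
    """True when the APK has a v1 signature but no v2/v3 signing block."""
    s = classify_apk_signatures(data)
    return s["v1"] and not (s["v2"] or s["v3"])


def build_test_apk(with_v1: bool = True, with_v2: bool = False) -> bytes:
    """Construct a minimal zip shaped like an APK for testing (placeholder
    contents; none of the signature material is real)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"constructed placeholder manifest")
        zf.writestr("classes.dex", b"constructed placeholder dex")
        if with_v1:
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"placeholder PKCS#7 blob")
    data = buf.getvalue()
    if not with_v2:
        return data
    # Splice a v2-tagged signing block in front of the central directory
    # and bump the central-directory offset in the EOCD accordingly.
    eocd = _find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    value = b"placeholder v2 signer data"
    pair = struct.pack("<QI", 4 + len(value), V2_BLOCK_ID) + value
    size = len(pair) + 24
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    new_eocd = (data[eocd:eocd + 16]
                + struct.pack("<I", cd_offset + len(block))
                + data[eocd + 20:])
    return data[:cd_offset] + block + data[cd_offset:eocd] + new_eocd


if __name__ == "__main__":
    for label, apk in (("v1-only", build_test_apk()),
                       ("v1+v2", build_test_apk(with_v2=True))):
        print(label, classify_apk_signatures(apk), "v1-only:", is_v1_only(apk))
```

Run it over a repository's APK directory and the v1-only hits are the packages whose signing-key pinning rests entirely on the JAR signature; pair the result with the targetSdk from the manifest (apksigner or androguard can supply it) to see which of those will still install on current Android.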
Fay 🏳️‍🌈
in reply to Fay 🏳️‍🌈
They are now claiming they can't use my patches as-is because of "code quality issues" (private apis). Which... applies to exactly one patch, the one they actually merged 8 months ago.
Because the only way to fix the vulnerability was to monkey patch androguard (and an updated version is still not available in Debian, nor has the Debian stable fdroidserver package received any patches, despite those packages being maintained by the F-Droid team, so that monkey patch is still needed).
They are also downplaying the impact by insisting this vulnerability is only a problem for third party repositories relying on fdroidserver; which even if true is showing a concerning disregard for the security of repositories of other projects relying on fdroidserver.
I have no words to describe how little remaining faith I now have in F-Droid's security and code review processes.
Fay 🏳️‍🌈
in reply to Fay 🏳️‍🌈
I wrote an overview of the situation (without technical details of the exploits themselves as that's covered by the README):
github.com/obfusk/fdroid-fakes…
fdroid-fakesigner-poc/OVERVIEW.md at master · obfusk/fdroid-fakesigner-poc
GitHub