If you run a binary repo using fdroidserver and plan to update to the latest code, make sure to first study gitlab.com/fdroid/fdroidserver… and gitlab.com/fdroid/fdroidserver… In short, despite multiple warnings, changes were applied which will reject several legit and absolutely fine APKs, e.g. those using key rotation. You will no longer be able to keep those in your repo once you've updated fdroidserver to that. Cases might be few, so you might be affected or not, but please check to make sure.
in reply to IzzyOnDroid ✅

Those changes are currently only applied to the master branch and didn't yet go to any release or distribution packages. They were supposed to fix a #security issue, but not to break some binary repos, which is what the applied patches might do. Find the originally proposed and recommended patches at github.com/obfusk/fdroid-fakes… – and also see e.g. tech.lgbt/@obfusk/112306314357… for some additional background.


I just posted an update to my "PoC for fdroidserver AllowedAPKSigningKeys certificate pinning bypass" post to oss-security:

openwall.com/lists/oss-securit…

Original post:

openwall.com/lists/oss-securit…

GitHub repo with patches, PoCs, and a script to scan for potentially affected APKs:

github.com/obfusk/fdroid-fakes…


in reply to IzzyOnDroid ✅

in the F-Droid dev collection of roughly 260,000 APKs, both proper apps and malware, I have not found any that matches those conditions. If anyone knows of any, please post out!
in reply to Hans-Christoph Steiner

@eighthave We've pointed out everything in the discussions. Just take an APK with key rotation, for example. And there are APKs in the apksig test suite for which get_jar_signer_certificate() fails. It should be easy to create an APK for which this code fails, as shown by the apksigner source code we linked.

Apart from that, as pointed out in the discussion, I'm not the expert here but just the messenger. And from that I've withdrawn, sorry. Can't anymore.

in reply to IzzyOnDroid ✅

So now it happened. Luckily, at #IzzyOnDroid we've used the proposed patches and thus are not affected – but if you run the latest fdroidserver with the "official patches", you will be: Occtax performed a key rotation. Went smoothly here at IzzyOnDroid – but failed with the official code when we cross-checked.

@fdroidorg should be aware of that as we've told them. See gitlab.com/fdroid/fdroidserver… for details. So you cannot have such APKs in your repo anymore at all even if you don't pin any keys.

in reply to Billie

@Billie It's got nothing to do with that, so no. But you can check the linked issue for details. @fdroidorg