Skip to main content

2 days ago I reported about a #security patch having been applied to the IzzyOnDroid F-Droid repo aka #IzzySoftRepo – but I didn't give much details. After it was tested now at the IoD test & staging area, and running smoothly for two days for the public one, I reported back to its author @obfusk that all seems smooth, and she decided to make POC & patch public. You can find the full details at github.com/obfusk/fdroid-fakes… & openwall.com/lists/oss-securit… now. @fdroidorg @eighthave be welcome using it!

1/2


GitHub - obfusk/fdroid-fakesigner-poc: F-Droid Fake Signer PoC

F-Droid Fake Signer PoC. Contribute to obfusk/fdroid-fakesigner-poc development by creating an account on GitHub.
GitHub
#security #IzzySoftRepo @Hans-Christoph Steiner @F-Droid @Fay 🏳️‍🌈
in reply to IzzyOnDroid ✅

IzzyOnDroid ✅
IzzyOnDroid ✅

2/2 @obfusk @fdroidorg @eighthave

In essence, quoting from the POC:

> […] As a result, it is trivial to bypass the AllowedAPKSigningKeys certificate pinning, as we can make fdroidserver see whatever certificate we want instead of the one Android/apksigner does. Note that we don't need a valid signature for the APK (we really only need a copy of the DER certificate, though having another APK signed with the certificate we want to use makes things easy).

@Hans-Christoph Steiner @F-Droid @Fay 🏳️‍🌈
in reply to IzzyOnDroid ✅

Hans-Christoph Steiner
Hans-Christoph Steiner
you just published this wide open, yet before, you wouldn't even send us the POC code that you had? I think you two need to learn what #ResponsibleDisclosure means.
#responsibledisclosure
in reply to Hans-Christoph Steiner

IzzyOnDroid ✅
IzzyOnDroid ✅
PS: Had that issue not been wide in the open for almost a year, giving the impression to be not important, we had of course approached @fdroidorg with a confidential issue first. But that signaled it would be ignored as well. As is gitlab.com/fdroid/fdroidserver… opened 10/2022, POC available (& linked there) since 1/2023. Affecting reproducible builds. A lot of evil stuff could be injected that way, as was outlined, also in my latest articles. So please don't call *US* irresponsible @obfusk

APK Signing Block considerations (#1056) · Issues · F-Droid / fdroidserver · GitLab

Some considerations regarding the APK Signing Block and how F-Droid handles Reproducible Builds. Block types
GitLab
@F-Droid @Fay 🏳️‍🌈
in reply to IzzyOnDroid ✅

Hans-Christoph Steiner
Hans-Christoph Steiner

Part of the bug was known 11 months ago. The new proof-of-concept shows key details that were not previously known nor reported in the issue. Those were just dumped to the public. We asked for that yesterday, and you didn't send it to us, but withheld it to now publicly dump it. That code was posted to GitHub yesterday: github.com/obfusk/fdroid-fakes…

You could have just sent us that link yesterday before tooting it, that would have been better.


Commits · obfusk/fdroid-fakesigner-poc

F-Droid Fake Signer PoC. Contribute to obfusk/fdroid-fakesigner-poc development by creating an account on GitHub.
GitHub
in reply to Hans-Christoph Steiner

Hans-Christoph Steiner
Hans-Christoph Steiner

I see this was reported to #androguard yesterday github.com/androguard/androgua…

Did you give them any advanced warning?


handles duplicate block IDs in APK Signing Block differently from Android/apksigner · Issue #1030 · androguard/androguard

If you manipulate an APK's Signing Block to have e.g. duplicate v2 Signature Blocks, Android and apksigner will only see the first, but androguard will only see the last (since it uses the ID as a ...
GitHub
#androguard
in reply to Hans-Christoph Steiner

IzzyOnDroid ✅
IzzyOnDroid ✅
I totally get it that you're not happy with the current situation (for what it's worth, we haven't been for years). But now going to "dig up things" about @obfusk trying to put the blame on her after having ignored her and her advice for so long is not a nice thing to do. Please stop that. This is not about doing dirty laundry in public but about getting long standing issues solved. @fdroidorg
@F-Droid @Fay 🏳️‍🌈
in reply to IzzyOnDroid ✅

Hans-Christoph Steiner
Hans-Christoph Steiner

All I'm asking is for #ResponsibleDisclosure. The tone you sense was my panic as I scrambled to figure out the proof-of-concept to ensure that #FDroid users are kept safe. Signature verification is a key part of that. I cleared my schedule this morning to deal with this.

Thanks to @obfusk to doing the hard work of the proof-of-concept and the patch. I posted my preliminary analysis of the issue on gitlab.com/fdroid/fdroidserver…

1/2


Potential security hazard: `apk_signer_fingerprint()` looks at certs in reverse order that Android checks them (#1128) · Issues · F-Droid / fdroidserver · GitLab

Take a look at apk_signer_fingerprint(): def get_first_signer_certificate(apkpath):...
GitLab
#fdroid #responsibledisclosure @Fay 🏳️‍🌈
in reply to Hans-Christoph Steiner

IzzyOnDroid ✅
IzzyOnDroid ✅
I hold no grudge against you, just in case you sensed something like that in my tone. But after being ignored for so long, we needed to be sure it finally gets done. So thanks for addressing those issues now! @obfusk @fdroidorg
@F-Droid @Fay 🏳️‍🌈
in reply to IzzyOnDroid ✅

Hans-Christoph Steiner
Hans-Christoph Steiner
I'm happy to see @obfusk continuing with the very important work on #APK signature analysis and the related tooling. I was worried she had stopped working on it after quitting F-Droid. That work is bigger than F-Droid, it is otherwise missing in the Android ecosystem.
#apk @Fay 🏳️‍🌈
in reply to Hans-Christoph Steiner

IzzyOnDroid ✅
IzzyOnDroid ✅
and I am *very* happy having @obfusk and @SylvieLorxu supporting me and the #IzzySoftRepo – I couldn't think of anyone better. And haven't heard of anyone better known in the area of this and also of reproducible builds than Fay, or anyone who can hold a candle to Sylvia. Yes, both mostly worked in the background – but I guess you already got a clue what F-Droid lost having them leave.
#IzzySoftRepo @Sylvia @Fay 🏳️‍🌈
in reply to Hans-Christoph Steiner

Hans-Christoph Steiner
Hans-Christoph Steiner

They key takeaway is:

If a binary repo maintainer is not careful about where they get their APKs and relies completely on AllowedAPKSigningKeys to verify the APKs, then this is an important issue.

2/2

in reply to Hans-Christoph Steiner

IzzyOnDroid ✅
IzzyOnDroid ✅
Pardon me? Not done yet with blaming? Now it's sloppy security on my end? "relies completely": did you ignore all my messages to you the past weeks? Including the blog posts at Kuketz and especially android.izzysoft.de/articles/n… outlining what security measures were just put into place at my repo *ADDITIONALLY* to those already in effect for years – which are still mostly missing at your end? So my key takeaway again is you don't listen, as so often in the past, sorry. @obfusk @fdroidorg

Zusätzliche APK-Checks im IzzyOnDroid Repo

Nachdem der Library-Scanner nun seit mehreren Jahren im IzzyOnDroid Repo im Einsatz ist war es an der Zeit, einige zusätzliche APK-Prüfungen zu etablieren.
IzzyOnDroid
@F-Droid @Fay 🏳️‍🌈
in reply to IzzyOnDroid ✅

Hans-Christoph Steiner
Hans-Christoph Steiner
That was not directed at you, that was my takeaway from the analysis I posted in the 1/2 post. The TL;DR.
in reply to Hans-Christoph Steiner

IzzyOnDroid ✅
IzzyOnDroid ✅
Ah – in that case, apologies. Yes, it was the context – and the idea sounded too absurd TBH, especially with AllowedAPKSigningKeys not even existing that long (and I doubt except for @fdroidorg and IoD, any repo uses it at all. @obfusk
@F-Droid @Fay 🏳️‍🌈