AkaneTan / Gramophone

A sane music player built with media3 and the Material Design library that strictly follows Android's standards.
GNU General Public License v3.0
1.17k stars 61 forks

[FR] Publish on a secure app store #283

Closed graphene1over closed 1 month ago

graphene1over commented 1 month ago

TOFU and side-loading

Currently the only way to obtain this app is by downloading the releases from GitHub or F-Droid. In both cases it is impossible to verify the validity of the app: in one case an app store isn't used at all, and in the other one is used which has significant security issues.

The best solution

Publish the app on GPlay or Accrescent.

Both verify the download and use certificate pinning; Accrescent additionally has strict requirements for the permissions an app asks for.

However, Accrescent is currently in whitelist-only alpha and probably not a good choice for now; it's better to wait until it's in beta or stable.

Quick and easy solution

While this solution will be a lot worse in terms of security compared to publishing on a secure app store: publish the signing certificate hash independently of GitHub, for example on another website or in a social media post. Users can then use AppVerifier to ensure the validity of their app.

Additional context

Accrescent is mirrored in the GrapheneOS App Store, a system app included with the AOSP-based OS, which employs additional hardening and is arguably the most secure OS currently available.

Therefore, any app installed from Accrescent has a trust chain all the way to the OS signing keys. AppVerifier is available there.

nift4 commented 1 month ago

I'd not call Google Play particularly trustworthy. We're actually preparing for publishing there, and they forced us to give up our private signing key to them (well, I made a new one for Google Play because I did not want to give it up, but yeah). F-Droid has reproducible builds enabled, and fdroiddata also has the signature: https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/org.akanework.gramophone.yml?ref_type=heads#L85 So you just need to verify that the APK you're installing has that signature, as only the developers (and GitHub CI; if you distrust them it's probably in your best interest to build the app yourself) have that private key, and you're good.

graphene1over commented 1 month ago

@nift4, I recommend you first read the article I linked, you don't seem to understand what my points are.

https://privsec.dev/posts/android/f-droid-security-issues/

As for distrusting GitHub, the reason is that your, or another contributor's, account might be hacked. I hope you're using passkeys, but even if you are, there is a possibility of that happening; therefore the signing certificate hash must be published independently of the release.

To be entirely clear, I understand that I have to trust the developer.

nift4 commented 1 month ago

"The trusted party problem" - Gramophone is one of those apps published with reproducible builds and is developer-signed. There's no need to trust F-Droid as long as you verify the signature.

"Slow and irregular updates" - Gramophone, being part of the reproducible builds program, doesn't need to be signed on the air-gapped server by the F-Droid team. As long as our builds are reproducible, they're published in ~1 week, which is fine for regular feature updates.

"Low target API level (SDK) for client & apps" - Gramophone currently targets Android 14, and we'll update to 15 once I get my hands on a physical device running A15.

All that aside, if you don't want to use F-Droid, which of course is a matter of your free choice, the trusted signature hash can be obtained in two places:

  1. https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/org.akanework.gramophone.yml?ref_type=heads#L85 - a repository on another platform where I don't have push access
  2. right here in this message: f451197ad7b80bd1bc981ba38a2c49d471856fb38bcc333676d6e8f8f3ce5d6e

As long as these two match, you can use any tool of your choice to verify that the APK indeed has that signature. Once you have installed the APK, thanks to Android's trust-on-first-install, you can install subsequent updates without worrying, as Android will verify that the same key is used to sign any future updates.

We are working on publishing on Google Play if you prefer that app store, however, that APK will have a different signature. Once the time comes, I am happy to provide the signature hash for the Google Play version as well.

Does this answer your question?
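The procedure nift4 describes, verifying that the APK's signing certificate hashes to the digest published out of band (here the fdroiddata entry) and then relying on Android's key continuity for updates, is shown below as an added, stdlib-only Python example. It is not Gramophone project code and is not a replacement for `apksigner`: it only parses the APK Signing Block (v2/v3 scheme) to extract each signer's DER certificate, hashes it with SHA-256 and compares against the pinned value; it does not check the signatures over the APK contents, which `apksigner verify --print-certs` does. `normalize()` accepts the lowercase hex used in fdroiddata as well as the colon-separated uppercase form that `keytool` prints. The `build_constructed_apk()` fixture, the placeholder certificate bytes and the package name `org.example.app` are constructed for the demonstration; the real Gramophone hash from the comment above is not reproduced by this fixture.

```python
"""Pin an APK signing certificate to an out-of-band published SHA-256.

Added example, not Gramophone project code. Parses the APK Signing Block
(APK Signature Scheme v2/v3) to pull out signer certificates and compares
their SHA-256 to a digest published elsewhere (e.g. fdroiddata). It does
NOT verify the signatures over the APK contents; use `apksigner verify`.
"""
import hashlib
import hmac
import struct

V2_ID = 0x7109871A           # APK Signature Scheme v2 pair ID
V3_ID = 0xF05368C0           # APK Signature Scheme v3 pair ID
MAGIC = b"APK Sig Block 42"  # trailer of the APK Signing Block


def normalize(digest: str) -> str:
    """Canonical lowercase hex; accepts fdroiddata, apksigner and keytool (AA:BB:..) forms."""
    return digest.replace(":", "").replace(" ", "").strip().lower()


def cert_sha256(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def _lp(buf: bytes, pos: int):
    """Read a uint32-LE length-prefixed field; return (payload, next_pos)."""
    (n,) = struct.unpack_from("<I", buf, pos)
    return buf[pos + 4 : pos + 4 + n], pos + 4 + n


def signing_certs(apk: bytes) -> list:
    """Return the DER certificates of every v2/v3 signer in the APK Signing Block."""
    eocd = apk.rfind(b"PK\x05\x06")                     # end of central directory
    if eocd < 0:
        raise ValueError("not a zip: no end-of-central-directory record")
    (cd_offset,) = struct.unpack_from("<I", apk, eocd + 16)
    if apk[cd_offset - 16 : cd_offset] != MAGIC:
        raise ValueError("no APK Signing Block (unsigned or v1-only APK)")
    (block_size,) = struct.unpack_from("<Q", apk, cd_offset - 24)
    pos, end = cd_offset - block_size, cd_offset - 24   # first pair, end of pairs
    certs = []
    while pos < end:
        (pair_len,) = struct.unpack_from("<Q", apk, pos)         # len(ID + value)
        (pair_id,) = struct.unpack_from("<I", apk, pos + 8)
        value = apk[pos + 12 : pos + 8 + pair_len]
        pos += 8 + pair_len
        if pair_id not in (V2_ID, V3_ID):
            continue
        signers, _ = _lp(value, 0)
        spos = 0
        while spos < len(signers):
            signer, spos = _lp(signers, spos)
            signed_data, _ = _lp(signer, 0)     # v3 min/max SDK fields follow; unused
            _digests, p = _lp(signed_data, 0)   # digests come first, then certificates
            cert_seq, _ = _lp(signed_data, p)
            cpos = 0
            while cpos < len(cert_seq):
                cert, cpos = _lp(cert_seq, cpos)
                certs.append(cert)
    return certs


def matches(apk: bytes, published: str) -> bool:
    """True iff some signer certificate hashes to the out-of-band published digest."""
    want = normalize(published)
    return any(hmac.compare_digest(cert_sha256(c), want) for c in signing_certs(apk))


def check_update(trust_store: dict, package: str, apk: bytes) -> bool:
    """Model Android's key continuity: first install pins the cert hashes, later
    installs of the same package must present exactly the same set."""
    seen = {cert_sha256(c) for c in signing_certs(apk)}
    if not seen:
        return False
    if package not in trust_store:
        trust_store[package] = seen           # trust on first install
        return True
    return trust_store[package] == seen


def _lpb(payload: bytes) -> bytes:
    return struct.pack("<I", len(payload)) + payload


def build_constructed_apk(cert_der: bytes, scheme_id: int = V2_ID) -> bytes:
    """Constructed fixture: an empty zip preceded by an APK Signing Block with one
    signer carrying `cert_der`. Signature/public-key fields are placeholders, so
    it is only useful for exercising certificate extraction, never for install."""
    v3 = scheme_id == V3_ID
    signed_data = _lpb(b"") + _lpb(_lpb(cert_der))
    signed_data += (struct.pack("<II", 28, 34) if v3 else b"") + _lpb(b"")
    signer = _lpb(signed_data) + (struct.pack("<II", 28, 34) if v3 else b"")
    signer += _lpb(b"") + _lpb(b"placeholder-public-key")
    value = _lpb(_lpb(signer))
    pair = struct.pack("<QI", 4 + len(value), scheme_id) + value
    block_size = len(pair) + 8 + 16               # pairs + trailing size + magic
    block = struct.pack("<Q", block_size) + pair + struct.pack("<Q", block_size) + MAGIC
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 0, 0, 0, len(block), 0)
    return block + eocd


if __name__ == "__main__":
    fake_cert = b"\x30\x82\x01\x00" + bytes(range(256))   # constructed stand-in for DER
    apk = build_constructed_apk(fake_cert)
    print("signer sha256:", cert_sha256(signing_certs(apk)[0]))
    print("pin matches:", matches(apk, cert_sha256(fake_cert).upper()))
```

For a real APK, read the file bytes, take the digest from the fdroiddata `AllowedAPKSigningKeys` line (or from a second independent channel, as the thread suggests) and call `matches(apk_bytes, published)`; `check_update()` then mirrors what the package manager enforces on the next update.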