Aptoide / aptoide-client-legacy

GNU General Public License v2.0

Signature verification #17

Open Rudd-O opened 7 years ago

Rudd-O commented 7 years ago

Aptoide does not seem to verify signatures of downloaded packages, nor does it use SSL to download packages, which means the packages themselves could be trivially tampered with while they are downloaded from a store.

I just tried it myself, by modifying an APK that Aptoide had downloaded (changed a graphic) and then hitting Update on the Aptoide package screen. Aptoide happily opened the installer, which (of course) told me that the APK was corrupted.

A more sophisticated version of the same attack would involve someone tampering with the APK download, then re-signing the APK with a different signature so the package appears to be valid. Aptoide will happily let the user install this modified APK and not warn him at all.

In my opinion Aptoide should at least do the two following things:

  1. Use HTTPS for package downloads. This solves a privacy issue beyond the normal security issue I'm reporting here.
  2. "Pin" the signing key of updates to the same signing key of the previously-installed package. The point of the feature is that, once a package has been installed, Aptoide must enforce that future updates to the same package must be signed with the same key (think of it as SSH's TOFU security), and specific user action (a visit to the Settings form) must be required to override this protection. This way, maliciously-tampered-in-transit packages, where the attacker does not have access to the signing key of the original package, will simply not be installable.

There's an objection that could be raised against these suggestions, insofar as Android the OS itself will not let the user install a package whose signature does not comply with the chain of signatures in its package manager trust store. But we must remember that Aptoide is a store that many people (millions?) use with either root access or with "Allow Unknown Sources" turned on (both of which, in effect, defeat the OS-level signing security mechanism). So this "signature pinning" feature would protect all of these users from an attack that most Aptoide users are particularly at risk for.

Of course, it would also be really good if Aptoide used the internal storage instead of using the "sdcard" storage to store its downloads. That way other forms of tampering (local tampering by a malicious app with storage permission access) could be defeated as well.

Thanks in advance.
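Suggestion 2 above, as an added example rather than Aptoide's own code: a TOFU signer-pin check an Android client could run before handing a downloaded APK to the installer. It uses the platform's `PackageManager`/`Signature` APIs and assumes the caller supplies the package name, the path of the downloaded APK and the state of a (hypothetical) settings override.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashSet;
import java.util.Set;

/** Trust-on-first-use pinning of a package's signing certificate(s). */
public final class SignerPinCheck {
    public enum Verdict { FIRST_INSTALL, SAME_SIGNER, USER_OVERRIDE, SIGNER_MISMATCH, UNREADABLE_APK }

    /** SHA-256 of each DER-encoded signing certificate, hex-encoded. */
    static Set<String> signerFingerprints(Signature[] sigs) {
        Set<String> out = new HashSet<>();
        if (sigs == null) return out;
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            for (Signature s : sigs) {
                StringBuilder sb = new StringBuilder();
                for (byte b : md.digest(s.toByteArray())) sb.append(String.format("%02x", b));
                out.add(sb.toString());
            }
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is always available on Android
        }
        return out;
    }

    /** First install pins whatever signs the APK; later updates must match exactly. */
    public static Verdict check(Context ctx, String packageName, String apkPath, boolean userOverride) {
        PackageManager pm = ctx.getPackageManager();
        // GET_SIGNATURES on an archive: null signatures on corrupt/unsigned files (and on some
        // very old Android releases), so treat that as unreadable and never launch the installer.
        PackageInfo candidate = pm.getPackageArchiveInfo(apkPath, PackageManager.GET_SIGNATURES);
        if (candidate == null || !packageName.equals(candidate.packageName)
                || candidate.signatures == null || candidate.signatures.length == 0) {
            return Verdict.UNREADABLE_APK;
        }
        PackageInfo installed;
        try {
            installed = pm.getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
        } catch (PackageManager.NameNotFoundException e) {
            return Verdict.FIRST_INSTALL; // nothing pinned yet: trust on first use
        }
        Set<String> pinned = signerFingerprints(installed.signatures);
        Set<String> offered = signerFingerprints(candidate.signatures);
        if (pinned.equals(offered)) return Verdict.SAME_SIGNER;
        return userOverride ? Verdict.USER_OVERRIDE : Verdict.SIGNER_MISMATCH; // hide/refuse the update
    }
}
```

A re-signed in-transit tampered APK lands in `SIGNER_MISMATCH`, which the client should surface to the user rather than forward to the system installer; the check complements, and does not replace, HTTPS for the download itself.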

Olf0 commented 7 years ago

A variant of suggestion 2 above was a feature of the Aptoide client v6 and v7, but was taken out in Aptoide v8!
It was in Aptoide's settings of these versions under "Filter Updates (Don't show updates for applications with different signatures)".
Furthermore, it is unclear in the Aptoide client v8 UI whether a signature check is still performed (I presumed "not", and the above findings support that). Silently eliminating a security-relevant feature does not increase trust in and the reputation of Aptoide! And I concur with suggestion 2 that this should definitely default to "on" (in contrast to Aptoide v6 & v7, IIRC), as many not-so-tech-savvy people will happily follow the statement (by taking this suggestion as an instruction) which follows a failed signature check when updating an app by Android's APK installer: "... You must uninstall the installed APK in order to install this one." (or so).

So please bring back this feature (i.e. setting), and suggestion 2 is obsolete.

Thanks for maintaining and enhancing the Aptoide client, as Aptoide is an absolutely valuable addition to Android's "ecosystem" (especially when avoiding Google services).

P.S.: I strongly support suggestion 1 as well. Not using HTTPS is really not appropriate anymore these days.

P.P.S.: WRT the storage location suggestion above, one consideration may be that space on internal storage is usually more limited than on SD-card, and Aptoide defaults to 0,2 GB of App cache (which should rather be slightly increased than decreased, IMO).

P.P.P.S.: A small enhancement of the text for the "Filter Updates" option: "Do not show updates for apps with different signatures"