ImranR98 / Obtainium

Get Android app updates straight from the source.
https://obtainium.imranr.dev
GNU General Public License v3.0
7.95k stars, 175 forks

[Feature Request] Option to run APK through VirusTotal #462

Open meichthys opened 1 year ago

meichthys commented 1 year ago

Since we rely on the security of many different maintainers' GitHub/GitLab/etc. accounts, I see a potential issue: if a single one of those accounts is compromised, a new malicious APK could be released and therefore installed by Obtainium. It would be nice if we had the option to run the URL link to the APK through VirusTotal prior to installation for a little peace of mind. The VirusTotal API seems like it would allow this, and even offers a special privilege for higher quotas for a use case like this: https://support.virustotal.com/hc/en-us/articles/115002100149-API

Mr-Bajs commented 1 year ago

I won't feel that comfortable adding closed source scanning tools though. I would rather see that as a security flaw and a potential threat in terms of privacy.

meichthys commented 1 year ago

I don't think there would be a security flaw since we would not be uploading the APK, but rather passing in the public URL of the APK and receiving a response that could then be formatted and displayed to the user.

I do see reason for a privacy concern since VirusTotal would see the apps you are installing, so this feature should probably be disabled by default 👍

Unfortunately I don't know of any open source alternatives. I don't think ClamAV has a comparable service atm.

Mr-Bajs commented 1 year ago

According to VirusTotal's own privacy policy they collect a bunch of information and also share this info with third parties.

schklom commented 1 year ago

One way to mitigate this privacy issue is to proxy these requests. For example, the user could specify a SOCKS5 proxy, or a warning could tell the user that it would be better to use a VPN before doing it.

Or ideally, @ImranR98 could run a default proxy on e.g. a free Oracle VPS, or a $5/month Linode VPS. To make this more efficient, the VPS could also cache results for e.g. 1 day. But that's a lot of extra work.

c--- commented 1 year ago

I think it would be better to simply offer different installer options the way Aurora Store does. The App Manager option in particular is very useful because it can show known trackers and has optional Virus Total checks. Or any other installer the user wants could be used with more or less functionality or privacy.

freispiel commented 1 year ago

I am not in agreement with the skepticism expressed here: In my opinion, running apks through VirusTotal and reviewing non-zero analysis results before continuing with the installation/update could be the essential security feature of Obtainium! Having VT as additional security layer seems to be the best option to address repojacking and other real-life threats.

For all I care, make it optional. I for one would rather share some usage-related data with VT than have to miss out on their service. (I guess since everybody would need to obtain and use their personal VT API key, this could anyway only be implemented as an optional feature.)
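The URL-lookup workflow described in this thread (pass the APK's public URL to VirusTotal, fetch the existing report, and show the user any non-zero detections before continuing with the install) can be sketched in a few functions. This is an added illustration, not code from Obtainium or from VirusTotal; it assumes the VirusTotal v3 REST endpoints (`GET /api/v3/urls/{id}`, where the id is the base64url-encoded URL without padding, authenticated with an `x-apikey` header) and a user-supplied API key. The report embedded below is a constructed sample shaped like a v3 response, so the summary logic runs offline; the network call is only exercised when a key is provided.

```python
import base64
import json
import urllib.error
import urllib.request
from typing import Optional

VT_API = "https://www.virustotal.com/api/v3"


def vt_url_id(url: str) -> str:
    """VirusTotal v3 identifies a URL by its base64url encoding with '=' padding removed."""
    return base64.urlsafe_b64encode(url.encode("utf-8")).decode("ascii").rstrip("=")


def vt_lookup_url(apk_url: str, api_key: str, http_proxy: Optional[str] = None) -> dict:
    """Fetch the existing VT report for a URL. Only the URL leaves the device, never the APK.

    http_proxy is an optional privacy measure in the spirit of the thread's proxy suggestion;
    urllib only speaks HTTP(S) proxies, so a SOCKS proxy would need an extra library.
    Returns {} when VT has never seen the URL (HTTP 404), which the caller treats as 'unknown'.
    """
    req = urllib.request.Request(f"{VT_API}/urls/{vt_url_id(apk_url)}", headers={"x-apikey": api_key})
    handler = urllib.request.ProxyHandler({"https": http_proxy} if http_proxy else {})
    opener = urllib.request.build_opener(handler)
    try:
        with opener.open(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return {}
        raise


def summarize_report(report: dict) -> dict:
    """Reduce a VT v3 report to the fields a user needs to decide about installing."""
    attrs = report.get("data", {}).get("attributes", {})
    stats = attrs.get("last_analysis_stats") or {}
    results = attrs.get("last_analysis_results") or {}
    flagged = sorted(
        f"{engine}: {r.get('result') or r.get('category')}"
        for engine, r in results.items()
        if r.get("category") in ("malicious", "suspicious")
    )
    engines = sum(stats.get(k, 0) for k in ("harmless", "malicious", "suspicious", "undetected", "timeout"))
    return {
        "scanned": engines > 0,
        "malicious": stats.get("malicious", 0),
        "suspicious": stats.get("suspicious", 0),
        "engines": engines,
        "flagged": flagged,
    }


def install_verdict(summary: dict) -> str:
    """'proceed', 'review' (any non-zero detection, as proposed in the thread) or 'unknown'."""
    if not summary["scanned"]:
        return "unknown"  # VT has no analysis for this URL; the user still has to decide
    if summary["malicious"] or summary["suspicious"]:
        return "review"
    return "proceed"


# Constructed sample report (not real VT output) so the summary logic can be run offline.
SAMPLE_REPORT = {
    "data": {
        "type": "url",
        "attributes": {
            "last_analysis_stats": {"harmless": 68, "malicious": 2, "suspicious": 1, "undetected": 19, "timeout": 0},
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "malware"},
                "EngineB": {"category": "suspicious", "result": "suspicious"},
                "EngineC": {"category": "harmless", "result": "clean"},
            },
        },
    }
}

if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT)
    print(install_verdict(summary), summary)
```

Because the lookup sends only the URL, the privacy cost is exactly what the thread describes: VirusTotal learns which APK URL you were about to install, and nothing else. A report that simply does not exist yet (a fresh release nobody has submitted) is the common edge case, which is why the verdict has an explicit "unknown" state rather than treating a missing report as clean.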

jayb-g commented 1 year ago

I also think this is an essential feature and came here to create a feature request for the same, but saw that it's already there but not implemented yet. This feature is indeed much needed. I am still holding out on installing apps from apkmirror/apkpure and such for the very same reason, and just tracking them for now.

In my opinion, running apks through VirusTotal and reviewing non-zero analysis results before continuing with the installation/update could be the essential security feature of Obtainium! Having VT as additional security layer seems to be the best option to address repojacking and other real-life threats.

I feel the same way. Since we as Obtainium users don't rely on third party app stores like Play or Amazon, there has to be a safety check available for users if they want. What if one of the github repos/other app sources is compromised? There's no safety against that as of now.

Another thing we can do to make it safer is by checking the APK signature of non-Play app sources against that of the apps on Play, to see if it matches or not (just as an additional data point for the safety checklist) [or simply just show the signature of the APK before installing]. But I don't know if that might be more complicated to implement. So I'll create a separate issue for that.

lorenharrington commented 1 year ago

Unfortunately, the state of the art these days is to literally throw every AV engine at the problem..

I think we might find that a lot of people's workflows include or expect the use of VT when downloading APKs from sites such as the ones Obtainium supports. To not include support on some level greatly reduces the app's overall utility.

jayb-g commented 8 months ago

Or maybe use Hypatia if it's installed to scan the APK locally?

freispiel commented 6 months ago

I don't think Hypatia is a good alternative. Even its developer recommends not to use it: https://www.reddit.com/r/DivestOS/comments/11bb57e/comment/j9xc7i9/

jayb-g commented 6 months ago

@freispiel The fact that they do not recommend it simply means (as inferred from your link) that they feel it's not needed. Although they clearly state in the same thread that it's technically fully functional and better than having alternate antivirus software which harvests data for profit. A FOSS alternative is not the same.

If we talk strictly about Obtainium, having an option to check with Hypatia before installing an APK wouldn't be bad in any way; on the contrary, it would be at least somewhat better than not checking the APK at all. Especially when you're downloading APKs from different repos and whatnot using Obtainium as a third-party app store which doesn't (/can't) have any checks or antimalware or developer policies of its own. Even Google is known to have all these things and still ends up hosting malware apps which are removed frequently.

The issue is about using Hypatia or any other FOSS alternative, so that at least known malware won't be installable using Obtainium.

jayb-g commented 1 month ago

A recent incident with BreezyWeather App.

Had it not been a false positive, imagine the impact it would have made on people not using Google Play or any other antivirus on Android who are just directly downloading APKs from GitHub (or apps like Obtainium). "Open source apps would be safe" is a faulty assumption. Out of the 10-20 apps that you are using, you never know how, when and which ones would be infected in future. Blindly (as it's already trusted software) and silently installing updates (which might be infected) adds to the problem.

The popular FOSS app App Manager also integrates VirusTotal. If it's possible then why not (except for reduced privacy in the case of VirusTotal)? VirusTotal or Hypatia can both be good options. Hypatia would be better in terms of privacy, but I'm not sure how soon it would be able to detect newly discovered malware, given that such detections should be time sensitive. Ideally any other well-maintained FOSS solution for detection would do.

Adhjie commented 1 day ago

So is there a possibility of Obtainium having 2 flavors or versions of the .apk, besides the other flavors for app stores, automated like how the ReVanced team does their patches?

Take this as a suggestion, so don't feel burdened by this; I'm just describing it here based on the current state of online security RSS feeds / YT channels / blogs, AV scanners (though I'm clueless on mobile AVs; my current setup is Kaspersky, and Malwarebytes when I really need it, since it's heavy on mobile), etc. I know it is not an easy task without PR help, but I can only do proposals since I can't code either.

So my proposals for the flavors are Obtainium-libre (Hypatia?) (or other kinds of labels?) and Obtainium-Non-Libre (VirusTotal?), or other catchy package names.

How about sharing code with other developers, e.g., VirusTotal API integration, or the split APK installer integration from SAI into AppManager by MuntashirAkon? (So many features could be implemented/collaborated on with each other since both are app managers, although the license probably needs to be agreed upon first: more copylefted for collaboration, or is the current one fine?)

Different flavors of apps by Aves, KeePassDX, etc. in other FOSS projects.

PR-is-welcome tag by Hail dev: https://github.com/aistra0528/Hail/issues?q=is%3Aopen+is%3Aissue+label%3A%22PR+welcome%22

Situations are always changing whether it is going full copyleft to defend against fork contender but still going OS:Bitwarden (as an anti-thesis, there are KeePass forks to choose as a fallback backup using guides by TroubleChute, Awesome Privacy, Security, Awesome-List pages in GitHub)

Turning a new leaf, though it is sudden: Fossify old app: https://github.com/SimpleMobileTools/General-Discussion/issues/241 (At least this one is not ghosting like the Reddit direct image extension.) Refactoring of an old app into app 2.0: SD Maid SE

Criteria scale between "OS okay, any audit (of PrivacyGuides and other similar sites' criteria of audited, CRXcavator DIY auditor?), Hypatia, Shizuku" vs "okay clean track record so far, good enough CS (closed source) apps that are good enough to be used" (inspired by a Reddit post title:

), e.g., X-Plore, ZArchiver, Files by Marc (along with documentsui barebone, but doesn't always work to access data and obb folders against Shizuku and AppManager), Wizfile (until DocFetcher index is seamless), VirusTotal, Kaspersky and others tested by Security YT channel: https://www.youtube.com/watch?v=3co-80OeHQE , https://www.youtube.com/watch?v=Sf2UdT53yFw ?

These apps are not set in stone, so why not flow with the Zeitgeist (trend) and dynamically changing, bringing the good features, avoiding bad SOP or OpSec?

ImageGlass case/example is solved, not sure how it would be rated in awesome list, and PrivacyGuides, but it's a track record problem. Not a current problem.

Forgot to mention, always ask both developers and the AVs companies that flagged any apps about actual viruses or false positive cases: many examples from varied ranges of developers/apps:

Closed Source Apps:

If the privacy, security and anonymity aspects are to be held of utmost importance, then make different versions/flavors of the app. If that's too cumbersome, how about a toggle, with the default settings after installation being the most barebones, with just core functionality? For example, AppManager has its internet feature disabled by default, and this is only for the VirusTotal feature right now.

Links:

Backup of the log: https://github.com/Adhjie/Adhjie-Discussion/discussions/4#discussion-7429743

Edits: wording changes, last one was too forceful.