madaidans-insecurities / madaidans-insecurities.github.io

https://madaidans-insecurities.github.io/

Text on signature spoofing is misleading #46

Closed mar-v-in closed 2 years ago

mar-v-in commented 2 years ago

The current text about signature spoofing is misleading:

MicroG is a common alternative to Google Play Services. It is often used to get rid of Google's tracking, but most people do not realise that this can potentially worsen security as it requires signature spoofing support which allows apps to request to bypass signature verification. This subverts the security model and breaks the application sandbox as an app can now masquerade itself as another app to gain access to the app's files. In a system with signature spoofing, it is impossible to know anything — there is no way to trust that an application is genuinely what it claims to be and it is impossible to build a strong security model upon this.

I'm here because someone claimed wrong things and linked to your website as a source. While your description is mostly not wrong per se, it is misleading enough for people to read it wrong.

thestinger commented 2 years ago

Of course, that makes sense. As an external party, you currently only have the word of one party. Nowadays, you need evidence more than usual.

Many people have seen it for themselves and ample evidence has been provided. If you choose to support abusers and help push their inaccurate talking points then that's your choice and you'll be held accountable for that too.

735trv commented 2 years ago

@thestinger

Yes, it has, but I have no interest in trying to prove something to malicious trolls.

It's not about proving anything. It's more about verifying it. By releasing the source code or reproducible builds, people can verify something. You have also published the Auditor app so that people can verify the integrity of the operating system. These things are good things. I think you will agree. Why shouldn't the attacks on GrapheneOS or you be documented for anyone to verify?

Their leadership is involved in harassment and bullying. @mar-v-in is involved in spreading misinformation and making underhanded attacks.

A leader should deescalate and not the opposite. No matter what the other side does. Or do you think that escalation on the Ukrainian border is currently the best way?

thestinger commented 2 years ago

Claiming that I'm the one escalating things is a total joke. The people escalating are the ones engaging in that ridiculously aggressive and underhanded behavior. I don't see how anything that we've done compares to even the fact that they published a 1 hour video completely full of misrepresentations and fabrications very focused on bullying me and directing more harassment towards me. There's no coming back from that, sorry.

thestinger commented 2 years ago

@735trv

No matter what the other side does.

Defending yourself is not escalation. I'm not interested in your victim blaming and gaslighting. I have no interest in interacting with an obvious troll. Your choice if you want to be blocked and banned from the GrapheneOS community.

735trv commented 2 years ago

@thestinger

That is exactly the point. I have only your words so far. Publish the cases in which GrapheneOS or you were attacked. You don't have to publish everything, but a small part would be enough. Maybe one case per person/organization. I think you would be much more successful with that than with other things. I don't know if the donors would like to see a part of the development time used for such actions.

I have no interest in interacting with an obvious troll.

Why am I a troll?

Your choice if you want to be blocked and banned from the GrapheneOS community.

You can do that, but first I have to ask you something: Why are you threatening me?

735trv commented 2 years ago

Doesn't matter. Forget it and do what you think is the best for you and the project.

thestinger commented 2 years ago

You're a concern troll who showed up here being manipulative from the beginning. It's straightforward and plainly visible.

735trv commented 2 years ago

It's okay if you think that.

ghost commented 2 years ago

@735trv You've been blatantly concern trolling in other issues posted in this repo and derailing legitimate conversations with other trolls. It's not a surprise you're doing it here.

735trv commented 2 years ago

Absolutely. That's why I tried to de-escalate at the beginning.

Again, it would be very helpful if someone documented and published the attacks so that others could verify it. It's not about credibility or every single attack as a logfile, but the desire for verification by others. Basically, I think it's true and the GrapheneOS project is under attack. Why not. The GrapheneOS project is not a bad idea and is listed as "Recommended" by various websites or people. As I said, I like to use open source software because I can check the source code and have reproducible builds. There I can verify an application. If I don't understand the code, I can pay someone to do an audit to verify the application. Why should anyone not be able to verify the attacks on GrapheneOS?

I think we all agree that time is very valuable, right? In my opinion, the best way would be to publish a few of these attacks on the website and not waste any more time on them. The people who want to verify it can do it and you have more time for development.

thestinger commented 2 years ago

@thestinger Calm down. The comment doesn't mention CalyxOS or GrapheneOS :roll_eyes:

Nothing about how you got involved here is de-escalation but rather concern trolling.

akc3n commented 2 years ago

Why should anyone not be able to verify the attacks on GrapheneOS?

@735trv About 7500+ people can verify the attacks on GrapheneOS that witness it consistently and progressively happening in our community.

735trv commented 2 years ago

Okay, to summarize, we can say that evidence is collected but not published. If you are part of the community, you can verify the attacks on GrapheneOS.

Thanks for the information :+1: