I accidentally found another security vulnerability in fdroidserver whilst working on something related to IzzyOnDroid.
We warned them months ago but were ignored *sigh*
"Another fdroidserver AllowedAPKSigningKeys certificate pinning bypass"
*sigh*
F-Droid now claims PoC 5a is not an "actionable security vulnerability" because "APKs signed by v1-only are not even installable on latest Android versions". This is false. As long as targetSdk < 30 (and e.g. the official F-Droid client has 29) they will install just fine. I even confirmed this by installing my PoC APK on Android 13-15 just in case, something they apparently neglected to bother with before making that claim.
They are now claiming they can't use my patches as-is because of "code quality issues" (private apis). Which... applies to exactly one patch, the one they actually merged 8 months ago.
Because the only way to fix the vulnerability was to monkey patch androguard (and an updated version is still not available in Debian, nor has the Debian stable fdroidserver package received any patches, despite those packages being maintained by the F-Droid team, so that monkey patch is still needed).
They are also downplaying the impact by insisting this vulnerability is only a problem for third-party repositories relying on fdroidserver, which, even if true, shows a concerning disregard for the security of repositories of other projects relying on fdroidserver.
I have no words to describe how little remaining faith I now have in F-Droid's security and code review processes.
I wrote an overview of the situation with the F-Droid certificate pinning bypasses (without technical details of the exploits themselves as that's covered by the README):
https://github.com/obfusk/fdroid-fakesigner-poc/blob/master/OVERVIEW.md
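A defender-side check a repository operator could run before trusting an APK's signer, added here as an example and not taken from fdroidserver or the PoC repository: it reads the zip End of Central Directory record to see whether a v2/v3 APK Signing Block sits directly before the central directory, so v1-only (JAR-signed) APKs, which the post above notes still install when targetSdk < 30, are flagged rather than silently accepted. The sample APKs are constructed placeholders, not real signed packages.

```python
import io
import struct
import zipfile

SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # trailing magic of a v2/v3 APK Signing Block
EOCD_SIG = b"PK\x05\x06"               # zip End of Central Directory signature

def central_directory_offset(apk: bytes) -> int:
    """Read the central directory start offset from the EOCD record."""
    eocd = apk.rfind(EOCD_SIG)
    if eocd < 0: raise ValueError("not a zip file: no EOCD record")
    # EOCD: sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2) cd_size(4) cd_offset(4) comment_len(2)
    return struct.unpack_from("<I", apk, eocd + 16)[0]

def has_apk_signing_block(apk: bytes) -> bool:
    """v2/v3 signatures live in a block whose 16-byte magic ends right before the central directory."""
    cd_off = central_directory_offset(apk)
    return cd_off >= 32 and apk[cd_off - 16:cd_off] == SIG_BLOCK_MAGIC

def v1_signature_files(apk: bytes) -> list:
    """JAR (v1) signature blocks: META-INF/*.RSA, *.DSA or *.EC entries."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return [n for n in zf.namelist() if n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))]

def classify(apk: bytes) -> str:
    """Label an APK so a repo can refuse to pin a signer on v1-only evidence."""
    if has_apk_signing_block(apk):
        return "v2/v3 signing block present"
    if v1_signature_files(apk):
        return "v1-only (JAR signature, no APK Signing Block)"
    return "unsigned"

def build_v1_only_apk() -> bytes:
    """Constructed sample: a zip carrying only JAR-signature entries (placeholder contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"placeholder manifest")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"placeholder PKCS#7 blob")
    return buf.getvalue()

def add_empty_signing_block(apk: bytes) -> bytes:
    """Constructed sample: splice a structurally valid, empty APK Signing Block before the central directory."""
    cd_off, eocd = central_directory_offset(apk), apk.rfind(EOCD_SIG)
    size = 8 + 16  # second size field + magic; no ID-value pairs
    block = struct.pack("<QQ", size, size) + SIG_BLOCK_MAGIC
    out = apk[:cd_off] + block + apk[cd_off:]
    eocd += len(block)  # EOCD moved by the inserted bytes; patch its cd_offset field
    return out[:eocd + 16] + struct.pack("<I", cd_off + len(block)) + out[eocd + 20:]
```

Real APKs also need the block's signatures verified against the pinned certificate; this check only establishes which signature scheme is present.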
@obfusk it boggles my mind how fdroid is so respected and glorified when it's just horribly run and has massive issues they gloss over, then patch later on, and attack people who criticize them personally but don't respond to the actual points