zlacker

[return to "F-Droid Fake Signer PoC"]
1. kuschk+X8 2025-01-04 00:07:27
>>pabs3+(OP)
While none of that applies to F-Droid's primary use case (the primary F-Droid repo builds all apps from source itself), it nonetheless looks like they failed to correctly handle the issue.

The only reason this didn't turn into a disaster was pure luck.

2. NotPra+HK 2025-01-04 07:42:36
>>kuschk+X8
From what I can understand the attack scenario is as follows:

1. User downloads an app from F-Droid that supports reproducible builds.

2. The developer's account is compromised and submits an app with a different-than-expected signing key.

3. A new user installs the app (existing users aren't affected due to Android's enforcement of using the same signing key for updates).

4. This user is (external to the app) contacted by the attacker and directed to install an update to the app from them. The update contains malicious code.

F-Droid's response is concerning but this attack scenario seems pretty unlikely to work in practice.
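The four-step scenario above, modelled as an added example (this is not code from the thread, from F-Droid, or from the PoC). It assumes a repository that pins a per-package signer set and an Android-style install rule that an update must be signed by the same key set as the installed build; the certificate bytes, package name and helper names are constructed placeholders. It shows why a strict pin check stops step 2, why Android's rule protects existing users in step 3, and why a new user who installed the wrong-key build is left exposed in step 4.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample "certificates": placeholder byte strings standing in for the
# DER-encoded signing certificates. They are NOT real certificates.
DEV_CERT_DER = b"-- constructed: legitimate developer certificate --"
ATTACKER_CERT_DER = b"-- constructed: attacker-controlled certificate --"
PACKAGE = "org.example.reproducible"  # constructed package name


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER certificate, the form repo indexes pin."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class SignerPins:
    """Per-package pinned signer set that a reproducible-build repo should enforce."""
    pins: dict[str, frozenset[str]] = field(default_factory=dict)

    def check_submission(self, package: str, signer_certs: list[bytes]) -> tuple[bool, str]:
        """Strict policy: the submitted APK's whole signer set must equal the pinned set.
        A missing pin is a hard failure rather than trust-on-first-use, and extra
        signers beside the expected one are also rejected."""
        submitted = frozenset(fingerprint(c) for c in signer_certs)
        if not submitted:
            return False, "unsigned APK"
        pinned = self.pins.get(package)
        if pinned is None:
            return False, "no pinned signer for package; refusing rather than trusting first use"
        if submitted != pinned:
            return False, "signer set differs from pinned set"
        return True, "ok"


def android_update_allowed(installed_signers: list[bytes], update_signers: list[bytes]) -> bool:
    """Model of Android's rule: an update installs only if signed by the same key set
    as the currently installed build (hypothetical simplification of the platform check)."""
    return frozenset(map(fingerprint, installed_signers)) == frozenset(map(fingerprint, update_signers))


def walk_scenario() -> dict:
    """Replay the thread's four steps and return each outcome."""
    repo = SignerPins({PACKAGE: frozenset({fingerprint(DEV_CERT_DER)})})

    # Step 2: compromised developer account submits a build signed with a different key.
    strict_accepts = repo.check_submission(PACKAGE, [ATTACKER_CERT_DER])[0]

    # A lenient repo that never pinned anything effectively accepts whatever arrives.
    lenient_repo = SignerPins()
    lenient_accepts = lenient_repo.check_submission(PACKAGE, [ATTACKER_CERT_DER])[0]

    # Step 3: an existing user already has the developer-signed build installed;
    # Android refuses an update signed with the attacker's key.
    existing_user_update = android_update_allowed([DEV_CERT_DER], [ATTACKER_CERT_DER])

    # Step 4: a new user installed the attacker-signed build as their first install,
    # so an attacker-signed "update" delivered out of band is accepted by the platform.
    new_user_update = android_update_allowed([ATTACKER_CERT_DER], [ATTACKER_CERT_DER])

    return {
        "strict_repo_accepts_wrong_key": strict_accepts,
        "lenient_repo_accepts_wrong_key": lenient_accepts,
        "existing_user_update_accepted": existing_user_update,
        "new_user_update_accepted": new_user_update,
    }


if __name__ == "__main__":
    for step, outcome in walk_scenario().items():
        print(f"{step}: {outcome}")
```

The design choice worth noting is set equality rather than "any signer matches": a check that passes as soon as one signer on the APK matches the pin would let a build carrying both the expected and an unexpected signer through, whereas the strict form fails closed.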
