Ideas for the Next Phase¶

Why FDroid?¶

There are two main approaches to keeping apps updated: an "app store" model and a "self-update" model. The "app store" model is generally the approach taken by package management systems that are integrated into the core OS, so for example the Debian package management system, Apple App Store, Google Play, etc. Many apps instead include a way that they can update themselves, for example Firefox, Chrome, etc. The self-update model puts more control in the hands of the app's developer, while the app store model puts more control in the hands of the user.

• technically, it is possible to do all the same things with both models, so to understand the strengths and weaknesses, we need to focus on the user experience.

• F-Droid is the best developed alternative app store for Android that is free software.
• it already is translated into many languages, including Arabic, Chinese, Farsi, Uigher, and Spanish.

With the app store model, it is much easier for the user to decide when and what to update since all updates are presented in a single UI. This UI is also the same UI that users use for getting new apps and removing installed apps.

Users operating in high risk areas generally have more awareness of what their current risks are than the developers of the software in question, for example which networks are safer and which are more heavily monitored, or which networks can be traced to the user versus ones which are more anonymous.

For example, if a user wants to ensure that all app downloads and updates go through Tor, with F-Droid, they can just set the proxy in the F-Droid settings, root access is not required.

• HTTPS
• tor hidden service
• amazon S3 and other cloud services
• local wifi to on-device repos
• bluetooth to on-device repos
• OTRDATA
• SDCard

The way that the current f-droid.org app repository is structured has a major weakness: all apps there are signed by a specific f-droid.org key rather than the developer's official release key. This means that there are two valid APKs for each released version of an app, but they have conflicting keys. This is not a design feature of f-droid.org, but rather a side effect of the goal of verifying that the apps are built entirely from freely available source code. The f-droid.org team is working on turning this weakness into a major strength: with fdroid verify, the f-droid.org build infrastructure will build APKs from source as it always has done, but instead of signing the APK with an f-droid.org key, it will instead verify that the developer's APK matches exactly the APK built by f-droid.org. And since it matches, the developer's original signature can be freely swapped into the APK built by f-droid.org. This turns f-droid.org into a build verification service, reproducing builds made by the original developer while eliminating the duplicate f-droid.org key.

• like Tor Browser Bundle's reproducible build process, except it will be also deterministic most of the time
• for pure Java Android apps, this is not difficult to setup
• for apps with native components, it is also possible, we have done it with out Lil' Debi app

Modules of work¶

Build and Distribution Integration¶

- Deteriminstic builds sound like some pedantic technical process that only the most low level hackers would love. And indeed, getting software to builds exactly the same each time is such a process. But once that process is in place, it can drastically simplify the process of delivering secure software. Projects like Tor and Guardian Project go to great lengths to build releases on machines that have never touched the network, are stripped down to the bare minimum, and are generally difficult to use. If the build process was deterministic, then a release build can be made on any machine, and then verified by various other machines also building that same release.

The FDroid central build server is already set up to be build verification service, so if it is easy for developers to integrate their releases with the FDroid tools, then the FDroid central build server will act as a automatic build verification service. That central build server is all free software, so anyone can set up their own build verification service.

- full stack deterministic build process
- deterministic builds for relevant Debian packages
- contributes to TAILS

• following gitian's model, make automated method for creating VMs for the build system
• standardize on Debian/jessie to ease deterministic build process

Hardening All The Way Down¶

The final piece of the puzzle of free, open source software providing open and auditable software is the process of verifying that given source code produces a given app, every time. This is generally known as "Reproducible Builds" or "Deterministic Builds". When anyone build an app themselves and then see it is exactly the same app as the developer has released, they know that all they only need to look at the source code to prove that the app is safe and secure. This is unfortunately a difficult and very manual process.

Luckily, it is a process that is very ripe for automation. For Android apps, the first step is to verify that the Java code generates the same APK as the official release. The problem is that everyone builds their Android apps using the software that builds and releases, so they are all using the same binaries which could all contain and implant the same code on every machine. So then the Android tools should be built in a reproducible way, and the system that the Android tools relies on should also be built in a reproducible way. Debian has started work on supporting reproducible builds, and indeed that is a feature that the TAILS and Tor Browser Bundle authors have requested.

This module of work is focused on providing reproducible builds all the way down the toolchain from apps to Debian itself. Debian already has the process prototyped, key pieces of the Android SDK are already included in Debian, and the FDroid tools already provide fdroid verify for comparing a locally built Android app to the developer's release. The remaining work is finishing the prototypes and making sure everything is integrated and working.

• https://summit.debconf.org/debconf14/meeting/78/reproducible-builds-for-debian/

• Backend Developer:
• Release Engineer:
• Tutorial Writer:

Peer-to-peer Malware Tools¶

Android tools like Lookout, BlueBox Security's scanner, and Google's APK scanner have shown that local scanners can catch lots of malware without requiring network access. For Android, the most serious exploits like Master Key and FakeID, can be detected by scanning the APK alone. There is also free demo code for doing this. This code can be incorporated into FDroid to catch most malware the first time it hits FDroid on a device.

There are also generic techniques for spotting malware based on comparing APKs that claim to be the same version (versionCode) of the same app (packageName). When two devices swap app information, each device can compare the APKs installed to the information received from the other device. If there are two APKs that have the same packageName and versionCode but have different hashes, then one of them is likely to be either corrupt or malware. FDroid can take this information and prompt the user with actions to take, like uploading to a malware scanning service, uninstalling, or temporarily disabling the app until it can be verified.

Polishing the Peer-to-peer Swap¶

With the first round of Bazaar, we added a wide range of app swapping capabilities to the FDroid app store. Users can create an app store on their device, then use Wifi, NFC, and/or Bluetooth to swap local app stores with whoever they encounter. The core functionality is mapped out and implemented already. The next step is to survey users and conduct user studies to figure out how the whole swapping experience can be make more understandable with fewer gotchas.

• UI Developer:
• UX Designer:
• Tutorial Writer:
• Backend Developer:

Trusted Outside App Channel for iOS where iTunes is blocked/filtered¶

• Tie into Cydia App Store/Hockeyapp/etc
• Apple iTunes is blocked in Iran, other places
• Apple iTunes is censored in China, including OTF's app
• p2p distribution support when possible

Cydia is a long-running, self sustained alternative app store for rooted iOS devices (an alternative app store is only possible iOS if the device is rooted, unlike Android). It has a very active developer community with about 1000 individual app repos. It does not include any of the common circumvention techniques that we recently added to FDroid like support for Tor and peer-to-peer app swapping.

While the software in each store would only work in the specific platforms, the core concepts are the same. Including work on Cydia would make sense in terms of cross-pollenation of ideas and shared project management resources.

All sorts of notes¶

There is a wide range of great software being developed that allow activists, journalists, etc. to use their mobile devices for private, secure communications and operations. And Google Play provides a secure and established way for distributing apps all over the world. But in many high risk areas like China or Iran, Google Play is entirely unavailable. Google Play is also built to track it's users, and that data is all stored by Google, which means that a number of governments have access to that data, via legal orders or by breaking into Google's systems.

People around the world have found all sorts of creative way of distributing apps and files when they cannot access Google Play, but these are fraught with issues: alternative app stores are a awash in malware, most ways of sending apps and files via the internet can be easily spoofed and monitored, and not many people know how to operate when the internet is completely unavailable.

• deterministic builds are an arcane technical process that makes it much easier to deliver secure software
• add support for making it the default app store in ROMs like Replicant, Omni, etc
• moving f-droid.org/repo from centralized trust to deterministic build verifying infrastructure
  • fdroid verify already passes many apps
  • fdroid.org/repo uses official dev's
• developer support for setting up their own (cydia is an example of what it could become: it has ~1000 developer repos)
• make FDroid have a modern, easy, attractive client UI
• fdroid is already sustainable, we will speed development, and contribute to the maintenance
• fdroid's main reason for the central repo is to have a repo of software that is verified to be free software, they don't want to have their own signing keys
• fdroid is a IaaS, any free software can be hosted on f-droid.org
• fdroid is also free software for building your own app store with build/verify service
• tie into user-generated data like openintegrity.org
• fdroid as app store kit
• efforts to tap into
  • making FDroid app store for Replicant, etc
  • fdroid verify
  • androidobs
  • openintegrity.org
• automatically trigger release builds based on signed tag
• replace hockeyapp, Play Beta, etc
  • include crash submissions
  • automatic nightly build repo
  • in-app bug reports
• include basic repo server that uses modern crypto instead of TLS-CA (PAKE or whatever)

• make your own app store kit
  • app stores for high risk threat models
  • all free aptoide
  • approach various existing app stores about using fdroid
• deterministic full stack
  • `fdroid verify`

• tools for people to curate repos
  • `fdroid remote`
  • `remotes = {}` in config.py

• why not update framework embedded in an app?
  • app store update model gives users control over updates
  • updates in APK gives users less control
  • high risk users will know best what will put them at risk and what will work
  • single experience for many different ways of transferring APKs

• tie into user generated content to verify APKs
  • crypto-link APK on local device to public data repo
  • combine user-generated data with data mining and observation
  • build upon existing research projects:
    • https://openintegrity.org/
    • https://androidobservatory.org/
    • https://guardianproject.info/code/weatherrepo/

• integrated translation management
  • FDroid/Google Play description and changelog in metadata
  • in standard, easily translatable format
  • if possible, automatic updating to Google Play

• use cases
  • humanitarian teams, when infrastructure is depleted due to disasters

• threats
  As our experience with helping Tibetan activists has taught us, and the leaks from FinFisher and other sources have shown, it is usually quite easy for an organization with network level or country-wide network access to exploit browser bugs to install software on target computers. A developer of circumvention software is a high-value target for a state-level actor since one exploit can infect that developer's software, which will then be distributed with an included backdoor implanted by the initial exploit of the developer. Best practice is to use dedicated machines for building and signing apps, but that is not practical for small scale developers, and can take a lot of time to setup. When using a deterministic build process, the software can be built on an exploited machine, then verified by trusted sources. The Fdroid tools are available for people to set up their own verification server, and the f-droid.org repository is also available to provide this service as a third party. This means that people can get automatic verification without having to setup their own infrastructure.
• Pwn-To-Own competition is always won by browser exploits

• use hardware security modules as part of workflow
  • Linux kernel commits require one http://www.linux.com/news/featured-blogs/203-konstantin-ryabitsev/784544-linux-kernel-git-repositories-add-2-factor-authentication

• why focus on android?
  • android is the biggest platform
  • android is the cheapest smart phone platform
  • android allows for anybody to run an app store
  • almost all app stores only address a single platform (iTunes, Google Play, etc)
  • Cydia is a well developed alternative app store for iOS
  • the technical problems line up cleanly along platform lines

• concept note was light on use cases, add lots
• research use cases of developers in challenged environments
  • want needs do they have that are different than developers in places with internet freedom
  • add in note about Iran-focused dev outreach project
• discuss how focusing on GP/Psiphon/Amnesty developer use cases will directly benefit users in target locations
• send email with possible extensions
  • full paranoid build stack
  • media handling in app store (parallel to Courier/Paik effort)
  • Blackberry or Windows Mobile running Android apps interesting at all?
  • ties to Cydia?