Hacker News
by lucb1e 1578 days ago
FYI your comment was marked [dead], I vouched for it because I think it contributes to the conversation.

Update: I think you must have been caught in some automatic system because every comment (including your account's first) was already marked [dead] but not [flagged]. This does not seem to have been users flagging you or anything, maybe you use an IP previously used by a troll or so? Or a keyword detector in the first comment set it off (e.g. since the words "You're wrong," might trigger he-said, she-said conversation when taken by itself) maybe? Idk. /update.

> This is a bit exaggerated.

Yes, I was mostly joking in that cited part, that's why I added "(jk)" :). I understand there's much more to it than just that, it just read funnily to me. (Not meant as laughing 'at' you! Hope it didn't come across like that.)

> once you ensured the authenticity, the source doesn't matter as much.

Yes, but that's TOFU. Secure in most cases, but if it's used all the time, an attacker will catch today's lucky ten thousand (xkcd.com/1053) who first download a certain app or who just (re)installed their phone.

Hence my suggestion of something like PGP, where the authenticity can be established more reliably than having everyone hope it wasn't compromised on first download. (It's a good alarm mechanism though, if suddenly everyone else's update fails, so any compromise of app signing keys wouldn't be long-lived. But I do feel like the article argues for a much higher security standard than TOFU.)

Alternatively, with F-Droid, the CA system is used, and TOFU doesn't go away. If the CA system is compromised, there are still the app signing keys. Conversely, if the signing keys are compromised, the attacker also still needs to compromise the distribution channel or server.

1 comments

Thanks for the heads-up! It's also a new account since I've never posted on HN before, so maybe that's why.

(Also I would like to correct myself on my previous comment: I meant "GPG" as the reference implementation of the OpenPGP standard, not "OpenGPG". I was very tired.)

> I understand there's much more to it than just that, it just read funnily to me. (Not meant as laughing 'at' you! Hope it didn't come across like that.)

No worries, irony doesn't hurt.

> Yes, but that's TOFU. Secure in most cases, but if it's used all the time, an attacker will catch today's lucky ten thousand (xkcd.com/1053) who first download a certain app or who just (re)installed their phone.

By authenticity I meant that you can already use apksigner to verify the fingerprint of the signature. For instance, Signal publishes the fingerprint on their website: https://signal.org/android/apk/

Since the APK published on the website is the same as the one published on Play Store, I think this can be a nice way to ensure the package hasn't been tampered with. A properly configured HTTPS server should be the baseline, with CAA and CT to ensure it wouldn't be easy for an attacker to issue rogue certificates for the website. Of course, this is still involving a TOFU model like you said with any CA system in the end.

Therefore, having certificate pinning by default for the app repository should be nice progress to deter several types of MITM attacks (rather than placing too much trust in the distribution infrastructure). This goes nicely along with the app signature system, which inherently follows the TOFU model on Android.

Alternatively, GrapheneOS (as a hardened OS) has the idea to ship a database of known-good signature fingerprints for top used apps such as Signal or Element. This would be hard to do for apps that also have a third-party F-Droid build due to them reusing the package IDs in most cases (the OS can also whitelist the signatures for those, but this isn't ideal).
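
An added example, not part of the thread and not any commenter's code: it contrasts checking an APK's signer against a fingerprint published out of band with plain TOFU pinning, using the SHA-256 digest line that `apksigner verify --print-certs` prints. The `check` and `normalize` helpers, the package name and all fingerprint values are constructed for illustration, and only single-signer APKs are handled.

```python
import hmac
import re

# Digest line as printed by `apksigner verify --print-certs app.apk`.
DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M)

def normalize(fp):
    """Accept 'AA:BB:...', spaced or plain hex; return lowercase hex."""
    hexed = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hexed):
        raise ValueError("not a SHA-256 fingerprint")
    return hexed

def check(apksigner_output, package, published=None, tofu_store=None):
    """Hypothetical helper: compare the APK signer to a published or TOFU pin."""
    digests = [d.lower() for d in DIGEST_RE.findall(apksigner_output)]
    if len(digests) != 1:          # simplification: single-signer APKs only
        return "reject"
    seen = digests[0]
    if published is not None:      # fingerprint obtained out of band
        ok = hmac.compare_digest(seen, normalize(published))
        return "verified" if ok else "mismatch"
    store = tofu_store if tofu_store is not None else {}
    if package not in store:       # first contact: nothing to compare against
        store[package] = seen
        return "tofu-first-use"
    same = hmac.compare_digest(seen, store[package])
    return "matches-pin" if same else "mismatch"

# Constructed sample data (not a real app's certificate).
GOOD = "ab" * 32
SAMPLE = (
    "Signer #1 certificate DN: CN=Example Dev\n"
    f"Signer #1 certificate SHA-256 digest: {GOOD}\n"
    f"Signer #1 certificate SHA-1 digest: {'cd' * 20}\n"
)
PUBLISHED = ":".join(GOOD[i:i + 2] for i in range(0, 64, 2)).upper()

if __name__ == "__main__":
    pins = {}
    app = "org.example.app"
    print(check(SAMPLE, app, published=PUBLISHED))
    print(check(SAMPLE, app, tofu_store=pins))
    print(check(SAMPLE.replace(GOOD, "ef" * 32), app, tofu_store=pins))
```

The "tofu-first-use" result is the case the thread is arguing about: the digest is stored, but nothing vouches for it until a later install disagrees.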

> Signal publishes the fingerprint on their website: https://signal.org/android/apk/

Ah, fair point, there indeed my logic does not apply. On GitHub releases with apk downloads, I've never seen a fingerprint and including it on the GH platform itself would not help either, but indeed nothing prevents the maker from using some other place to publish key material.

Just an offtopic procedural note (I'm a mod here) - some of your comments were indeed getting caught in software filters, plus you were being rate limited (these are restrictions on new accounts because of past abuses by spammers and trolls). I've marked your account legit now so those things shouldn't happen again.