As mentioned in the release notes for /e/OS v0.19, I reported some problems in how the /e/ app installer handles app verification. Although many of them have been addressed, the installer is still vulnerable and still has some privacy issues. You can find the details at:
“Apps”, the /e/ app installer, downloads applications from CleanAPK, an intermediary which provides apps that originate from F-Droid and elsewhere.
Since apps are not downloaded directly from F-Droid or Google Play, the installer takes certain measures to protect against tampering. Unfortunately, these measures can be bypassed in the majority of cases. This means that CleanAPK (or whoever compromises it) can get maliciously modified apps installed on /e/ users’ devices, either when the user is installing a new app or during the update process.
Such an attack can be targeted at specific users, based on device information which the installer reveals to the CleanAPK server every time it checks for updates: the list of installed apps, device model, build ID, Android version and installed languages. If the installer is configured to install updates automatically (as is the default), CleanAPK can push apps to users’ devices in the background. It can install new apps, but cannot replace installed apps with different ones.
The team tackled many of the issues I reported (/e/OS v0.19 contains the fixes), but as of today (Oct 29 2021), the fundamental problem remains unsolved and the attacks described above are still possible.
The write-up shows how users can protect themselves against these potential attacks.
It also presents signs that CleanAPK uses APKPure as a source for apps.
Let me know if you have any questions.
PS: I am limited to 2 links/post, so I’ve had to remove many links.
Interesting research, thanks for posting it. Just wondering what are the odds of a weakness in the app installer being used against a large number of /e/ users? Would this be of general interest to hackers given it’s small user base?
Interesting analysis, and one more reason to use F-Droid and Aurora store, and disable Automatic updates in Apps.
A couple of points.
You don’t address what is for me the major question about Apps: who - which person or organisation - controls CleanAPK.org and where are they based. There is no information on their website - a single page as far as I can see - which addresses these questions. Why would anyone trust an organisation that will not disclose these things?
The new name ‘Murena’ does not refer to the operating system. It refers to the phones which are sold by the /e/ foundation and which run the /e/OS operating system. In the same way that ‘iOS’ is the name of Apple’s phone operating system and ‘iPhone’ is the name of the phones that run ‘iOS’. When picking holes in /e/OS code, it’s worth getting these things right (IMHO).
The user base is certainly large enough to be tempting for attackers. Let’s just hope the temptation is outweighed by the effort required to compromise CleanAPK’s server.
I don’t trust CleanAPK, nor do I fully trust any app provider. What I’m interested in is minimising the risk of compromise. The more intermediaries you have, the greater the risk, unless the app installer provides technical guarantees that apps are identical to those from the original source. If it does, then the main reason to distrust CleanAPK goes away.
Look at Debian, for instance. Debian software repositories have mirrors all around the world, but the package manager verifies signatures to ensure that the software you receive has not been tampered with. F-Droid also has mirror servers based on the same principle.
This is not the only point of concern with third party mirrors, though. Privacy is also an issue, since the mirror knows (at a minimum) which IP address requested which software package and when. Of course, if you’re downloading directly from the source, then it receives the same information, which may not be what you want if that source is Google Play.
Another issue is that a third party can hold back security updates, leaving you with vulnerable apps. I haven’t mentioned this, but it’s worth considering, especially since CleanAPK could only withhold updates for specific users and specific apps.
/e/ developers may be interested to look into The Update Framework project, as it tackles many problems related to update security.
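The mirror model described above (Debian, F-Droid), as an added example that is not part of the original thread and not /e/'s installer code: the publisher signs an index of package digests with an ed25519 key, and the client verifies both the index signature against the pinned publisher key and the downloaded package against the signed digest, so an intermediary that serves a modified package is caught. The key pair, package name and APK bytes are constructed stand-ins.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Manifest maps package name to the hex SHA-256 of its APK bytes. The
// publisher signs it; an untrusted mirror only stores and serves it.
type Manifest map[string]string

// canonical renders the manifest as sorted "name hash\n" lines so that
// signer and verifier hash exactly the same bytes regardless of map order.
func canonical(m Manifest) []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var out []byte
	for _, n := range names {
		out = append(out, n+" "+m[n]+"\n"...)
	}
	return out
}

// Sha256Hex is the per-package digest recorded in the manifest.
func Sha256Hex(data []byte) string { return fmt.Sprintf("%x", sha256.Sum256(data)) }

// Sign is done once per index by the publisher (the original repository).
func Sign(priv ed25519.PrivateKey, m Manifest) []byte { return ed25519.Sign(priv, canonical(m)) }

// VerifyDownload is the client-side check for a package fetched from any mirror:
// index signature against the pinned key, then package bytes against the signed digest.
func VerifyDownload(pub ed25519.PublicKey, m Manifest, sig []byte, name string, apk []byte) bool {
	if !ed25519.Verify(pub, canonical(m), sig) {
		return false // index altered by the mirror or not signed by the publisher
	}
	want, ok := m[name]
	return ok && want == Sha256Hex(apk) // unlisted or modified package is rejected
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed publisher key pair
	apk := []byte("constructed apk bytes")    // stands in for a real APK
	m := Manifest{"org.example.app": Sha256Hex(apk)}
	sig := Sign(priv, m)
	fmt.Println(VerifyDownload(pub, m, sig, "org.example.app", apk))                      // true
	fmt.Println(VerifyDownload(pub, m, sig, "org.example.app", []byte("mirror-modified"))) // false
}
```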
Hi @nervuri first of all thanks for detecting the issue in the App Installer and sharing the details with the development team. The team will be looking into all your suggestions and work on implementing them. Have created an issue on gitlab where these suggestions can be tracked.
Hi @nervuri, thanks for your report. Is it more secure to download apps from the developer’s website, maybe GitHub, or is it better to use F-Droid and others? What do you think? Thanks
In the ideal case, you would read and understand the source code, then compile the app yourself. But that’s a tall order.
Aside from that, I would put F-Droid first, by far. This is because F-Droid folks do more than simply build the app from source. They also weed out proprietary libraries, clearly point out anti-features and strive for reproducible builds. Plus, F-Droid is committed to libre software and couldn’t be more transparent without becoming invisible.
If F-Droid is not an option, then it depends on how much you trust the app’s developer. If you trust the dev, build the app from source or use the provided APK (and remember to keep it up to date). Otherwise, I would say it’s better to fetch the app from Google Play (via Aurora, perhaps), because Google has malware checks in place.
There is, however, something that /e/ “Apps” offers which F-Droid and Aurora don’t: the embedded privacy score (calculated by CleanAPK) and list of trackers (detected by Exodus Privacy). […]
Correction: Aurora does provide the list of trackers detected by Exodus. Also, I should have mentioned that F-Droid tags apps with the “Tracking” anti-feature when appropriate. So the text now reads:
/e/ “Apps” provides an embedded privacy score (calculated by CleanAPK) and list of trackers (detected by Exodus Privacy). However, the way in which CleanAPK calculates the privacy score is not clearly documented and I found it to be misleading at times (for instance, Tor Browser has a lower privacy score than Facebook Lite). Aurora Store also provides a list of trackers detected by Exodus Privacy. As for F-Droid, it lets you know when an app tracks and reports your activity, which is determined using a computer-assisted human review in which an Exodus Privacy report is taken into account. F-Droid checks for other anti-features as well.
I’ve been thinking about what kind of behavior the /e/ app installer encourages. When opening /e/ “Apps”, the user is greeted with a list of mostly proprietary applications with attractive images, but full of trackers. /e/ is essentially promoting these apps and, in doing so, leads its users (especially the novices) down the wrong path. A privacy-focused system encouraging users to give up their privacy.
Instead of that, the front page could contain entirely privacy-respecting free software, à la F-Droid. Users could still install whatever they wanted, but they would have to look for the junk, not have it pushed on them.
Great idea! And it would be very easy to implement: Apps already has a Show applications setting, allowing the user to choose all apps, only open source apps or only PWAs. Making only open source apps the default choice (and the first item in the list instead of the second) would be a quick win.
I think it is worth creating a ‘Feature request’ issue in gitlab for this.
Of course a better solution is to use F-Droid as the default app store in /e/OS, perhaps with Aurora Store already installed so that users can find the Android apps they expect to find if they don’t like the open source alternatives.
But /e/ have decided not to do that ‘because legal reasons’ (spurious ones IMHO, but I am not a lawyer), instead choosing to implement their own buggy apps store app, which pulls its non-FOSS apps from the anonymous cleanapk.org
As one can read, yes, I have spoken of a pure “thought”. No assertion!
The secrecy that is made around the apps app and cleanapk can already sometimes give rise to such a thought.
Also the analysis that nervuri has created does not bring confidence in the matter.
The app installer sends de facto data. (An analysis of the /e/OS app installer | nervuri).
/e/ claims that no data is collected or sent: “We don’t scan your data on your phone or in the cloud, we don’t log or track your GPS location, we don’t collect what you’re doing with your apps. We never will.” (https://e.foundation/)
Again, as I said, a pure thought. Not an assertion.
Can anyone provide proof to the contrary? Would /e/ not be well advised to comment to refute such speculation? But nothing happens, unfortunately.
If, however, it is desired that one should not raise criticism but only join in the praise, then so be it. But that also has nothing to do with freedom…
That would exclude proprietary apps from search, unless you change the setting. I would prefer that, but my suggestion is more moderate, as it would only apply to the main screen of “Apps”.