As mentioned in the release notes for /e/OS v0.19, I reported some problems in how the /e/ app installer handles app verification. Although many of them have been addressed, the installer is still vulnerable and still has some privacy issues. You can find the details at:
“Apps”, the /e/ app installer, downloads applications from CleanAPK, an intermediary which provides apps that originate from F-Droid and elsewhere.
Since apps are not downloaded directly from F-Droid or Google Play, the installer takes certain measures to protect against tampering. Unfortunately, these measures can be bypassed in the majority of cases. This means that CleanAPK (or whoever compromises it) can get maliciously modified apps installed on /e/ users’ devices, either when the user is installing a new app or during the update process.
Such an attack can be targeted at specific users, based on device information which the installer reveals to the CleanAPK server every time it checks for updates: the list of installed apps, device model, build ID, Android version and installed languages. If the installer is configured to install updates automatically (as is the default), CleanAPK can push apps to users’ devices in the background. It can install new apps, but cannot replace installed apps with different ones.
The team tackled many of the issues I reported (/e/OS v0.19 contains the fixes), but as of today (Oct 29 2021), the fundamental problem remains unsolved and the attacks described above are still possible.
The write-up shows how users can protect themselves against these potential attacks.
It also presents signs that CleanAPK uses APKPure as a source for apps.
Let me know if you have any questions.
PS: I am limited to 2 links/post, so I’ve had to remove many links.