Hi all,

Interesting problem. An open-source project gets their app removed from google play, so they post a message on mastodon that -for the time being- you can download the app via direct download.

I post a reply saying that directing people to a direct link is not a good idea, as hackers could start doing the same to spread malwhere, better use an official repo (like f-droid, where they are already on).

A typical problem of somebody who writes a genuine post, but without realising it himself writes something that is very close to what a phishing message would look like.

However, this got me thinking. What you want to avoid is that people get used to the idea that it is OK to download and install apps from a random URL. But if you point people to f-droid, they need to also download the apk for that, and configure the security on your phone that apk’s downloaded via <browser> may be installed.

I guess, the later should surely be avoided as most people will then leave that option enabled. (I had to search deep into the security setting to find the option to switch it off again).

What are your opinions on this? What would be the best way to do this and not teach people bad security habbits?

Direct download or f-droid? Other ideas? Is there a good sollution for this?

Kr.

  • redknight@infosec.pub
    link
    fedilink
    arrow-up
    3
    ·
    edit-2
    3 months ago

    Unfortunately this is a moving target, depending on what you define as your trust anchor.

    Is your anchor the original Team? Fdroid with the (reproducible) build? Something else?

    depending on the answer, the “good” solution is probably different from mine

  • lemmyng
    link
    fedilink
    arrow-up
    2
    ·
    3 months ago

    Rant: We’re living in a time where curl | bash has become normalized. This generation’s security practices are fucked.

    Back to the topic: I see it as a problem of not enough education and too much trust. People are not taught how to verify the authenticity and legitimacy of software, and put too much trust in claims of authority. It’s not just a consumer problem either, look at the CrowdStrike incident: people in the industry knew it was shit, but the decision makers kept trusting it because they are a big name. How did they become a big name? The same way a lot of other companies do, by bribing the early decision makers into using them.

    Back to consumers: it doesn’t help that there’s no first class sandboxing features. Both Android and iOS rely heavily on app store controls. Sure, there are some system controls, but the user has barely any agency over them.

    • kristoff@infosec.pubOP
      link
      fedilink
      arrow-up
      2
      ·
      3 months ago

      Well, in principe I do not see that much different between ‘curl | bash’, ‘sudo apt-get install’ or installing an app on your phone. In the end, it all depends on trust.

      Considering how complex software has become and on how many libraries from all over the internet any application that does more then ‘hello world’ depend, I do not see how you can do if you are not prepared to put blind trust into some things.

      Concerning CrowdStrike, I am just reading an book on human behaviour (very interesting for everybody who is interested in cybersecurity), and I am just on the chapter about the fear of deciding with unknown parameters vs. the fear of not deciding at all. Any piece of software will brake at some point, so will you wait forever to find something that will not have any vulnerabilities?

  • jaredj@infosec.pub
    link
    fedilink
    arrow-up
    2
    ·
    3 months ago

    A name I’ve seen in connection with this issue is Obtainium. From a cursory look, it appears this just streamlines checking for and getting apk’s from GitHub release pages and other project-specific sources, rather than adding any trust. So maybe it just greases the slippery slope :)

    Security guidelines for mobile phones, and therefore policies enforced by large organizations (think Bring-Your-Own-Device), are likely to say that one may only install apps from the platform-provided official source, such as the Play Store for Android or the Apple App Store for iOS. You might say it’s an institutionalized form of “put[ting] too much trust in claims of authority.” Or you might say that it’s a formal cession of the job of establishing software trustworthiness to the platform vendors, at the mere expense of agency for users on those platforms.

    People are not taught how to verify the authenticity and legitimacy of software

    Rant: Mobile computing as we know it is founded on the rounding off of the rough corner of user agency, in order to reduce the amount users need to know in order to be successful, and to provide the assurances other players need, such as device vendors, employers, banks, advertisers, governments, and copyright holders. See The Coming War on General Computation, Cory Doctorow, 2011. Within such a framework, the user is not a trustworthy party, so the user’s opinion of authenticity and legitimacy, however well informed, doesn’t matter.

    • kristoff@infosec.pubOP
      link
      fedilink
      arrow-up
      2
      ·
      3 months ago

      Obtainium seems to have a very interesting take on this. Thanks for the link! I will check it out 👍

  • gencha@lemm.ee
    link
    fedilink
    arrow-up
    1
    ·
    3 months ago

    It’s good to have established release channels that don’t rely on third parties in the first place. Everything beyond that is for convenience and strictly optional.

    • kristoff@infosec.pubOP
      link
      fedilink
      arrow-up
      1
      ·
      3 months ago

      The problem is here is this: how is a user supposted to know if the official website of an application is organicmaps.app, organic-maps.app, organicmaps.org or github.com/organicmaps?

      And even if she/he knows, hackers do ways to make you look the other way. The funny thing in this case is that the original author complained that the app was removed from google playstore, and did so on the fosstodon mastodon-server. Although I guess this was not at planned, he made the almost perfect social-engineering post. :-)

      • gencha@lemm.ee
        link
        fedilink
        arrow-up
        1
        ·
        3 months ago

        I totally agree with you on the phishing aspect. Good thinking.

        I would prefer it if people already knew the domain from prior association. I still download desktop software regularly on the developer website, even though I am also aware that this is not without safety concerns. I know this is an unrealistic expectation at this point, but I dislike that the Google/Apple Stores have more trust, even though they regularly publish fake apps or apps with security/privacy issues.

        Ultimately, publish on multiple channels regularly and let your users be aware of alternatives. Then they are enabled to switch when they need to, and it might also be easier for new users to recognize which release channels are official

  • lurch (he/him)@sh.itjust.works
    link
    fedilink
    arrow-up
    1
    ·
    3 months ago

    I don’t trust f-droid as well, because some of its apps crash the (un)installer and can therefore never be removed.

    However, you need a trustworthy party and they have to digitally sign the APK after checking the code (changes) and compiling it themselves. They can also sign messages they send to the public.

    • kristoff@infosec.pubOP
      link
      fedilink
      arrow-up
      2
      ·
      edit-2
      2 months ago

      Hum , interesting point. If you are a hacker, would you not prefer software to be spread out everywhere so people would be even more confused what is the real source for some application?

      I guess people would then just depend on their search engine