If you run a binary repo using fdroidserver and plan to update to the latest code, make sure to first study https://gitlab.com/fdroid/fdroidserver/-/merge_requests/1466 and https://gitlab.com/fdroid/fdroidserver/-/issues/1128. In short, despite multiple warnings, changes were applied which will reject several legitimate and absolutely fine APKs, e.g. ones using key rotation. You will no longer be able to keep those in your repo once you've updated fdroidserver to that. Cases might be few, so you might be affected or not, but please check to make sure.
@IzzyOnDroid In the F-Droid dev collection of roughly 260,000 APKs, both proper apps and malware, I have not found any that matches those conditions. If anyone knows of any, please post it!
There is a dynamic that arises when there is a growing difference between the amount of maintenance required and the available developer time. The maintainers need help to keep up. Until then, they need to ensure that the essentials are maintained. That in turn makes it harder for others to contribute, because the maintainer cannot afford to take any risks that might trigger unexpected work sometime later. So the maintainers have less time to review, less time to help complete merge requests, etc. 1/
@IzzyOnDroid @obfusk @fdroidorg You just published this wide open, yet before, you wouldn't even send us the PoC code that you had? I think you two need to learn what #ResponsibleDisclosure means.
@IzzyOnDroid @obfusk @fdroidorg Part of the bug was known 11 months ago. The new proof-of-concept shows key details that were not previously known nor reported in the issue. Those were just dumped to the public. We asked for that yesterday, and you didn't send it to us, but withheld it to now publicly dump it. That code was posted to GitHub yesterday: https://github.com/obfusk/fdroid-fakesigner-poc/commits/master/
You could have just sent us that link yesterday before tooting it, that would have been better.
@IzzyOnDroid @obfusk @fdroidorg All I'm asking for is #ResponsibleDisclosure. The tone you sense was my panic as I scrambled to figure out the proof-of-concept to ensure that #FDroid users are kept safe. Signature verification is a key part of that. I cleared my schedule this morning to deal with this.
If a binary repo maintainer is not careful about where they get their APKs and relies completely on AllowedAPKSigningKeys to verify the APKs, then this is an important issue.
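The allowlist check referred to above, as an added example that is not part of the original post, of fdroidserver, or of the linked proof-of-concept. It reads the text printed by `apksigner verify --verbose --print-certs some.apk` (the sample output, fingerprints and allowlist below are constructed) and accepts an APK only when apksigner itself reported that the APK verifies and every signer's certificate fingerprint is on the allowlist. Fingerprints are the SHA-256 of the DER signing certificate as lowercase hex, the form fdroidserver's AllowedAPKSigningKeys field uses. The point of taking the fingerprint from the verifier's own report is that the allowlisted key is compared against the certificate that actually verified, rather than against a certificate extracted by separate parsing.

```python
"""Allowlist check for APK signing certificates.

Added example, not code from fdroidserver or the PoC linked above. It
parses what `apksigner verify --verbose --print-certs` prints and accepts
the APK only if apksigner reported success and every signer's SHA-256
certificate fingerprint is allowlisted (AllowedAPKSigningKeys form).
"""
import re

# Constructed sample of apksigner output: one signer, v1+v2+v3 verified.
# The digests are arbitrary test values, not a real developer's certificate.
SAMPLE_OUTPUT = """\
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
Signer #1 certificate DN: CN=Example Developer, O=Example
Signer #1 certificate SHA-256 digest: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
Signer #1 certificate SHA-1 digest: a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
Signer #1 certificate MD5 digest: 098f6bcd4621d373cade4e832627b4f6
WARNING: META-INF/example.version not protected by signature.
"""

# Constructed allowlist: lowercase hex SHA-256 of the expected signing cert.
ALLOWED_KEYS = ["9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"]

_SCHEME = re.compile(r"^Verified using (v[0-9.]+) scheme \(.*\): (true|false)$")
_DIGEST = re.compile(r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-fA-F]{64})$")
_COUNT = re.compile(r"^Number of signers: (\d+)$")


def parse_apksigner_verify(output):
    """Collect what apksigner reported: verdict, per-scheme results,
    declared signer count, and each signer's SHA-256 fingerprint."""
    info = {"verifies": False, "schemes": {}, "count": None, "signers": {}}
    for raw in output.splitlines():
        line = raw.strip()
        if line == "Verifies":
            info["verifies"] = True
        elif m := _SCHEME.match(line):
            info["schemes"][m.group(1)] = m.group(2) == "true"
        elif m := _COUNT.match(line):
            info["count"] = int(m.group(1))
        elif m := _DIGEST.match(line):
            info["signers"][int(m.group(1))] = m.group(2).lower()
    return info


def signer_allowed(output, allowed_keys, require_modern_scheme=True):
    """True only if apksigner verified the APK and every signer is allowlisted.

    Design choice of this example (not an apksigner or fdroidserver rule):
    by default an APK that verifies only under the legacy v1 (JAR) scheme
    is refused; pass require_modern_scheme=False to accept v1-only APKs.
    """
    info = parse_apksigner_verify(output)
    allowed = {k.strip().lower() for k in allowed_keys}
    if not info["verifies"]:
        return False
    if require_modern_scheme and not (info["schemes"].get("v2") or info["schemes"].get("v3")):
        return False
    digests = list(info["signers"].values())
    # Every declared signer must have been seen, and each must be allowlisted.
    if not digests or info["count"] != len(digests):
        return False
    return all(d in allowed for d in digests)


if __name__ == "__main__":
    print("accepted" if signer_allowed(SAMPLE_OUTPUT, ALLOWED_KEYS) else "rejected")
```

In a real pipeline the exit status of apksigner is checked as well as its text, and the allowlist for an app that has rotated keys must contain the fingerprint of the certificate apksigner reports as the current signer.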
@IzzyOnDroid @fdroidorg I'm happy to see @obfusk continuing with the very important work on #APK signature analysis and the related tooling. I was worried she had stopped working on it after quitting F-Droid. That work is bigger than F-Droid; it is otherwise missing in the Android ecosystem.
MonsterMusic: local music player with equalizer & more
Recording WebCam: cam that shoots images and videos and can upload them to a server of your choice
Further, fdroidserver has been updated to the latest code with the repo name bug adjusted and an extra security patch applied. Details on the latter will follow as soon as its author has published them, and will hopefully be picked up by @fdroidorg then as well.
@IzzyOnDroid @fdroidorg I looked around but could not find any message from you about this anywhere. If you think this is an important security bug, then please submit what you have ASAP so we can handle it. #ResponsibleDisclosure
I keep brooding on the way the xz backdoor was enabled in significant part via weaponizing the FOSS culture of shitty behavior and abuse.
Yes, there are other pathologies at work here (the big tech capitalist pillaging of the commons, etc.).
But what is striking is that the uncool, mean standards of FOSS conduct that many of us have decried for years, & that many defended as authentic, tough, etc., ended up not just being exclusionary loser behavior, but a significant attack surface.
@Mer__edith It seems pretty off base to call that FOSS culture. In my 30 years of working in FOSS, the people who are actually immersed in FOSS are much nicer and more helpful than people in general. It is the people who treat FOSS contributors of any kind as some kind of service provider that are the shitty ones. Way back, I worked in corporate tech support, and got treated like shit. So often, I see people laying that kind of crap on volunteer FOSS devs on the internet. That is not FOSS culture.
Three years ago, #FDroid had a similar kind of attempt as the #xz #backdoor. A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a #SQLinjection #vuln. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think it's relevant now.
@sehe @gentoobro Free software passion projects are wonderful things. Payment often kills the passion that makes them great. Maintenance of infrastructure is not a passion project, and that is what we all should be paying for. I see the #EU moving towards this kind of funding. There are many opportunities for doing this well: for example, orgs like the #NSA get billions to improve #cyber-defense. But they are subordinate to the offensive side who want the 0days. This needs to be exactly the opposite.
@setiathome @kuketzblog @IzzyOnDroid Unfortunately not, but we discovered that ourselves. I don't understand what exactly "LibraryCheck" is. F-Droid issuebot uses fdroid/suss for non-free libraries, Exodus ETIP for tracking, and @IzzyOnDroid himself developed iod-scan-apk.php as part of issuebot. What is left?
Nice idea to check usesCleartextTraffic, but that particular check isn't worth much since, as the docs say:
> This flag is ignored on Android 7.0 (API level 24) and above if an Android Network Security Config is present.
Sounds like the IzzyOnDroid scanner would not catch an app that sets android:usesCleartextTraffic="false" and then, in the Network Security Policy, sets <base-config cleartextTrafficPermitted="true" />. From what I've seen, most apps use Network Security Policy anyway.
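The rule quoted above, worked through as an added example that is not part of the original post or of the IzzyOnDroid scanner: on Android 7.0 (API 24) and later an app that ships a Network Security Config takes its cleartext policy from that config and the manifest flag is ignored, so a scanner that reads only android:usesCleartextTraffic misses the case described. The manifest and config strings are constructed sample data; the element and attribute names, and the targetSdk 28 defaults, are those of the Android documentation.

```python
"""Effective cleartext (plain HTTP) policy of an Android app.

Added example, not code from the IzzyOnDroid scanner or any F-Droid tool.
Combines the manifest flag android:usesCleartextTraffic, a Network Security
Config (if referenced), the app's targetSdkVersion and the device API level.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest: the flag says "no cleartext", but a config is referenced.
MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.example.app">
  <uses-sdk android:minSdkVersion="24" android:targetSdkVersion="33"/>
  <application android:usesCleartextTraffic="false"
               android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>
"""

# Constructed res/xml/network_security_config.xml: re-enables cleartext for
# every host except one API domain and its subdomains.
NETWORK_SECURITY_CONFIG = """\
<network-security-config>
  <base-config cleartextTrafficPermitted="true"/>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">api.example.org</domain>
  </domain-config>
</network-security-config>
"""


def parse_manifest(manifest_xml):
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    app = root.find("application")
    target = int(sdk.get(ANDROID + "targetSdkVersion", "1")) if sdk is not None else 1
    flag = app.get(ANDROID + "usesCleartextTraffic") if app is not None else None
    return {
        "target_sdk": target,
        "uses_cleartext": None if flag is None else flag == "true",  # None: platform default
        "has_nsc": app is not None and app.get(ANDROID + "networkSecurityConfig") is not None,
    }


def _bool_attr(elem, name, inherited):
    value = elem.get(name)
    return inherited if value is None else value == "true"


def nsc_cleartext_permitted(nsc_xml, host, target_sdk):
    """Verdict for `host` under the config. base-config defaults to permitted
    below targetSdk 28 and denied from 28 on; domain-configs inherit from their
    parent, and the most specific matching domain wins."""
    root = ET.fromstring(nsc_xml)
    permitted = target_sdk < 28
    base = root.find("base-config")
    if base is not None:
        permitted = _bool_attr(base, "cleartextTrafficPermitted", permitted)
    host = host.lower().rstrip(".")
    matches = []  # (domain length as specificity, verdict)

    def walk(config, inherited):
        verdict = _bool_attr(config, "cleartextTrafficPermitted", inherited)
        for dom in config.findall("domain"):
            name = (dom.text or "").strip().lower()
            include_sub = dom.get("includeSubdomains", "false") == "true"
            if host == name or (include_sub and host.endswith("." + name)):
                matches.append((len(name), verdict))
        for child in config.findall("domain-config"):
            walk(child, verdict)

    for config in root.findall("domain-config"):
        walk(config, permitted)
    return max(matches)[1] if matches else permitted


def cleartext_permitted(manifest_xml, nsc_xml, host, device_api):
    """Effective verdict. nsc_xml is None when no config is shipped."""
    m = parse_manifest(manifest_xml)
    if device_api < 23:
        return True  # the flag did not exist before API 23; cleartext was always allowed
    flag = m["uses_cleartext"] if m["uses_cleartext"] is not None else m["target_sdk"] < 28
    if device_api < 24 or not m["has_nsc"] or nsc_xml is None:
        return flag
    return nsc_cleartext_permitted(nsc_xml, host, m["target_sdk"])  # flag ignored here


def flag_contradicted_by_config(manifest_xml, nsc_xml):
    """The scanner gap discussed above: manifest says no cleartext, but the
    config's base-config permits it for every host without a domain rule."""
    m = parse_manifest(manifest_xml)
    if m["uses_cleartext"] is not False or not m["has_nsc"] or nsc_xml is None:
        return False
    base = ET.fromstring(nsc_xml).find("base-config")
    base_permitted = m["target_sdk"] < 28
    if base is not None:
        base_permitted = _bool_attr(base, "cleartextTrafficPermitted", base_permitted)
    return base_permitted
```

A scanner that wants to report the manifest flag honestly therefore has to resolve android:networkSecurityConfig to the resource inside the APK and evaluate it per host, as the last two functions do.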
The #DigitalMarketsAct mandates Meta to "enable end users to freely choose to opt-in to [combining or cross-using personal data] by offering a less personalised but equivalent alternative".
When I pointed out to Meta that offering users the choice to either #consent to #SurveillanceAds or pay € 275 per year for #Instagram & #Facebook isn't an "equivalent alternative", they said Meta has to do that because of #GDPR 😤 Really??
@santiago @ilumium Hmm, I don't think that's entirely true. Google makes a lot of money at very high profit margins from Google Play. They are not DMA compliant; they just have a very different strategy than Apple. #Android started out being open source to attract developers, so Google built their monopoly upon a more open platform. To do so, they've mastered dark patterns, nudging, and security as monopoly enforcement, integrated into the best tech in key areas (e.g. search).
#Debian has been moving more towards the deb.debian.org mirror which is provided by a single CDN company, #Fastly. It works well, but also feeds an enormous amount of #metadata to a single company, and it can be used to track computers and maybe even people. And the privacy policy in effect is unclear. Fastly says the #privacy policy of the "subscriber" applies, but the privacy policy for deb.debian.org is not listed anywhere I could find. Anyone have any insight here?
@andydavies @neil I'm looking for actual privacy policies, since those would be legally binding and the company could be held liable for violations. I've seen a lot of language like that; it promises little, since it has broad, vague exceptions like "except where explicitly stated in the Documentation and related to the functional performance of the services". Like, if some gov asks nicely for data, would handing it over be considered "functional performance of the services"?
Joined the Signal username land grab, got the usual handle. Question arises: Best practices on posting/sharing. At the moment you have to know my phone # to Signal me, but that’s very easy to figure out. So, initially inclined to just post the username. Hmmmmmm…
@timbray Using a well-known username for #Signal is a recipe for receiving lots of spam. I'll bet that's the main reason why Signal does not currently have much spam. I'm pretty sure I'm not going to use my public handle. Signal does well with smaller numbers of people and less active chats. Very active chats or large groups are quite painful in my experience as compared to @element. Signal's use case is communicating with people you know, while #Matrix, #IRC and #Mastodon are for big/active groups.
@austin @dreua @timbray Right, just like with an email address or even a phone number. My point is that people should assume that this Signal username has all the same downsides as other systems with user-selected identifiers and treat it accordingly.
@vitriolix I've watched a bit, #Putin is sure good at "truthiness"! He gives this whole lecture about various kings etc then says things like "In 1939... western Ukraine was to be given to Russia. Thus Russia, which was then named USSR, regained its historical lands". Except the USSR was never Russia, it was many states including the Russian Soviet Federative Socialist Republic and the Ukrainian Soviet Socialist Republic, which were always distinct entities in the USSR. I call bullshit