Reproducible Android app builds
The subject of reproducible builds is a popular topic of late in the free-software world, with major projects—such as Debian and Tor—making it a high priority. Although compiling verifiable, reproducible binaries on desktop and server systems is a significant engineering problem, there is even more complexity to the problem on mobile platforms, where a single vendor can act as gatekeeper and can impose rules on the app-distribution model that get in the way. Nevertheless, F-Droid and the Guardian Project have undertaken an effort to make reproducible builds feasible for Android apps, so that users can independently establish that the packages they install correspond to the source code that is published.
The Guardian Project develops security- and privacy-enhanced mobile apps: encrypted text chat, encrypted voice calling, Tor-based web browsing, and so forth. Although there are a few Guardian Project applications that run on other platforms, most of its apps target Android. All of the source code is available, but—naturally enough—the users for whom security and privacy are most critical may also have cause to be suspicious that an app installed via the Google or Amazon app store has been compromised.
This is where F-Droid, an entirely free-software Android app repository, comes into the picture. Every app package published in the F-Droid repository can be built from source, because only apps under free-software licenses are allowed. Thus, choosing apps from F-Droid does make it theoretically possible for users to verify not just that the package has not been tampered with since it was built, but that the app's binary corresponds to a specific source code release. Of course, a similar guarantee would accompany having users compile apps locally themselves, but that defeats the purpose of having an app repository altogether.
Furthermore, Android apps are supposed to carry a signature from the developer, not from the repository: the signing key identifies the app's author, and Android will only accept an update that is signed with the same key as the installed package. Historically, F-Droid has used its own per-app signing keys to sign the .apk packages that it distributes—but those signatures are, in a sense, weaker than a signature from the upstream app developer, since the repository could have altered the code between fetching the source and signing the build. If it could be shown that the upstream source release compiles into a binary that is bit-for-bit identical to the one served up by the repository, though, that would allow the user to rest assured that no malicious code has been inserted and nothing important has been removed or altered.
This is essentially the approach under development. The F-Droid publication framework downloads a signed binary app from the upstream developer, then builds a new .apk itself from the upstream source bundle and build recipe. The publication system then compares its (unsigned) .apk to the payload portion of the .apk bearing the upstream signature—that is, everything except the signature files the signer adds under META-INF/. If the two match, then users can see that the code was not tampered with during F-Droid's build process. There are several tools available for checking the signature of an Android app, though the feature is not exposed during normal installation.
For this process to work, of course, both the upstream app developer and the F-Droid build system must use the same reproducible build process to create the .apk file in question. The Guardian Project has been working on this task since early 2014. In June of that year, the first reproducible build was released: Lil'Debi version 0.4.7.
Lil'Debi is a developers' tool, not an end-user application; it bootstraps a chroot-ed Debian environment on an Android phone. But the exercise proved that the deterministic build process was possible, with a few caveats—namely, that compatible versions of the JDK and other build tools be used on each system. The build process requires a few additional precautions to produce bit-for-bit identical builds. Specifically, the entries in the .apk file (which is a zip archive) must be written in the same order for each build, and faketime must be used so that the timestamps recorded for each entry match. After Lil'Debi's 0.4.7 release, the Guardian Project released a shell script that users can use to compare two .apk files.
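The comparison described above—stripping the upstream signature and checking whether the remaining payload matches F-Droid's unsigned build—together with the two reproducibility pitfalls just mentioned (entry order and timestamps) can be demonstrated in a few lines of Python. The following is an added example written for this article; it is not the Guardian Project's comparison script, and the sample "APKs" it compares are tiny zip archives constructed in memory rather than real Android packages. The payload/signature split it assumes is the JAR (v1) signing layout: a signer adds META-INF/MANIFEST.MF plus a .SF and .RSA/.DSA/.EC pair, and everything else is payload.

```python
import hashlib
import io
import zipfile

# Files a JAR (v1) signer adds under META-INF/; everything else is payload.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name):
    """True for the entries a signer adds, which an unsigned build will not have."""
    if not name.startswith("META-INF/"):
        return False
    upper = name.upper()
    return upper == "META-INF/MANIFEST.MF" or upper.endswith(SIGNATURE_SUFFIXES)


def payload_entries(apk_bytes):
    """Return [(name, date_time, sha256)] for the payload entries, in archive order."""
    entries = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if is_signature_entry(info.filename):
                continue
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            entries.append((info.filename, info.date_time, digest))
    return entries


def payload_hash(apk_bytes):
    """Order-independent hash over (name, content) of the payload only."""
    h = hashlib.sha256()
    for name, _dt, digest in sorted(payload_entries(apk_bytes)):
        h.update(name.encode() + b"\0" + digest.encode() + b"\n")
    return h.hexdigest()


def compare_apks(signed_upstream, unsigned_rebuild):
    """Compare an upstream-signed .apk against an unsigned rebuild.

    payload_match answers the security question (same code?); same_order and
    same_timestamps are the two things that must also agree before the two
    archives can be bit-for-bit identical.
    """
    a, b = payload_entries(signed_upstream), payload_entries(unsigned_rebuild)
    digests_a = {name: digest for name, _, digest in a}
    digests_b = {name: digest for name, _, digest in b}
    differing = sorted(n for n in set(digests_a) | set(digests_b)
                       if digests_a.get(n) != digests_b.get(n))
    return {
        "payload_match": not differing,
        "same_order": [n for n, _, _ in a] == [n for n, _, _ in b],
        "same_timestamps": [(n, t) for n, t, _ in a] == [(n, t) for n, t, _ in b],
        "differing": differing,
    }


# --- constructed sample input (not a real Android package) -------------------
SAMPLE_FILES = {
    "AndroidManifest.xml": b"<manifest package='org.example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 16,
    "res/layout/main.xml": b"<LinearLayout/>",
    "resources.arsc": b"\x02\x00\x0c\x00",
}


def make_apk(files, signed=False, order=None, date_time=(1980, 1, 1, 0, 0, 0)):
    """Build a toy .apk: payload entries in `order` with a fixed timestamp,
    plus placeholder signature files when signed=True (a real signer writes a
    manifest of entry digests and a PKCS#7 blob; their contents are irrelevant
    here because the comparison ignores them)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in (order or sorted(files)):
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name])
        if signed:
            for name, body in (("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
                               ("META-INF/CERT.SF", b"Signature-Version: 1.0\n"),
                               ("META-INF/CERT.RSA", b"\x30\x82placeholder")):
                zf.writestr(zipfile.ZipInfo(name, date_time=date_time), body)
    return buf.getvalue()


if __name__ == "__main__":
    upstream = make_apk(SAMPLE_FILES, signed=True)
    print("clean rebuild  :", compare_apks(upstream, make_apk(SAMPLE_FILES)))
    print("wrong order    :", compare_apks(upstream, make_apk(
        SAMPLE_FILES, order=sorted(SAMPLE_FILES, reverse=True))))
    print("no faketime    :", compare_apks(upstream, make_apk(
        SAMPLE_FILES, date_time=(2015, 2, 11, 12, 0, 0))))
    print("tampered dex   :", compare_apks(upstream, make_apk(
        dict(SAMPLE_FILES, **{"classes.dex": b"dex\n035\x00evil"}))))
```

Note the distinction the result makes: a rebuild that differs only in entry order or timestamps still has `payload_match` true, so the code is the same, but it is not yet a reproducible build in the bit-for-bit sense, which is exactly why the sorted-entries and faketime precautions are needed before the two archives can be expected to hash identically.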
On February 11, F-Droid published its first verifiable, reproducible Guardian Project app: Checkey, a tool for checking Android app signatures. At present, the Checkey .apk provided through the F-Droid repository is the binary built and signed by the Guardian Project; its payload has simply been verified to hash identically to the binary built by F-Droid. The long-term plan, however, is to deliver the F-Droid binary with the upstream project's signature extracted and then re-attached, then signed a second time with the F-Droid signing key. The JAR-based signature format that Android uses for .apk files supports multiple signatures on a single file, so long as both signers use compatible signing settings.
Moving forward, the Guardian Project's LocationPrivacy app and the LEAP Encryption Access Project's BitMask app are the next two apps to be built using the reproducible build process. Ultimately, the F-Droid project hopes to make its reproducible build system available to users at large, so that anyone can independently verify that an .apk package has not been altered between its upstream release and when it was downloaded by the user.
Android users who are concerned about app integrity may not amount to a majority in the mobile application space, but the special cases of today often have a way of becoming the widespread concerns of tomorrow. Even if F-Droid remains the only mobile-app distributor to offer verifiable app packages, users stand to benefit from having somewhere to turn for increased security.
Index entries for this article: Security / Deterministic builds