Distributions

Reproducible Android app builds

By Nathan Willis
February 18, 2015

The subject of reproducible builds is a popular topic of late in the free-software world, with major projects—such as Debian and Tor—making it a high priority. Although compiling verifiable, reproducible binaries on desktop and server systems is a significant engineering problem, there is even more complexity to the problem on mobile platforms, where a single vendor can act as gatekeeper and can impose rules on the app-distribution model that get in the way. Nevertheless, F-Droid and the Guardian Project have undertaken an effort to make reproducible builds feasible for Android apps, so that users can independently establish that the packages they install correspond to the source code that is published.

The Guardian Project develops security- and privacy-enhanced mobile apps: encrypted text chat, encrypted voice calling, Tor-based web browsing, and so forth. Although there are a few Guardian Project applications that run on other platforms, most of its apps target Android. All of the source code is available, but—naturally enough—the users for whom security and privacy are most critical may also have cause to be suspicious that an app installed via the Google or Amazon app store has been compromised.

This is where F-Droid, an entirely free-software Android app repository, comes into the picture. Every app package published in the F-Droid repository can be built from source, because only apps under free-software licenses are allowed. Thus, choosing apps from F-Droid does make it theoretically possible for users to verify not just that the package has not been tampered with since it was built, but that the app's binary corresponds to a specific source code release. Of course, a similar guarantee would accompany having users compile apps locally themselves, but that defeats the purpose of having an app repository altogether.

Furthermore, Android apps are supposed to carry a signature from the developer, not from the repository. Historically, F-Droid has used per-app signing keys to sign the .apk packages that it distributes—but those signatures are, in a sense, weaker than a signature from the upstream app developer, since some sort of alteration could have been made to the code by the repository. If it could be shown that the upstream source release compiles into a binary that is bit-for-bit identical to the one served up by the repository, though, that would also allow the user to rest assured that no malicious code has been inserted and nothing important has been removed or altered.

This is essentially the approach under development. The F-Droid publication framework downloads a signed binary app from the upstream developer, then builds a new .apk itself from the upstream source bundle and build recipe. The publication system then compares its (unsigned) .apk to the payload portion of the .apk bearing the upstream signature. If the two match, then users can see that the code was not tampered with during F-Droid's build process. There are several tools available for checking the signature of an Android app, though the feature is not exposed during normal installation.

For this process to work, of course, both the upstream app developer and the F-Droid build system must use the same reproducible build process to create the .apk file in question. The Guardian Project has been working on this task since early 2014. In June of that year, the first reproducible build was released: Lil'Debi version 0.4.7.

Lil'Debi is a developers' tool, not an end-user application; it bootstraps a chroot-ed Debian environment on an Android phone. But the exercise proved that the deterministic build process was possible, with a few caveats—namely, that compatible versions of the JDK and other build tools be used on each system. The build process requires a few additional precautions to produce bit-for-bit identical builds. Specifically, the contents of the .apk file must be sorted into the same order for each build, and faketime must be used to ensure that the timestamps match. After Lil'Debi's 0.4.7 release, the Guardian Project released a shell script for users to compare two .apk files with.
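The payload comparison described above (an unsigned F-Droid build against the upstream-signed .apk, with the signature set aside) and the two-.apk comparison script mentioned here, as an added example that is not the Guardian Project's or F-Droid's own code: an .apk is a zip, and a v1 (JAR) signature lives entirely under META-INF/, so those entries are skipped and every other entry must be byte-identical. The sample .apk contents are constructed in-memory stand-ins.

```python
"""Compare the payload of two Android .apk files, ignoring the JAR signature.

Added example, not the Guardian Project's or F-Droid's own script. The v1
signature lives under META-INF/ (MANIFEST.MF, *.SF, *.RSA/*.DSA/*.EC), so
those entries are skipped; every other entry must be present in both files
with byte-identical contents. Entry timestamps are not compared (the
article's faketime step is what keeps them equal inside the zip).
"""
import hashlib
import io
import zipfile

SIGNATURE_SUFFIXES = (".MF", ".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name):
    """True for JAR-signature files under META-INF/ (excluded from the comparison)."""
    return name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)


def payload_digests(apk_bytes):
    """Map each non-signature entry name to the SHA-256 of its content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not is_signature_entry(info.filename)
        }


def compare_apks(unsigned_apk, signed_apk):
    """Return the sorted names of entries whose payload differs; [] means a match.

    An entry present in only one file is reported too, so an added or removed
    file is caught, not just a modified one.
    """
    a, b = payload_digests(unsigned_apk), payload_digests(signed_apk)
    return sorted(name for name in set(a) | set(b) if a.get(name) != b.get(name))


def build_apk(entries):
    """Build a constructed in-memory .apk from {name: bytes}, entries sorted by name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(entries):
            zf.writestr(name, entries[name])
    return buf.getvalue()


# Constructed sample content standing in for a real app's manifest and dex.
PAYLOAD = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\0"}
SIGNATURE = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
             "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
             "META-INF/CERT.RSA": b"\x30\x82"}
```

Running `compare_apks(build_apk(PAYLOAD), build_apk({**PAYLOAD, **SIGNATURE}))` returns an empty list, while a modified `classes.dex` or an extra entry in either file is reported by name.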

On February 11, F-Droid published its first verifiable, reproducible Guardian Project app: Checkey, a tool for checking Android app signatures. At present, the Checkey .apk provided through the F-Droid repository is the binary built and signed by the Guardian Project; the package has just been verified to generate the same hash as the binary built by F-Droid. The long-term plan, however, is to deliver the F-Droid binary with the upstream project's signature extracted and then re-attached, then signed a second time with the F-Droid signing key. GnuPG supports checking multiple signatures in a single file, so long as the same cipher preferences are used for both signatures.

Moving forward, the Guardian Project's LocationPrivacy app and the LEAP Encryption Access Project's BitMask app are the next two apps to be built using the reproducible build process. Ultimately, the F-Droid project hopes to make its reproducible build system available to users at large, so that anyone can independently verify that an .apk package has not been altered between its upstream release and when it was downloaded by the user.

Android users who are concerned about app integrity may not amount to a majority in the mobile application space, but the special cases of today often have a way of becoming the widespread concerns of tomorrow. Even if F-Droid remains the only mobile-app distributor to offer verifiable app packages, users stand to benefit from having somewhere to turn for increased security.

Brief items

Distribution quotes of the week

Alas, the resulting distribution is still hopelessly compromised by the NSA, who might be even worse than Lennart Poettering. To see how deep the tendrils of US government infiltration go, just try removing libselinux1, and marvel at how much concerted malevolent effort has gone into destroying your freedom.
-- Russ Allbery

Unfortunately cryptography is [as] strong as the weakest link, and in the WoT [web of trust] the weakest link is weaker than not having the key signed at all because a signature that doesn't exist doesn't introduce noise. Debian tries to get around this by insisting your key is signed by somebody it does "know" (ie, DD). Sadly, not all DD's are complete pains in the arse, and Debian security ends up being as weak as the weakest of them.
-- Russell Stuart

Makulu is, in my opinion, an unusual creation. It is a distribution which bucks current trends in visual themes, in default applications and in focus. It is a platform that is both fairly stable (thanks to its Debian base) and experimental. I am a little surprised a 64-bit build is not available, but for now a 32-bit build with PAE will probably suit the needs of most people. Makulu is, in my opinion, worth trying just because it is marching to the beat of its own drum and doing a pretty good job of being a general purpose desktop operating system too.
-- Jesse Smith (DistroWatch review)

End of the m0n0wall project

The first version of m0n0wall, a FreeBSD-based firewall distribution, was released 12 years ago. Now Henri Salo has announced an end to the project. "m0n0wall has served as the seed for several other well known open source projects, like pfSense, FreeNAS and AskoziaPBX. The newest offspring, OPNsense, aims to continue the open source spirit of m0n0wall while updating the technology to be ready for the future. In my view, it is the perfect way to bring the m0n0wall idea into 2015, and I encourage all current m0n0wall users to check out OPNsense and contribute if they can."

Distribution News

Debian GNU/Linux

DebConf15: Call for Sprints

The DebConf15 team has issued a call for sprints. The team will be hosting sprints (providing logistics for working space, food and accommodation) during the week of DebCamp (August 10-14). There may also be sprints during DebConf (August 15-22). Both DebCamp and DebConf will be held in Heidelberg, Germany.

Debian Trademark Team

Debian project leader Lucas Nussbaum has announced that, after nearly 2 years of activity, the Debian Trademark Team is now official. Richard Hartmann, one of the delegated members of the team, has posted an introduction to the team. Other members include Brian Gupta and Joe Healy.

Newsletters and articles of interest

Linux for Astronomers (Linux Journal)

Over at Linux Journal, Joey Bernard looks at Distro Astro, which is a Linux distribution for astronomy. It collects programs of interest to those running telescopes and planetariums, including various image collection and processing applications. "After aiming your telescope, you need to collect some images or do some astrophotography. While you can do some of this with software like KStars, you have software specifically designed to do image capture. Some, like wxAstroCapture, are specifically written for use in astronomy. With it, you can set up automatic guiding and batch image collection. You then can go have a nice hot cup of coffee while your telescope collects your data. To help you keep track of all of these observations, you can use the Observation Manager, a logging program to maintain your records."

Page editor: Rebecca Sobol


Copyright © 2015, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds