From 074cd93406fd52f904799d467b7c3be282d9e2b0 Mon Sep 17 00:00:00 2001 From: Wonderfall Date: Fri, 25 Feb 2022 03:28:32 +0100 Subject: [PATCH] add info about amazon and huawei --- content/posts/fdroid-issues.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/content/posts/fdroid-issues.md b/content/posts/fdroid-issues.md index 744fa65..f34963a 100644 --- a/content/posts/fdroid-issues.md +++ b/content/posts/fdroid-issues.md 
@@ -36,6 +36,12 @@ F-Droid's answer, interesting yet largely unused, is [build reproducibility](htt Google's approach is [code transparency for app bundles](https://developer.android.com/guide/app-bundle/code-transparency), which is a simple idea addressing some of the concerns with Play App Signing. A JSON Web Token (JWT) signed by a key private to the developer is included in the app bundle before its upload to Play Store. This token contains a list of DEX files and native `.so` libraries and their hashes, allowing end-users to verify that the running code was built and signed by the app developer. Code transparency has known limitations, however: not all resources can be verified, and this verification can only be done manually since it's not part of the Android platform itself (so requiring a code transparency file cannot be enforced by the OS right now). Despite its incompleteness, code transparency is still helpful, easy to implement, and thus something we should see more often as time goes by. +> What about other app repositories such as Amazon? + +[To my current knowledge](https://developer.amazon.com/docs/app-submission/understanding-submission.html#code_wrapper), Amazon app repository has always been wrapping APKs with their own code (including their own trackers), and this means they were effectively resigning submitted APKs. If you understood correctly the information above, Google can't do this for apps that haven't opted in Play App Signing. As for apps concerned by Play App Signing, while Google could technically introduce their own code like Amazon, they wouldn't do that without telling about it since this will be easily noticeable by the developer and more globally researchers. They have other means on the Android app development platform to do so. Believing they won't do that based on this principle is not a strong guarantee, however: hence the above paragraph about code transparency for app bundles. 
+ +Huawei AppGallery seems to have a [similar approach](https://developer.huawei.com/consumer/en/doc/distribution/app/20210812) to Google, where submitted apps could be developer-signed, but newer apps will be resigned by Huawei. + ## 2. Slow and irregular updates Since you're adding one more party to the mix, that party is now responsible for delivering proper builds of the app: it's a common thing among traditional Linux distributions and their packaging system. They have to catch up with *upstream* on a regular basis, but very few do it well (Arch Linux comes to my mind). Others, like Debian, prefer making extensive *downstream* changes and delivering security fixes for a subset of vulnerabilities assigned to a CVE (yeah, it's as bad as it sounds, but that's another topic).
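Review bot: the Amazon paragraph rests two claims on one link to the code-wrapper documentation: that Amazon wraps APKs with its own code, and that this code includes "their own trackers". Consider citing a source for the tracker claim specifically, or narrowing the sentence to what the linked page documents, since the paragraph goes on to reason about what Google "could technically" do by analogy with Amazon. In the Huawei paragraph, "newer apps will be resigned by Huawei" leaves "newer" undefined (a submission-date cut-off, a new-app flag, or a target API level); stating the criterion the linked Huawei page gives would make the sentence verifiable. Minor wording: "If you understood correctly the information above" reads better as "If you understood the information above correctly", "haven't opted in Play App Signing" should be "haven't opted into Play App Signing", and "without telling about it" as "without disclosing it".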