Mark Murphy:
On Wed, Jun 30, 2021, at 12:55, Nathan of Guardian wrote:
> Thanks for the always thorough and thoughtful updates and analysis, Mark.

Happy to help, and thanks for the kind words!

> Wouldn't it be possible to build a library that we include in our apps
> that inspects the APK files at runtime on a device, and looks for the
> transparency files in the APK, and even checks the hashes. This could be
> done as a "App Integrity Check" on first run.

The app packager (Google, Amazon) could remove the code that does that check, 
or at least nerf it. For example, replace:

if (isMyAppOK()) {
   proceed()
} else {
   abandonShip()
}

with:

if (true) {
   proceed()
} else {
   abandonShip()
}

The premise here is that because they have app signing authority, then they 
have the technical capability to modify anything that they want in the App 
Bundle (APK for Amazon). You start to get into the same sort of arms race that 
developers fight and lose with those who try to reverse-engineer apps.

The combination of your proposed library and a robust obfuscation system might 
help prevent bulk modification of apps. That starts to impose other limits 
(e.g., can't use Crashlytics for bug reporting, because then you're uploading 
the de-obfuscation maps to Google). It also won't block a determined attacker 
who is going after a few specific apps (e.g., intelligence agency of a country 
that strong-arms Google into distributing tampered apps).

I think that the library that you propose will almost "fall out of" work to 
create a library for checking the integrity of other apps. Having it probably won't hurt.
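A stand-alone model of the check Nathan proposes and of the defeat Mark describes, added here as an illustration. It is not code from the thread and not the real Play code-transparency format: the transparency entry name, the JSON layout, the pinned-constant scheme and the sample "APK" contents are constructed assumptions. It shows that a hash listing inside the APK catches a tampered entry and a regenerated listing, but not a packager who can also patch the constant (or the if-statement) in the code that does the checking.

```python
"""Model of a self-contained "App Integrity Check" and of why a party that can
re-sign the APK can defeat it. Added example, not code from the thread; the
entry name and JSON layout are assumptions, not the Play transparency format."""
import hashlib
import io
import json
import zipfile

TRANSPARENCY_PATH = "META-INF/code_transparency.json"  # hypothetical entry name


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_transparency(entries: dict) -> bytes:
    """Developer side: list the SHA-256 of every code/resource entry."""
    listing = {"files": {name: sha256_hex(data) for name, data in sorted(entries.items())}}
    return json.dumps(listing, sort_keys=True).encode()


def build_apk(entries: dict, listing: bytes = None) -> bytes:
    """Build a zip that stands in for an APK, with the transparency file inside.
    `listing` lets a caller ship a listing that does not match the entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        zf.writestr(TRANSPARENCY_PATH, listing if listing is not None else make_transparency(entries))
    return buf.getvalue()


def check_integrity(apk: bytes, pinned_hash: str):
    """Runtime side: open our own APK, verify the transparency file against a
    hash constant compiled into the app, then verify every entry against it."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        names = set(zf.namelist())
        if TRANSPARENCY_PATH not in names:
            return False, "transparency file missing"
        transparency = zf.read(TRANSPARENCY_PATH)
        if sha256_hex(transparency) != pinned_hash:
            return False, "transparency file does not match pinned hash"
        listed = json.loads(transparency)["files"]
        names.discard(TRANSPARENCY_PATH)
        if names != set(listed):  # added or removed entries
            return False, "entry set differs from listing"
        for name, expected in listed.items():
            if sha256_hex(zf.read(name)) != expected:
                return False, f"hash mismatch: {name}"
    return True, "ok"


def demo() -> dict:
    """Run the four scenarios from the discussion on a constructed sample app."""
    genuine = {
        "classes.dex": b"dex\n035\x00genuine code",
        "res/raw/config.txt": b"endpoint=https://example.invalid\n",
    }
    pinned = sha256_hex(make_transparency(genuine))  # the constant baked into the app
    results = {"genuine": check_integrity(build_apk(genuine), pinned)[0]}

    # 1. Packager swaps one entry but leaves the original listing in place.
    tampered = {**genuine, "classes.dex": b"dex\n035\x00backdoored"}
    results["tampered_entry"] = check_integrity(
        build_apk(tampered, make_transparency(genuine)), pinned)[0]

    # 2. Packager regenerates the listing too; the pinned constant still catches it.
    results["regenerated_listing"] = check_integrity(build_apk(tampered), pinned)[0]

    # 3. Packager also controls the code, so it patches the pinned constant
    #    (the same as rewriting the if-statement); nothing in the APK notices.
    patched_constant = sha256_hex(make_transparency(tampered))
    results["patched_constant"] = check_integrity(build_apk(tampered), patched_constant)[0]
    return results
```

Scenario 3 is the whole argument in miniature: whoever holds signing authority over the package holds authority over the checker too, so the check only raises the cost of bulk, automated modification, and obfuscation only raises it further.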

Thanks Mark for championing this cause! It's funny to see after years of F-Droid getting criticized for having this model, now Google is forcing it. And F-Droid now supports the reproducible builds requirement for any APK signature type. I think the signature copying is starting to work well enough that we could start doing reproducible builds even when the upstream developer isn't trying to.

.hc


--
PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
_______________________________________________
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To unsubscribe, email:  guardian-dev-unsubscr...@lists.mayfirst.org