Tomáš Pospíšek's Notizblock

Trusting APKs from third party mirrors

Intro, rationale

Let's suppose you need a smartphone but do not want Google monitoring, 24/7/365, every breath you take, every move you make and every step you take.

What are your options? You can buy an iPhone and instead let Apple monitor every breath you take...

Or you get an Android phone with a free operating system, such as one running LineageOS or /e/, among others.

So far so good: you've cut loose from this chain of surveillance capitalism and are able to use your phone and communicate like a free human being.

Now you want to use some service or app and find out that Google has managed to lock all Android applications up in its panem et circenses walled garden, the key to which will be given to you only if you reconnect your spinal data cord to Google:

( [local copy of image in case it gets lost in the internets](/bits/Ghostintheshellposter.jpg) )

You'd think that all the companies publishing their apps inside that walled garden would stop for a moment and think before bowing down before their new master, but it seems no, the sweet taste of reach lets them forget about the strategic importance of autonomy.

Or you'd think that the institutionalized will of the peoples would be keeping an eye on our digital sovereignty...

Oh well.

Aware of the inherent tension between freedom and control, you flex your warez-search-fu and discover that there are indeed many sites that mirror Android apps (which in their installable file form are called APKs, Android Packages), such as apkpure, apkmirror and others. Those sites do have a Pirate Bay-like feeling to them, which makes you wonder whether the APKs you'd download from such mirrors, e.g. your banking app, really are "OK".

In other words: how do I trust APKs from mirrors?

Looking at the APK trust chain

We can say the following about an app that's available from Google Play:

In contrast: what do you know about an APK published on a mirror?

I'll concentrate on the last question: why would you trust the APK's signature?

Anybody can sign an APK. You can verify that a signature matches the APK with a variety of tools (apksigner from the Android SDK, for example). That tells you that whoever holds the private key belonging to the certificate embedded in the APK signed it, and nothing more. That much rests on the cryptography, which is standard public-key crypto with X.509 certificates, and that part is fine by me.

Can you trust the public key? Anybody can create a key pair and a certificate with any name they like in it. This is the critical link of the trust chain.

So, given that you can extract the signing certificate from an APK, say:

Issuer: Common Name: android.postfinance.ch, Organizational Unit: PostFinance, Organization: Post, Locality: Bern, State/Province: Bern, Country: CH
Fingerprint: b45d8bfc84bef9456d13c790591e6f72bcf92ab3

(that's the SHA-1 fingerprint of the signing certificate, which is what tools and mirrors display as the app's "signature"; since APK signing certificates are normally self-signed, the Issuer shown above is simply whatever the key's creator typed in)

What do you know about this key? You can search the web for the fingerprint. As a rule the authors of APKs, here Swiss Post, do not publish their signing certificates or fingerprints anywhere. So it's impossible to know whether the APK has really been signed by Swiss Post or by some entity that Google happened to accept for a developer account. If you search the net for the fingerprint, you basically end up back where you started: at the APK mirrors.
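The extraction step described above, as an added example that is not part of the original post and not the author's code: pull the signing certificate out of an APK's v1 (JAR-style) signature, compute the fingerprint that mirrors display, and compare it with a value pinned from an independent source. It uses only Python's standard library and runs against a constructed sample APK (a zip holding a minimal PKCS#7 SignedData around a dummy certificate); a real APK can be passed as the first argument. The name in the sample certificate and the pinned fingerprints are assumptions for illustration.

```python
"""Extract the v1 signing certificate from an APK and check its fingerprint.

Added example, not the post author's code. Limits: it reads the certificate
from the v1 signature only (APKs signed solely with scheme v2/v3 keep it in
the APK Signing Block instead) and does not verify the signature over the APK
contents; use `apksigner verify --print-certs` for that. What it shows is how
the fingerprint that mirrors and Exodus-Privacy display is derived, and why
the subject name inside the certificate proves nothing: anyone can put any
name there.
"""
import hashlib
import hmac
import io
import sys
import zipfile

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def der(tag, payload):
    """Encode one DER TLV (single-byte tag, short or long definite length)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        l = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(l)]) + l
    return bytes([tag]) + length + payload


def der_walk(buf):
    """Yield (tag, value) for each top-level TLV in buf."""
    i = 0
    while i < len(buf):
        tag, first = buf[i], buf[i + 1]
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tags not expected in PKCS#7 SignedData")
        i += 2
        if first & 0x80:                          # long-form length
            nbytes = first & 0x7F
            length = int.from_bytes(buf[i:i + nbytes], "big")
            i += nbytes
        else:
            length = first
        yield tag, buf[i:i + length]
        i += length


def certs_from_pkcs7(blob):
    """Return the DER certificates embedded in a PKCS#7 SignedData ContentInfo."""
    (tag, content_info), = der_walk(blob)
    if tag != 0x30:
        raise ValueError("not a ContentInfo SEQUENCE")
    fields = list(der_walk(content_info))
    if fields[0] != (0x06, OID_SIGNED_DATA):
        raise ValueError("ContentInfo is not signedData")
    (_, signed_data), = der_walk(fields[1][1])    # content [0] EXPLICIT SignedData
    certs = []
    for tag, value in der_walk(signed_data):
        if tag == 0xA0:                           # certificates [0] IMPLICIT SET OF
            certs += [der(0x30, c) for t, c in der_walk(value) if t == 0x30]
    return certs


def signing_certs_from_apk(apk_bytes):
    """Collect signer certificates from every v1 signature block in the APK."""
    certs = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                certs += certs_from_pkcs7(z.read(name))
    return certs


def fingerprint(cert_der, algo="sha1"):
    """Hex digest over the whole DER certificate: the 'signature' mirrors show."""
    return hashlib.new(algo, cert_der).hexdigest()


def matches_pinned(cert_der, pinned_hex, algo="sha1"):
    """Compare against a fingerprint obtained from a source independent of the mirror."""
    pinned = pinned_hex.replace(":", "").lower()
    return hmac.compare_digest(fingerprint(cert_der, algo), pinned)


# Constructed test input: a dummy SEQUENCE standing in for a certificate. A real
# X.509 certificate with this very subject can be generated by anyone in seconds,
# which is why only the fingerprint, never the name, is worth comparing.
SAMPLE_CERT = der(0x30, der(0x0C, b"CN=android.postfinance.ch, O=Post (constructed sample)"))


def build_sample_apk(cert_der):
    """Constructed minimal APK: a zip with a SignedData carrying cert_der (no real signature)."""
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"")
                      + der(0x30, der(0x06, OID_DATA)) + der(0xA0, cert_der) + der(0x31, b""))
    pkcs7 = der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()


if __name__ == "__main__":
    apk = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk(SAMPLE_CERT)
    for cert in signing_certs_from_apk(apk):
        print("SHA-1  :", fingerprint(cert))
        print("SHA-256:", fingerprint(cert, "sha256"))
```

Run it with a downloaded APK as the argument and compare the printed SHA-1 with the value a site like Exodus-Privacy shows for the same package; `matches_pinned` does that comparison in constant time and accepts the colon-separated form many tools print. A match only proves the mirror's file carries the same certificate as the one the independent source saw, which is the plausibility argument of this post, not proof of who owns the key.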

If Google published the APK signing certificates of Play developers somewhere, that would make it possible to verify them externally, but it seems Google is not publishing them. (With Play App Signing, which Google has offered since 2017, the key that signs the APK you actually receive is held by Google rather than by the developer, which makes the fingerprint even less of a statement about the author.)

With respect to Google Play this means that the only trust relation regarding apps is between you and Google, not between you and the APK's author. In my opinion this reflects a critically and fundamentally broken trust chain, and a system where the participants, apart from Google, have no idea what they are getting into.

If the regulator were to do something about the monopoly situation around Google Play, then forcing Google to publish developer keys, with no prerequisites for those who want to check them, would be essential.

Now back to our quest to verify an APK. Given the above, how can you trust that the signer of an APK really is who the certificate says, or at least that the APK is the one distributed through Google Play (so that at least Google's quality requirements apply)? As we saw, the authors generally do not publish their keys, so we cannot confirm it is them. Can we verify that the APK came from Google? Not directly; we can only try to establish plausibility:

We can check sites that (we hope) are unrelated to the APK mirrors and that (we hope) get their APKs directly from Google. An example is https://exodus-privacy.eu.org, whose goal is to check APKs for trackers. Exodus-Privacy lists several PostFinance APKs whose signing certificate fingerprint matches the one shown above.

So now: good luck, and let's hope our hopes hold :-(

If anybody has more information on this issue or can verify or refute any of my claims above then please, please, please let me know, I'm very interested in this!!!!

Post-Scriptum / Update on 2021-05-16

I did look into where Exodus-Privacy are getting their APKs from. Luckily, that organisation being an open source one, which inspires trust, we can look into the code that their web site (supposedly) runs, and we can find the code that downloads the APKs that they audit, and we see that they actually do log into Google Play and get their APKs there. So if we look at the authors' APK signatures that Exodus-Privacy publishes, the linked code gives us more plausibility that we are looking at the same public keys that Google knows via their Android developer accounts.

Tomáš Pospíšek, 2021-05-16
