Ship database of app id signing key pins to bootstrap app trust #989

flawedworld opened this issue Feb 16, 2022 · 4 comments
Labels
enhancement New feature or request

Comments

@flawedworld
Member

No description provided.

flawedworld added the enhancement label Feb 16, 2022
@flawedworld
Member Author

We should try to automate doing this for the top apps on the play store.

@life00

life00 commented Nov 7, 2023

I just randomly thought of this idea and was told that it is already planned. It definitely would be really handy because currently I do manual hash verification. I want to briefly comment on it.

I guess the implementation of an app itself should not be very difficult. Have a signed (by a dev) database with package names and their possible trusted signatures from various sources (e.g. play store and github releases).
Any app installed will be checked (assuming this will be implemented on the system level). If the package name exists in the database and matches the signature then everything is fine. If it does not match any of the listed hashes then warn the user. If there is no such package name then also slightly warn the user. If the app has an f-droid (or similar) signature then also warn the user.

The actual difficulty will likely be to get all of those package names and corresponding hashes of signatures. I don't think scraping data directly from sources is an ideal option. I thought maybe implement some platform where the community may contribute and add hashes (github can already be used I guess)? However, it should definitely be cross-verified by trusted users to prevent any poisoning of the database.

I also think that the action of the app should be limited to only warning the user because there could be false positives if, for example, a developer changed their signing keys for some reason. In such a situation this should simply be reported by the user, the request will be verified, and the database will be updated.

I would suggest creating a github repo with the database in some format and allowing the community to contribute, and also assigning a few trusted members of the community to verify the hashes. I believe this would be the cleanest solution.
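The check described in the comment above, written out as an added example (not code from GrapheneOS or from the commenter): a pin is the SHA-256 of an app's DER signing certificate, the database maps package names to the pins observed at each source, and an installed app's signers are classified as trusted, mismatching, unknown, or signed by a known rebuild key. The database contents, certificate bytes and package names are constructed placeholders.

```python
import hashlib
from enum import Enum

class Verdict(Enum):
    TRUSTED = "signing key matches a pinned key"
    MISMATCH = "signing key matches none of the pinned keys (warn)"
    UNKNOWN_PACKAGE = "package not in the database (mild warning)"
    REBUILD_SIGNER = "signed by a known third-party rebuild key, e.g. F-Droid's (warn)"

def cert_pin(cert_der: bytes) -> str:
    """Pin = SHA-256 of the DER-encoded signing certificate, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()

# Constructed stand-ins for DER certificates. Real pins would be computed from
# the signing certificates of the APK published at each source.
PLAY_CERT = b"constructed-play-store-cert-for-org.example.app"
GITHUB_CERT = b"constructed-github-release-cert-for-org.example.app"
FDROID_CERT = b"constructed-fdroid-rebuild-cert"
ROGUE_CERT = b"constructed-unrelated-cert"

# Constructed database in the shape the thread proposes: package name ->
# list of trusted pins, each annotated with the source it was observed at.
PIN_DB = {
    "org.example.app": [
        {"pin": cert_pin(PLAY_CERT), "source": "play store"},
        {"pin": cert_pin(GITHUB_CERT), "source": "github releases"},
    ],
}
# Pins of well-known third-party rebuild signers, kept apart from per-app pins.
REBUILD_SIGNER_PINS = {cert_pin(FDROID_CERT)}

def check_package(db: dict, package: str, signer_certs: list[bytes]) -> Verdict:
    """Classify an installed app by comparing its signer pins with the database.

    Only a verdict is returned: as the thread argues, the action should be a
    warning rather than a block, because a legitimate key rotation by the
    developer looks exactly like a mismatch until the database is updated.
    """
    pins = {cert_pin(c) for c in signer_certs}
    if pins & REBUILD_SIGNER_PINS:
        return Verdict.REBUILD_SIGNER
    entry = db.get(package)
    if entry is None:
        return Verdict.UNKNOWN_PACKAGE
    trusted = {e["pin"] for e in entry}
    # Every signer on the APK must be pinned; one extra unknown signer is a mismatch.
    return Verdict.TRUSTED if pins and pins <= trusted else Verdict.MISMATCH
```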

@life00

life00 commented Nov 7, 2023

With some additional thoughts I would like to add something. A major concern you might have is that it might not be very efficient, which it definitely won't be at the beginning, because currently the only way to find those hashes is through special application analyzers like LibChecker, but that will be nowhere near optimal for the thousands of apps that need to be verified.

A more automated approach would be to have a miscellaneous user app that will export all the package names and their hashes in an appropriate format that will be later submitted and verified by a trusted contributor. The trusted contributor will have to remove all of the existing hashes and verify the new hashes manually using a similar method. This will require creating multiple miscellaneous apps and scripts which may become complicated very fast.

My suggestion is to not get into automation too much because it might be too demanding. Instead, publish a beta version of the application (not included in the stable release) and some users may start using it. Whenever an application is installed (and it isn't in the database), a warning will appear that asks the user to contribute and share the hash. Slowly but surely the database will grow and become more usable. At some point the database will be big enough to have most of the apps users use, so there will be significantly fewer contributions.

Also, do not strictly focus on trustworthiness when recruiting "trusted contributors". I think that any active community member or future frequent contributor of hashes may become one. It is important because there will likely be a lot of hashes to verify, while it won't be optimal for the main developers to spend time verifying hashes. It should not be a severe concern because a malicious contribution may be more or less easily detected when the hash does not match and a new user reports this issue.

@w9925

w9925 commented Jan 4, 2024

That would be a very useful feature!
