Request: Google Play signed download alternative

[countrygeek]

I was about to suggest this before reading the infamous issue 53. It is sad to see that FDroid and WhisperSystems could not work together, I truly enjoy both projects. Needless to say a google alternative is required - google more and more frequently involves itself in privacy violations. I am opening this ticket in hopes that an alternative of some sort is made.

Possibilities:

1. WhisperSystems creates it's own official FDroid repository, as did GuardianProject:
   https://guardianproject.info/2012/03/15/our-new-f-droid-app-repository/

2. WhisperSystems provides an APK somewhere out there for people to download with simple instructions on how to verify it's not been tampered with.

In the event this is not done users not wanting Google will have to compile it from source, which although can be done, is a major inconvenience especially to newbies. Just for reference, there seems to be a large interest in migrating away from google. e,g, the NoGAPPS project:
http://forum.xda-developers.com/showthread.php?s=a7bf27eb98e3bcefb7e58fb46d09710b&t=1715375

I hope you all come up with a resolution. Thanks and keep up the great work! :)

[moxie0]

Hey @countrygeek, let me provide a little color on why I've been reluctant to distribute APKs outside of Google Play.

First, I'm concerned primarily with the security of our users, and am interested in targeting a demographic that does not know what a checksum or signature is. You might call them "newbies," but personally I think we're doing a good job if these are the bulk of our users.

It may be an unpopular opinion, but I think the two worst security moves that an average user can make are rooting their device, or ticking the "allow 3rd party APKs" box in Android's settings. As bad as Google is, I believe that these actions make users susceptible to something that is much worse.

We are reluctant to distribute raw APKs for a few additional reasons:

1. No upgrade channel. Timely and automatic updates are perhaps the most effective security feature we could ask for, and not having them would be a real blow for the project.

2. No app scanning. The nice thing about market is the server-side APK scanning and signature validation they do. If you start distributing APKs around the internet, it's a reversion back to the PC security model and all of the malware problems that came with it.

3. No crash reporting. We are able to react very quickly to crash bugs through exception reports.

4. No stats. We are largely dependent on Play for knowing how many users we have, what types of devices they're running, and what version of Android they have. This allows us to make decisions about where to prioritize development and which platforms we should be supporting.

5. Avoiding Play alone is not a privacy win. Many people seem to be under the impression that avoiding Play prevents their device from phoning home to Google, but that's not the case. On 2.2+, if you have the GSF on your device, it will phone home whether you have a Play account registered or not.

So that's where we are. I believe that the decision not to distribute prebuilt APKs achieves the following balance:

1. It does not encourage the average user to tick "allow 3rd party APKs" in Android settings.

2. It allows "power" users who can appropriately manage the risks to install TextSecure without Play by building from source.

The thesis essentially being, if you aren't able to build TextSecure from source, you probably aren't capable of managing the risks associated with 3rd party sources.

[jamesbeebop]

FWIW I appreciate this posture. The usefulness of this app increases for me every time a friend or family member installs it ... most of whom aren't power users.

[countrygeek]

@moxie0 Thanks for clarifying, it does help me better understand your thoughts on it.

However, I have some possibilities for what you mentioned.

1. No Upgrade Channel. Most Debian-based distros suffer the same, which is why they made PPA's. Further reason to offer a repository of your own which is only available via HTTPS and synced as soon as a build is made. It can be GPG signed for powerusers who are unable to compile the tool everytime a new build is made. This can be due to a number of reasons, slow connections or unreliable and censored connections while trying to download the entire Android SDK.

Don't forget the people in Arab Spring. A quick download of an APK from a trusted party vs. an entire tool-chain when Google Play is blocked is more practical.

2. No App Scanning - Agreed. Although Google does a fairly poor job as well, plenty of active malware is inside the market. The best defense a regular user can do is watch their Permissions and install an Anti-Virus. "Powerusers" could install PermissionBlocking software and firewall their applications, as well as hash check them and check their GPG signatures.

3. No Crash Reporting - I think Mozilla's Fennec project did an excellent job of this -
   https://wiki.mozilla.org/Mobile/Fennec
   They use their own crash reporter which doesn't require Google to function.

4. Stats - understandable, but I think users would prefer to opt-in to sharing statistical information. e.g. Cynanogen Mod asks if this "OK" before sharing. Google only asks if it's OK to share a crash report, the rest is fair game.

5. Definitely Agree, Google controls many facets of the phone - Oh and let's not forget CarrierIQ. That's why NoGAPPS and Replicant Project is definitely something to watch long-term.
   http://replicant.us

I believe, as rightly communicated in your other tool, Convergence.io - there must also be decentralization in layers of security. If Google has complete central control, and if they ever become compromised the entire network and users are then compromised; additionally, if it fails or is blocked it becomes impossible to access. That's why there needs to be fallback nodes/mirrors whatever you want to call them.

Outside the scope of this project, I think there should be a repository which is peer-reviewed for security, as well having an established WebOfTrust, perhaps P2P based, that doesn't require users to uncheck "3rd party apps" and is open-source.

FDroid for example (as soon as more security measures are in place) could become the official repository on Replicant devices. Then users would not have to uncheck 3rd party apps. That's when tools like this should be included in the repository and updated regularly, as well as being system apps in ROMs. It would also need to regularly pull commits and updates like Arch so there was no delay that puts users at risk.
But that's for hopeful dreaming - until then we have we have.

[moxie0]

1. No Upgrade Channel. Most Debian-based distros suffer the same, which is why they made PPA's. Further
   reason to offer a repository of your own which is only available via HTTPS and synced as soon as a build is
   made. It can be GPG signed for powerusers who are unable to compile the tool everytime a new build is made.
   This can be due to a number of reasons, slow connections or unreliable and censored connections while trying to
   download the entire Android SDK.

Generally speaking, comparisons to the PC world are not going to resonate with me. The security model for desktops (unix-based and windows-based) is completely broken, and I think the mobile environment should be a chance to rectify our past sins, not copy them.

The current situation is that it's not (rightly!) possible for a 3rd party app to automatically install an APK. This fundamentally prevents auto-updates from being a reality outside of Play.

Don't forget the people in Arab Spring. A quick download of an APK from a trusted party vs. an entire tool-chain
when Google Play is blocked is more practical.

Unfortunately, circumvention problems extend beyond the download. RedPhone depends on GCM, and soon TextSecure likely will as well. My sense is that other projects are better positioned to deal with circumvention in the general case.

2. No App Scanning - Agreed. Although Google does a fairly poor job as well, plenty of active malware is inside
   the market. The best defense a regular user can do is watch their Permissions and install an Anti-Virus.
   "Powerusers" could install PermissionBlocking software and firewall their applications, as well as hash check
   them and check their GPG signatures.

Actually, the malware incidence inside of the Play Store is exceptionally low. Compare it to desktop malware, and it's nonexistent. The bulk of mobile malware (drudged up by AV companies to justify their existence) has been in 3rd party app stores and random drive-by downloads. And the problem with depending on mobile AV is that mobile AV is a complete joke, even more so than desktop AV. These apps have no system integration, so they literally can't do anything other than look at a 3rd party APK at install time. It's quite easy to evade any signature detection and then simply disable the AV app. This is already happening.

Again, I feel like we should be desperately trying to avoid what we inherited with the desktop paradigm, rather than reproducing it.

3. No Crash Reporting - I think Mozilla's Fennec project did an excellent job of this -
   https://wiki.mozilla.org/Mobile/Fennec
   They use their own crash reporter which doesn't require Google to function.

A good crash reporting solution is essentially a product in itself. There are entire companies built around mobile crash reporting, but as far as I've seen, none of them are as good as the default Play reporting. To ask that I develop and maintain my own is a big ask. I can't emphasize how important this is to the project.

4. Stats - understandable, but I think users would prefer to opt-in to sharing statistical information. e.g.
   Cynanogen Mod asks if this "OK" before sharing. Google only asks if it's OK to share a crash report, the rest is
   fair game.

Build me a high quality stats reporting solution with a nice web interface that displays graphs and trends of time. Then manage the server side hosting for me, and I'll use it. =)

I believe, as rightly communicated in your other tool, Convergence.io - there must also be decentralization in
layers of security. If Google has complete central control, and if they ever become compromised the entire
network and users are then compromised; additionally, if it fails or is blocked it becomes impossible to access.
That's why there needs to be fallback nodes/mirrors whatever you want to call them.

This is actually how the Play Store works right now. Google does not have complete control over all updates: I sign all APKs with my own code signing key that is kept offline. These signatures are enforced by the PackageManagerService on each user's device, not by the Play Store itself. The mechanics are very similar to TACK (http://tack.io), which is what we're currently advocating for the TLS world.

This is in huge contrast to how the bulk of apps on fdroid are distributed. Most are not signed by the developers, but by fdroid itself, with keys that they keep online. I believe this is a dangerous situation, and is one of the primary reasons (along with having to enable 3rd party sources) that I don't recommend using fdroid.

[Argafal]

I am happy to see this issue discussed here and i would like to add another user requesting this app to be available from outside Google Play. I do not use Google Play since I do not wish to bundle my phone with a Google account. I do see your reasoning in why you are reluctant to support anything else, but I think you should reconsider this, at least for alternatives that actually care about security and open source software. I fully agree that decentralization is a vital requirement for secure designs and that monopolies should be avoided. History shows many examples.

For my daily use I use fdroid exclusively, since I see the need for a trustworthy source of applications and an update mechanism. Fdroid provides this for me at the level that I require. Yes, some details could be improved (such as statistics), but I think it's very much a step in the right direction. I do believe the fdroid folks are in general very open to suggestions.

I very much wish I could get the most recent TextSecure through fdroid as well rather than having the choice between running a version older than Methusalem or building from source. Avoiding the former should be in your very own interest as the author of the app. The latter requires me to constantly monitor for updates and bugs and is manual work which I wish I could avoid. Since most of my friends and family use cyanogenmod and fdroid as well I am very reluctant to suggest them to upgrade to TextSecure, since that would put me in the apk maintainer position.

For these reason I would greatly appreciate to see TextSecure back in fdroid, and I would very much hope you reconsider your position on this.

[mvdan]

@moxie0 Might I give my five cents here?

I've gone through all the discussions on this, and this is my overall conclusion: Your concern here seems to be the safety of your users. You don't want them ignoring the availability of newer versions, or downloading APK's from sources that don't provide you with use/device statistics. Is that correct?

Now, here's my point of view - What about the users who do not want to use Google Play and do not want to follow your advice? Surely you can consider that as harmful to them - but that's their problem, not yours. And the amount of people who use F-Droid is in no way comparable to the amount of people who use Google Play.

Moreover, I would certainly not think that by keeping F-Droid from packaging your software you are getting more installs on Google Play. Most of the people who use it would never consider using Google, thus you're just making life harder for these people. Nor are you winning anything by that prohibition.

Please do tell me if I understood anything the wrong way. I just started packaging for F-Droid as a hobby, and I'd like to package your software in the following days. Hopefully there won't be a problem with that.

[Argafal]

mvdan, thanks for adding this. Indeed I would never consider using Google Play, that was the point I was trying to make. I build it myself until I find an alternative way of getting the app in a recent version. Unfortunately my grandma can't do that (building it herself) so she can't use it. ;)

[dalb8]

If the app uses GCM will it be usable without Google Play?

F-Droid admin does not keep the keystore online: how could one come to that conclusion?

He signs the apks, thus we know if updates are also signed by him; I don't see why this fact should upset the whole idea of sharing software as set out in the GNU GPL.

[moxie0]

@Argafal

I am happy to see this issue discussed here and i would like to add another user requesting this app to be
available from outside Google Play. I do not use Google Play since I do not wish to bundle my phone with a
Google account. I do see your reasoning in why you are reluctant to support anything else, but I think you should
reconsider this, at least for alternatives that actually care about security and open source software. I fully agree
that decentralization is a vital requirement for secure designs and that monopolies should be avoided. History
shows many examples.

But I'm reluctant to distribute APKs outside of the Play Store precisely because I care about the security of TextSecure users.

Additionally, many folks seem to think that not adding a Google account to their device is a privacy win, when that's rarely the case. If your device has GSF installed, the privacy implications are the same whether you have a Google account associated or not.

For my daily use I use fdroid exclusively, since I see the need for a trustworthy source of applications and an
update mechanism. Fdroid provides this for me at the level that I require. Yes, some details could be improved
(such as statistics), but I think it's very much a step in the right direction. I do believe the fdroid folks are in
general very open to suggestions.

It's not just statistics. The problem is the security model. The bulk of applications distributed through fdroid are signed by keys that belong to the fdroid maintainers, and which are kept online. This means that the fdroid maintainers themselves, or any attackers who compromise fdroid, are capable of pushing malware to your device.

This is a huge contrast to Google Play, where every app is signed by keys that belong to the app's developers. Google, or attackers who compromise Google, are not capable of pushing rogue updates.

I very much wish I could get the most recent TextSecure through fdroid as well rather than having the choice
between running a version older than Methusalem or building from source. Avoiding the former should be in your
very own interest as the author of the app. The latter requires me to constantly monitor for updates and bugs and
is manual work which I wish I could avoid. Since most of my friends and family use cyanogenmod and fdroid as
well I am very reluctant to suggest them to upgrade to TextSecure, since that would put me in the apk maintainer
position.

Again, I know that this is probably an unpopular opinion, but if you've set your "less technical" friends and family up with cyanogenmod and fdroid, I believe that you've very seriously compromised their security. Both cyanogen and fdroid seriously compromise the security gains that we've made in the mobile environment and are a reversion back to the desktop security model:

1. Cyanogen runs things as root, completely circumventing the development of a fine grained permissions system. They've also made a number of tradeoffs that further weaken its security.

2. In order for your friends to run fdroid, they've had to tick "allow 3rd party sources," which is probably the single most effective malware prevention mechanism for less savvy users.

It's exactly this (setting less technical users up with things like fdroid) that I am afraid of.

For you, compiling and installing from source once a week is literally three commands: git pull && ant release && adb install -r bin/TextSecure-release.apk. For your friends who are not technically capable of doing this, I believe that this means they aren't savvy enough to tick "allow 3rd party sources" responsibly.

I totally agree that 3rd party app store alternatives seem cool, but until they're done securely and correctly, I'd prefer not to participate.

[moxie0]

@mvdan

Now, here's my point of view - What about the users who do not want to use Google Play and do not want to
follow your advice? Surely you can consider that as harmful to them - but that's their problem, not yours. And the
amount of people who use F-Droid is in no way comparable to the amount of people who use Google Play.

Moreover, I would certainly not think that by keeping F-Droid from packaging your software you are getting more
installs on Google Play. Most of the people who use it would never consider using Google, thus you're just
making life harder for these people. Nor are you winning anything by that prohibition.

I can't willingly participate in something that I believe is a bad idea. I can't sign and distribute packages through fdroid, because I believe that fdroid is harmful, and I don't want to endorse harmful activity.

I understand that many of the people commenting here probably understand how insecure fdroid is, but value a full OSS stack more than the security of their device. That's fine, but I think anyone that completely understands the risks is also completely capable of building TextSecure from source themselves. It's the people that don't understand the risks that I'm worried about.

Please do tell me if I understood anything the wrong way. I just started packaging for F-Droid as a hobby, and I'd
like to package your software in the following days. Hopefully there won't be a problem with that.

It's my preference that you don't. I spend a lot of time on this project, and I'm certain that having APKs floating around which are signed by someone else will inevitably cause problems for me in the future.

I realize that everyone here likely has their own projects that they spend their time on, but before jumping straight to the high-level decisions for the direction of this project, I would recommend that people who are interested in this project's direction start by committing a little bit of code here first, in order to get a feeling for this codebase and its challenges.

[mvdan]

@moxie0

You're not being asked to participate in F-Droid, nor are you needed to sign or distribute any packages for it.

And, as much as security seems to be quite subjective, I would not say F-Droid is insecure. Like @dalb8 stated, no keys are online, and the default downloads are through SSL. I see no big insecurity here. Even if there was, that's the risk the user is willing to take once he installs F-Droid and accepts the terms of service. Much like with CM - we are not bringing malware to the masses.

I see it is your preference that we don't package it. But I don't understand the reason. We can always add something like the following to the description:

Please make sure that you're running the latest upstream version before submitting any bug reports.

Would that suffice? It has been said before that you "forbid" us from packaging it, but that's not what I understood. You'd rather not have people install it from non-Google sources, but we can still package it as-is without a problem.

[moxie0]

It's my preference that you don't. I would also reiterate that it might behoove you to commit even a single line of code before you jump straight to signing your own releases. =)

[mvdan]

It's my preference that you don't. I would also reiterate that it might behoove you to commit even a single line of code before you jump straight to signing your own releases. =)

Although you might be right, I have never done any serious Java. Still getting started with C++. Perhaps someone else would be of some use to you. But so far all I've been doing is packaging.

[moxie0]

The only secret is to begin. Pick one of the open issues, start working on it, and you'll figure it out as you go.

[tedks]

@moxie0 -- As one of the former users of TextSecure via fdroid, and someone who values libre software and security, I'd like to say that I appreciate your points, and feel pretty good about my decision to keep using TextSecure as deployed by the Play store.

However, I'd still prefer to use fdroid for as many apps as I can, and I'd also like to have some sense of security when using it.

As a compromise, do you think you could outline, either on fdroid's bug tracker or here, exactly what would need to be fixed in fdroid before you'd consider allowing TextSecure on it? Then, the people who want TextSecure in fdroid can fix those bugs, or work towards fixing them. Either way, everyone benefits: you get a definitive end to these issues, and fdroid gets more secure.

As an FSF member, free software advocate, fdroid user, etc., I hope that if Moxie does this, it ends this discussion until those bugs are resolved. Moxie is the maintainer of a free software package; he's under no obligation to do even more work than he already has for our benefit; forcing him to repeat himself on bug reports like these is to no one's benefit.

(At least one of the things mentioned in this thread is not necessarily an issue: there are some packages in fdroid that have packages signed by the maintainers, including the Firefox build, I believe.)