 You're trusting the release key the first time you install an apk.
If a malicious app is published to GH releases, users who try to update are protected due to the signature mismatch, but first-time installers would get rekt.
 A developer has no more or less control over their GitHub account than they have over their Google Play or F-Droid account; not sure what you expect Google Play or F-Droid to verify there.
 They are curated databases of trusted keys.
If you have 60 apps installed, you don't have to trust that 60 different devs have proper opsec on their GitHub accounts.

Instead you can delegate trust to a handful of parties that aggregated trusted keys. 
 I can obtain @Vitor Pamplona's Google Play credentials and submit a fake APK for Amethyst just as easily as I can obtain his GitHub credentials and put the APK there.

This is getting nowhere. 
 You can't submit an apk to Google Play with a different signature (without opening a ticket and asking for manual intervention).

Developer keys are decoupled from GitHub and Google Play accounts. Even if those online accounts get compromised, it's up to those original keys to assure authenticity.
 Yes, the developer key is subject to the same opsec as the Google Play or GitHub credentials.
 Dunno how Vitor handles this but I stick everything into my password manager. 
 Of course, if all eggs are in the same basket and all accounts and keys are compromised, nothing can be done, but you're just gaslighting me with the worst possible scenario.

Even in that case, third-party curation is at least marginally better, since another set of eyes has to vet each release. Yes, it's certainly less censorship resistant, but a tradeoff is a tradeoff.
 Makes sense, but I am not sure if the trade-off is that much. In the Play Store, you have to TRUST Google to not fuck around with first-time installs. There is no first-install check in the Play Store either for those attack vectors.
 Have you heard of https://github.com/soupslurpr/AppVerifier ?
It's at least an attempt to have a sort of community-run, trusted, attested developer keyring. Obtainium was considering some kind of integration.
 Like I said, trusting Google/F-Droid to attest first-time installs is arguably better (security-wise) than expecting common users to attest each app vendor individually.
 Also, irrespective of the technical and opsec aspects, in our circles of sovereign computing we'd sooner trust 60 devs than trust 1 Google Play.
 Me too, but that was not my point.