Discussion:
[whispersystems] How to verify APK at Google Play is built from the claimed source?
Jaakko Luttinen
2016-02-09 08:03:12 UTC
Hi!

I searched for the answer but couldn't find it so I thought I'd ask
here. Probably this has been answered somewhere already, though.

Is it possible to verify that the APK distributed at Google Play has
been built from the exact source code in the GitHub repository? I
suppose this would require that the source code can be compiled in a
reproducible way.

Thanks for any help!

Best regards,
Jaakko Luttinen
Jaakko Luttinen
2016-02-09 08:26:55 UTC
Thanks for the reply!
normally you cannot check this
you have to trust the developer for this.
I don't think this is enough. For a secure app, it should be possible to
verify that the distributed APK is built from the source. Trusting the
developer creates a quite weak link in the "security chain".

Also, if it isn't possible to verify that the APK is built from the
claimed source, then developers shouldn't say that we can trust their
APK because we can see the source code. Nope, we can trust their APK
only if we trust the developers themselves.
that is why we are some compiling by ourself the apks
I don't think this really solves the issue either. If the majority of
users install from Google Play and I happen to send messages to those
people, all that communication is at risk. So I should make sure that
not only me but also all the people I send messages to, build from the
source. All those people would need to know how to build APKs and they'd
lose all the benefits like automatic updates etc.
maybe you can also check what is on fdroid project
it gives more information about the used source
I'm not sure how F-Droid is related to this question, because F-Droid
doesn't distribute Signal (because that's the wish of the Signal
developers).

Best regards,
Jaakko Luttinen
#359
2016-02-09 08:45:11 UTC
even if there is a way to decide whether Signal on Google Play is really
built from source or not, to know that for sure every single user would
need to check it for themselves. which, of course, is not going to
happen.

so, at the end of the day, it's still a matter of trust. and for most of
the users that's enough. conspiracy theorists and people with special
threat models would of course need to compile apks themselves.
--
- jure
Sam Lanning
2016-02-09 08:59:03 UTC
Post by #359
even if there is a way to decide whether Signal on Google Play is really
built from source or not, to know that for sure every single user would
need to check it for themselves. which, of course, is not going to
happen.
Exactly,

Even if someone were to check the APK that they received from the Play
Store and were to verify it, that doesn't prove that other people are
receiving the same APK from the Play Store, all it proves is that at
least one version that the play store distributes is verifiable. You
then also need to trust Google that it will only ever distribute the
APKs that the developers upload. There is no way to assert this.
Post by #359
so, at the end of the day, it's still a matter of trust. and for most of
the users that's enough. conspiracy theorists and people with special
threat models would of course need to compile apks themselves.
Sam
Johan Wevers
2016-02-09 10:09:42 UTC
Post by Sam Lanning
then also need to trust Google that it will only ever distribute the
APKs that the developers upload. There is no way to assert this.
Unless Google has a hidden way to automatically disable signature
verification when installing an app, this can not happen. There are ways
to disable this verification but it requires root and tools one does not
install by accident. And it most probably would not go unnoticed for a
long time.

BTW, distributing backdoored apps via Google Play and Apple's appstore
for targeted users has been discussed by the usual 3-letter agencies.
And AFAIK it was publicly announced they abandoned the idea.
--
Met vriendelijke groet,

Johan Wevers
#359
2016-02-09 10:20:51 UTC
the three letter agencies would almost certainly try to get Signal's
signing keys and with the unlimited budget i guess sooner or later
they'd succeed. but, not being Snowdens, this is not to worry about
for most of us... ;)
--
jure
Johan Wevers
2016-02-09 12:49:00 UTC
Post by #359
the three letter agencies would almost certainly try to get Signal's
signing keys and with the unlimited budget i guess sooner or later
they'd succeeded.
That's not a matter of budget but more a matter of the famous $5 wrench
at https://xkcd.com/538/ or "legal" equivalents combined with gag
orders. After all, the Signal team lives in the US.
Post by #359
but, not being Snowdens, this is not to worry about
for most of us... ;)
But Snowden apparently uses Signal, so they have some motivation to try
(although if I was him I'd compile from source. I do that already while
I'm not Snowden.)
--
With kind regards,

Johan Wevers
Sam Lanning
2016-02-09 10:20:43 UTC
I stand corrected then, well that's good news! :-D
Post by Johan Wevers
Post by Sam Lanning
then also need to trust Google that it will only ever distribute the
APKs that the developers upload. There is no way to assert this.
Unless Google has a hidden way to automatically disable signature
verification when installing an app, this can not happen. There are ways
to disable this verification but it requires root and tools one does not
install by accident. And it most probably would not go unnoticed for a
long time.
BTW, distributing backdoored apps via Google Play and Apple's appstore
for targeted users has been discussed by the usual 3-letter agencies.
And AFAIK it was publicly announced they abandoned the idea.
--
Met vriendelijke groet,
Johan Wevers
Torsten Grote
2016-02-10 00:53:11 UTC
You then also need to trust Google that it will only ever distribute the
APKs that the developers upload. There is no way to assert this.
There is not, but if they did distribute the correct APK initially, they can
not use a different signature later without circumventing the signature
verification happening on your mobile device.
BTW, distributing backdoored apps via Google Play and Apple's appstore
for targeted users has been discussed by the usual 3-letter agencies.
And AFAIK it was publicly announced they abandoned the idea.
I rather trust the implementation of signature verification than a public
announcement by a 3 letter agency.

Kind Regards,
Torsten
Jaakko Luttinen
2016-02-09 09:12:14 UTC
Post by #359
even if there is a way to decide whether Signal on Google Play is really
built from source or not, to know that for sure every single user would
need to check it for themselves. which, of course, is not going to
happen.
I think it is sufficient if even some small subset of people check this.
It would put a high risk on the "cheater" (for instance, if Google
sometimes gives wrong APKs).

In practice, it is sufficient for a user that one person he/she trusts
checks it and then, for instance, shares the hash of the checked APK.
Note that others only need to check the hash of their APKs, no need to
build from source.

(This process could of course be automated somehow if necessary. For
instance, Billy Averagy wouldn't install APK version X until he has
received a checked hash from Susan Nerdy.)

Also, if I could check it, then I'd trust that the same APK installed by
my contacts is trustworthy (even without checking all the hashes etc).
The risk is much lower. But I could of course check the hashes if I wanted.

More generally, a good way would be if anyone could check any APK and
sign it with his/her own key and these signatures are publicly shared in
the software center or elsewhere. Then you could see that an APK has
been signed by these 937 people and I trust at least one of them, so I
can install it. But I suppose current systems don't support this kind of
distributed signing model.
Post by #359
so, at the end of the day, it's still a matter of trust. and for most of
the users that's enough. conspiracy theorists and people with special
threat models would of course need to compile apks themselves.
I think being able to verify the APK helps solve significant trust
issues. And I don't think everybody needs to build from source to
achieve this. Just use reproducible builds and some people checking APKs
and sharing their results. This would already be a huge step.

And as I said earlier, compiling APKs yourself doesn't really solve the
issue if others install from Google Play and nobody has any way of
checking whether those APKs are good or not.

Cheers,
Jaakko
Jaakko Luttinen
2016-02-09 09:21:03 UTC
http://support.whispersystems.org/hc/en-us/articles/212477768-Is-it-private-Can-I-trust-it-

"Additionally, the complete source code for the Signal clients and the
Signal server is available on GitHub. This enables interested parties to
examine the code and help us verify that everything is behaving as
expected. It also allows advanced users to compile their own copies of
the applications and compare them with the versions we distribute."

At least it is claimed that the APKs can be checked.

Any instructions on this?

In order to reproduce the distributed APK, do I need to have some
specific hardware/software configuration?

Best,
Jaakko
Johan Wevers
2016-02-09 10:14:40 UTC
Post by Jaakko Luttinen
In order to reproduce the distributed APK, do I need to have some
specific hardware/software configuration?
The same compiler and SDK / JDK setup the developers have, and their apk
signing key. They might tell you the first part, but I doubt very much
they will give out their apk signing key, as it would give others the
option to build a backdoored version with the same signature that can be
installed over the existing Signal.
--
Met vriendelijke groet,

Johan Wevers
Jaakko Luttinen
2016-02-09 10:19:03 UTC
Post by Johan Wevers
Post by Jaakko Luttinen
In order to reproduce the distributed APK, do I need to have some
specific hardware/software configuration?
The same compiler and SDK / JDK setup the developers have, and theit apk
signing key. They might tell you the first part, but I doubt very much
they will give out their apk signing key, as it would give others the
option to build a backdoored version with the same signature that can be
installed over the existing Signal.
Ok, if we forget about the signing part (and creating an identical APK),
and only want to verify that their APK is really built from the claimed
source, do I still need their signing keys? That is, can I check that
their APK is built from the source if they only give me "the first part"?

Cheers,
Jaakko
Torsten Grote
2016-02-10 00:47:06 UTC
Post by Jaakko Luttinen
do I still need their signing keys?
You don't need the signing key to compare results since it can be "detached"
for the comparison.

Here's more information on reproducible builds that might be interesting for
you:

https://f-droid.org/wiki/page/Deterministic,_Reproducible_Builds


However, I do not know whether Signal is set up to build reproducible. You
could just install an F-Droid build server and try if it can verify the apk.
Post by Jaakko Luttinen
An awful lot of builds already verify with no extra effort. Generally these
are the ones where only Java is involved.
So it's worth a try ;)

Kind Regards,
Torsten
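The "detached signature" comparison Torsten describes, and the shared APK hash Jaakko proposed earlier in the thread, as an added example (not Signal's, F-Droid's or any poster's code). It treats the APK as the ZIP it is, drops the v1 signature entries under META-INF/, and compares the remaining entries by content hash; the sample APKs are constructed in memory.

```python
"""Compare a distributed APK with a local build, ignoring the signing key.

An APK is a ZIP file. The v1 (JAR) signature lives entirely in META-INF/
(MANIFEST.MF, *.SF, *.RSA/*.DSA/*.EC); skipping those entries "detaches"
the signature so the rest can be compared entry by entry. Comparing
per-entry content instead of whole-file bytes also tolerates different
ZIP container layouts (entry order, compression level) between two builds.
"""
import hashlib
import io
import zipfile

SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC", ".MF")


def is_signature_entry(name: str) -> bool:
    """META-INF/ entries with a signature-file suffix are not compared."""
    upper = name.upper()
    return upper.startswith("META-INF/") and upper.endswith(SIGNATURE_SUFFIXES)


def content_digests(apk_bytes: bytes) -> dict:
    """Map each non-signature entry name to the SHA-256 of its contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def diff_unsigned(apk_a: bytes, apk_b: bytes) -> list:
    """Names of entries missing from one APK or differing in content."""
    da, db = content_digests(apk_a), content_digests(apk_b)
    return sorted(n for n in set(da) | set(db) if da.get(n) != db.get(n))


def apk_sha256(apk_bytes: bytes) -> str:
    """Whole-file hash: what a trusted checker would publish for others."""
    return hashlib.sha256(apk_bytes).hexdigest()


def make_apk(entries: dict) -> bytes:
    """Build a minimal ZIP standing in for an APK (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: local build is unsigned, the "Play" copy carries v1
# signature files, and the tampered copy additionally alters classes.dex.
APP = {"classes.dex": b"dex\n035\x00bytecode", "AndroidManifest.xml": b"<manifest/>"}
SIG = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
       "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
       "META-INF/CERT.RSA": b"\x30\x82placeholder-pkcs7-blob"}
LOCAL_BUILD = make_apk(APP)
PLAY_APK = make_apk({**APP, **SIG})
TAMPERED_APK = make_apk({**APP, "classes.dex": b"dex\n035\x00bytecode+patch", **SIG})

if __name__ == "__main__":
    print("play vs local:", diff_unsigned(PLAY_APK, LOCAL_BUILD))
    print("tampered vs local:", diff_unsigned(TAMPERED_APK, LOCAL_BUILD))
    print("hash to share:", apk_sha256(PLAY_APK))
```

An empty diff means the distributed APK matches the local build in everything but the signature; a non-empty one names the entries to inspect, which is where native libraries tend to show up when only the Java parts reproduce.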
Johan Wevers
2016-02-10 11:38:59 UTC
Post by Jaakko Luttinen
An awful lot of builds already verify with no extra effort. Generally these
are the ones where only Java is involved.
Which is not true for Signal, which contains C++ code for libcurve25519
and libredphone-audio.
--
Met vriendelijke groet,

Johan Wevers
Xavier Lebrun
2016-02-09 09:41:58 UTC
signal is a "for everyone" encryption service

on the base you have to trust signal apps and service.
(text service is open source, call servers are not, actually)
metadata is neither secured nor anonymous and we just have to trust what
signal team is doing.

my personal opinion is that it is enough for me.

they cannot change how app store is working

if you do not want to trust anyone.
only option is to build your app run your server.
in that case my opinion is that xmpp + tor is much more advanced in
security than what is signal.
but far away in terms of ease of use and integration

you can read again my email and think about the call server not open source.
this may be a blocking thing for you

xavier
Jaakko Luttinen
2016-02-09 10:11:52 UTC
Whisper Systems says on their website that it is possible to compile the
source code and compare it with the distributed version.

In general, I think that being able to verify that an APK is built from
a claimed source code is an important feature. It enables solving many
important trust/security issues.

I am not saying that how app store is working should be changed. (Though
I gave some ideas how things could be "ideally".)

I am definitely not saying that I do not want to trust anyone.

I only want to make sure that the Signal APK distributed on Google Play
is built from the source available on GitHub. That's all.

If this is not possible, then Whisper System has false claims on their
website and there is a significant security issue. But I'm not claiming
they have false claims. I'm just asking how I can do this verification.

I would have thought that someone has done it and has some experience on
it, and that there would be some information about it somewhere. That's
why I sent an email to this list.

Cheers,
Jaakko
Post by Xavier Lebrun
signal is a "for everyone" encryption service
on the base you have to trust signal apps and service.
(text service is open source, call servers are not, actually)
metadata is neither secured nor anonymous and we just have to trust what
signal team is doing.
my personal opinion is that it is enough for me.
they cannot change how app store is working
if you do not want to trust anyone.
only option is to build your app run your server.
in that case my opinion is that xmpp + tor is much more advanced in
security than what is signal.
but far away in terms of ease of use and integration
you can read again my email and think about the call server not open source.
this may be a blocking thing for you
xavier