Build Your Own App Store: Android Media Distribution for Everyone

Most people get their Android apps from Google Play. It is often the only and the safest choice for them. But there are also many people who do not have access to Google Play, either because they lack a proper internet connection or simply because Google Play is blocked in their country.

The F-Droid project already provides tools to create independent app distribution channels for Android apps. These tools are production-ready, but require expert knowledge and the command line to be used. Now we want to build upon this foundation and develop curation tools that can also be used by people with little technical knowledge, thus making app distribution technology more widely available.

Use-Cases

The main use-case we want to address is bypassing app store censorship and blocking. But there are other use-cases that benefit from easy-to-set-up app stores as well.

There are Android phones and tablets that don't have Google Play available, either because their manufacturer did not get a license from Google or because their owners prefer their phones Google-free.

Just like Apple's app store, the terms of service of Google Play exclude certain apps from being distributed, and such apps are removed regularly. Having alternative means of distribution is often the only way to bring these apps to people.

Features

Core Features

  • Create a new app repository
  • Add new apps/media to the repository
  • Update existing apps/media in the repository
  • Update the description and metadata of apps/media
  • Remove apps/media from the repository
  • Automatic generation of a repository website with QR code (and instructions)
  • Import apps directly from other repositories

Optional Future Features

  • Archive apps/media to an archive repository
  • Remove installed apps/media from users' devices
  • Offer a hosted web app with user management (sign-up, lost password) as a service
  • Allow multiple curators to manage the same repository
  • Import apps (and their descriptions) from Google Play
  • Check for updates from Google Play periodically and import them automatically
  • Make the repository available via the Tor network
  • Generate a custom white-labelled repository app (based on F-Droid)
  • App security scanner for vulnerable libraries and VirusTotal (opt-in) upload
  • App browsing and download on the generated repository website

Target Audience

The primary audience for this work are activists and trainers with average technical knowledge who need to securely distribute apps and updates to their community. This is especially a concern in countries where the official app store is blocked. Organizations like Amnesty International, for example, still need to allow people in those countries to securely download their apps and updates.

The person maintaining the repository may use any operating system and in some cases won't even have a laptop or desktop computer available. They may be targeted by advanced attackers that can intercept and inject arbitrary traffic, but who do not have the ability to compromise large service providers such as Amazon.

Furthermore, this work may also be used by the following groups:

  • service providers (who need a private distribution and update mechanism for their apps)
  • individual software developers (who want to distribute beta releases, e.g. for user testing)
  • everyone else who wants full control over the entire distribution and update process

Implementation Options

There are roughly four different ways the app store curation tool could be implemented. Each has its own pros and cons as well as different implications for usability.

Command-line interface

The current app repository tools are already used via the command line, but they require some setup and several non-intuitive commands to be executed. The goal here would be to reduce the number of required commands as much as possible and make them easy to understand and remember. This would be similar to how Let's Encrypt's Certbot simplified SSL certificate management.

Pros

  • least amount of work, building directly on existing tools
  • signing key can be created and stored on the local device

Cons

  • too difficult to use for people with no prior command-line experience
  • off-putting and not inviting for potential non-expert curators
  • adds little benefit over the existing solution

Cross-Platform Desktop Application

A graphical user interface (GUI) could be added to the existing tools to make them easier to use. Existing UI toolkits such as Qt, Gtk or Tcl/Tk could be used for this.

Pros

  • can make use of the existing Python tools
  • signing key can be created and stored on the local device

Cons

  • requires a desktop computer and an installation procedure (probably of dependencies as well)
  • need to maintain and support installation packages for Windows and macOS

Android App

The free software F-Droid app already includes repository functionality used for direct app swapping. This could be modified to publish repositories to remote servers and extended with curation functionality. Alternatively, a new app dedicated to repository curation could be developed, which, unlike F-Droid, could even be distributed via Google Play.

Pros

  • Easy installation
  • No desktop computer required

Cons

  • Needs reimplementation of existing Python code in Java
  • Signing key stored on a probably less secure mobile device

Web App

The user interface for repository curation could be implemented as a web application that is accessed via a web browser. Low-risk curators could use a hosted instance for maximum simplicity, while others could also access the interface via a local (built-in) web server. Powerful web frameworks such as Flask or Django would be a good choice for that task.

Pros

  • Very easy to use from every device
  • Doesn't need installation (lower usage barrier)
  • Can make use of the existing Python tools
  • Makes a multi-curator feature probably easier to implement

Cons

  • In hosted mode: signing keys need to be stored permanently on a web server

Security Considerations

Repository Attacks

The technology used for app distribution needs to ensure the integrity and authenticity of the apps offered in the repository. It cannot prevent malicious apps from being deliberately distributed, but it can offer a security scanner to reduce the risk of unintentional distribution. An attack is considered successful when the content offered by the curator of the repository can be altered so that the modifications propagate to users' devices.

Malicious apps can compromise the targeted application or the entire phone (root exploit). There are two defenses against unintentional distribution of malicious apps:

  1. app package signatures: clients trust the offered app signature on first install (TOFU) and refuse updates with a different signature.

  2. repository signature: clients check the signature when the repository is added and with every update. They warn and refuse operations with the repository when the signature is invalid.

The first defense is out of scope for this work, because app packages are signed when the app is built, so they are already signed when added to the repository. The repository curation tool should however not allow publishing an update that carries a different signature.

The second defense needs to be provided automatically by the curation tools. A repository signing key needs to be created and securely stored. If this key is compromised, an attacker can modify app metadata and can inject modified apps for specific or all users when they install them for the first time. Malicious updates of already installed apps are prevented by the package signature described above.
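As an added illustration of the two defenses above (example code written for this page, not part of fdroidserver or the F-Droid client): a curation-side check that refuses to publish an update signed by a different certificate or with a non-increasing version code, and a client-side TOFU pin. The package name and certificate bytes are constructed placeholders, and the signer identity is assumed to be simply the SHA-256 of the certificate bytes, a simplification of real APK signature handling.

```python
import hashlib
from dataclasses import dataclass


def cert_fingerprint(cert_der: bytes) -> str:
    """Assumed signer identity: SHA-256 of the DER-encoded signing certificate."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass(frozen=True)
class AppEntry:
    """One published version of an app as listed in the repository index."""
    package: str
    version_code: int
    signer: str  # certificate fingerprint of the APK signer


class CurationError(Exception):
    """Raised when the curation tool refuses to publish an entry."""


class Repository:
    """Curation side: keeps the latest entry per package and pins its signer."""
    def __init__(self) -> None:
        self.apps: dict[str, AppEntry] = {}

    def publish(self, package: str, version_code: int, cert_der: bytes) -> AppEntry:
        signer = cert_fingerprint(cert_der)
        current = self.apps.get(package)
        if current is not None:
            if signer != current.signer:
                raise CurationError(f"{package}: signer changed, update refused")
            if version_code <= current.version_code:
                raise CurationError(f"{package}: versionCode {version_code} is not an upgrade")
        entry = AppEntry(package, version_code, signer)
        self.apps[package] = entry
        return entry


class Device:
    """Client side: trust the signer on first install (TOFU), refuse mismatched updates."""
    def __init__(self) -> None:
        self.installed: dict[str, AppEntry] = {}

    def install(self, entry: AppEntry) -> bool:
        pinned = self.installed.get(entry.package)
        if pinned is None:
            self.installed[entry.package] = entry  # first install: nothing to compare against
            return True
        if entry.signer != pinned.signer or entry.version_code <= pinned.version_code:
            return False  # different signer or downgrade: refuse the update
        self.installed[entry.package] = entry
        return True
```

A forged entry that bypasses the curation check is refused by a device that already has the app pinned, but accepted by a fresh device on first install; that first-install gap is exactly what the repository signature has to close.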

If the repository key is created and stored automatically by a service (see implementation option 4), the curator needs to trust the service and the hosting provider. Both need to be out of reach of the attackers in the curator's threat model. For example, if the Guardian Project provides a repository service hosted in Amazon's cloud, this service should be out of reach of most attackers, namely those who have the ability to compromise neither the Guardian Project nor Amazon. Advanced nation-state adversaries might compromise both and thus the repository. Recipients of apps need to trust their distributors/curators and their ability to keep their own systems secure.

However, we generally cannot protect against attackers who have the ability to directly compromise users' devices. All that can be done is to prevent malicious applications from being installed via the repository (without the curator's knowledge). If the attacker can compromise users' devices through other means, this defense no longer matters.

Root and Unknown Sources

In order to get content from the offered repository onto a generic device, the user needs to install F-Droid, which requires allowing the installation of apps from unknown sources. This can put the user at risk, because it makes installing malicious software very easy. Alternatively, super user privileges (root) can be used to install F-Droid's system extension, effectively trusting all apps installed via F-Droid. However, the security risks associated with super user privileges are much more severe, as they can result in compromise of the entire device.

Lack of Updates

If a repository is the user's sole source for an application, any delay in providing updates can put the user at risk of an adversary exploiting a vulnerability in that application that would otherwise have been fixed by the missing update.

What We Will Do

The main goal of the curation tools is to make creating and maintaining repositories as easy as possible for our audience.

This rules out the command line and the desktop application, since today's user experience expectations are not fulfilled by these technologies. While a desktop application comes closer, the need for an installation procedure and for maintaining it for different operating systems makes it too difficult and error-prone compared to the two remaining options.

Implementing the curation tools within an Android application has its merits. It comes with a simple installation process, offers a familiar state-of-the-art user interface and allows apps to be added directly from the curator's device. However, some existing functionality would have to be reimplemented in Java and maintained alongside the existing Python codebase. Also, the curator needs to provide an external storage location for the repository, which can be a barrier for many users and needs its own documentation.

The simplest and most flexible solution is a web application based on the existing Python tools. More advanced curators can use it on a local desktop computer with a built-in web server just like a desktop application, only with the UI in the browser. This usage scenario comes with the same pros and cons as the desktop application. The repository signing key, for example, is stored locally under the curator's control.

But it allows for other usage scenarios as well. If installed on a trusted web server as a service, the curation tools can also be used by curators with little technical knowledge. The curators don't need to install anything and can use the tools from any device. They can even change devices without any data migration. However, they would need to give up control over the signing key.

If time permits, the app store creator can be turned into a full repository service that allows user registrations and several repositories per user. A trusted organization such as the Guardian Project could host this as a service and offer it to an activist group. Software freedom would allow other organizations to host their own repository services as well. You can imagine the activist collective Riseup, for example, not only hosting its own repository of recommended apps, but also allowing its users to create and curate their own repositories.

This becomes even more interesting when people fill their repositories not only with apps, but with all kinds of content such as books, music and pictures.