F-Droid and the Janus Vulnerability
Posted on Dec 13, 2017 by
The Janus vulnerability has sprung forth unto the Android world, and we have sprung into action to keep it far away.
First off, f-droid.org, guardianproject.info/fdroid and apt.izzysoft.de/fdroid were scanned for possible Janus exploits and none were found. f-droid.org’s greatest protection against malware is the requirement that everything must be built from source, humans review all apps that are added, and a source tarball for each build is stored forever. Exploit writers do not want to give away the source code to their malware nor have their activities permanently logged in git, so this process keeps them away. No malware has been found in f-droid.org in its 7 years of operation.
F-Droid is also an open ecosystem, which means many people are getting apps from other sources. For that reason, we are working to add Janus detection to the F-Droid Android client app. When an APK with a Janus exploit is found, the client will prompt the user to uninstall it in the “Updates” tab. If an APK with a Janus exploit is downloaded from a repo that has allowed it in, it will be blocked from being installed.
There is also some random good news: it turns out that none of the about 10 Janus examples we have can pass fdroid update. Most of them failed to verify when fdroid update calls aapt dump badging.
The one file that passed those tests was the publicly released Janus demo APK. But it had strange dates like 2042-14-03 00:62:15 in the ZIP entries, probably because of the tricks needed to assemble this DEX+ZIP file. This triggered a crash in fdroid update when parsing the date of AndroidManifest.xml. Python complains that there is no 14th month. This crash prevents the APK from being added to the repo. We have also added an explicit block for APKs trying to exploit Janus.
Also, apksigner is better at verifying APK signatures, and many Janus examples failed. If apksigner is installed, then fdroid build uses it. If an APK is signed with a v2 APK Signature, then things like Janus exploits are not possible. So if you are working with APKs that you have not built from source, be sure to install apksigner.
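The two repo-side observations above, that a Janus DEX+ZIP polyglot begins with a DEX header rather than a ZIP local file header, and that a ZIP entry can carry a calendar-invalid DOS timestamp that must not crash the tool reading it, can be turned into a small defensive scanner. The following is an added example written for this post, not F-Droid's own code from the client app or fdroidserver; the function names, the minimal in-memory sample archives and the "2042-14-03 00:62:15" test stamp are constructed here for illustration. Note that ZIP stores seconds at 2-second granularity, so a written 15 reads back as 14.

```python
"""Defensive APK checks: DEX-header detection and tolerant ZIP timestamp parsing.
Added example; not F-Droid's code. Names and sample data are the author's own."""
import datetime
import io
import zipfile

ZIP_LOCAL_HEADER_MAGIC = b"PK\x03\x04"
DEX_MAGIC_PREFIX = b"dex\n"  # full DEX magic is b"dex\n" + 3-digit version + b"\x00"


def starts_with_dex_header(data: bytes) -> bool:
    """True when the file begins with a DEX header.

    A genuine APK begins with the ZIP local-file-header signature. A Janus-style
    polyglot puts a DEX header first so the runtime loads the file as DEX, while
    ZIP readers, which locate the archive from the end-of-central-directory
    record at the tail, still treat it as a valid APK."""
    return data[:4] == DEX_MAGIC_PREFIX and len(data) >= 8 and data[7:8] == b"\x00"


def zip_entries_with_invalid_dates(data: bytes) -> list:
    """Return [(name, date_time)] for entries whose DOS date/time is not a real
    calendar date. zipfile decodes the raw bit-fields without validating them;
    passing them straight to datetime() is exactly the ValueError path the post
    describes, so here it is caught and reported instead of crashing."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                datetime.datetime(*info.date_time)
            except ValueError:
                bad.append((info.filename, info.date_time))
    return bad


def check_apk(data: bytes) -> list:
    """Run both checks; return human-readable findings (empty list means clean)."""
    findings = []
    if starts_with_dex_header(data):
        findings.append("file starts with a DEX header: possible Janus DEX+ZIP polyglot")
    elif data[:4] != ZIP_LOCAL_HEADER_MAGIC:
        findings.append("file does not start with a ZIP local file header")
    try:
        for name, dt in zip_entries_with_invalid_dates(data):
            findings.append("entry %s has an invalid timestamp %r" % (name, dt))
    except zipfile.BadZipFile:
        findings.append("not a readable ZIP archive")
    return findings


def build_sample_apk(bad_manifest_date: bool) -> bytes:
    """Constructed sample: a minimal ZIP holding one AndroidManifest.xml entry.
    With bad_manifest_date=True the entry gets the 2042-14-03 00:62:15 stamp
    quoted in the post (month 14, minute 62); zipfile writes it without complaint."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("AndroidManifest.xml")
        info.date_time = (2042, 14, 3, 0, 62, 15) if bad_manifest_date else (2017, 12, 13, 12, 0, 0)
        zf.writestr(info, b"<manifest/>")
    return buf.getvalue()


if __name__ == "__main__":
    # A bare DEX-like header (constructed, not a working polyglot) exercises the first check.
    samples = [
        ("clean", build_sample_apk(False)),
        ("bad date", build_sample_apk(True)),
        ("dex header", b"dex\n035\x00" + b"\x00" * 64),
    ]
    for label, apk in samples:
        print(label, check_apk(apk) or ["clean"])
```

In a repo pipeline this sits before any call that hands the archive to aapt or apksigner: a DEX header at offset 0 is grounds to reject outright, and an invalid timestamp is logged rather than allowed to abort the whole update run.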
So we can safely say that it would be difficult to inadvertently put a Janus exploit in an F-Droid repo. And with the new protections in the Android client app, a repo cannot force the user to install one.