F-Droid and the Janus Vulnerability

The Janus vulnerability has sprung forth unto the Android world, and we have sprung into action to keep it far away.

First off, f-droid.org, guardianproject.info/fdroid and apt.izzysoft.de/fdroid were scanned for possible Janus exploits, and none were found. f-droid.org’s greatest protection against malware is the requirement that everything be built from source, that humans review every app that is added, and that a source tarball for each build is stored forever. Exploit writers do not want to give away the source code of their malware, nor have their activities permanently logged in git, so this process keeps them away. No malware has been found in f-droid.org in its 7 years of operation.

F-Droid is also an open ecosystem, which means many people get apps from other sources. For that reason, we are working to add Janus detection to the F-Droid Android client app. When an installed APK with a Janus exploit is found, the client will prompt the user to uninstall it in the “Updates” tab. If an APK with a Janus exploit is downloaded from a repo that has let it in, the client will block it from being installed.

There is also some incidental good news: it turns out that none of the roughly 10 Janus samples we have can pass fdroid update. Most of them failed to verify when fdroid update calls aapt dump badging. The one file that passed those tests was the publicly released Janus demo APK. But it had strange dates like 2042-14-03 00:62:15 in its ZIP entries, probably because of the tricks needed to assemble this DEX+ZIP file. That triggered a crash in fdroid update when it parsed the date of AndroidManifest.xml: Python complains that there is no 14th month. The crash prevents the APK from being added to the repo. We have also added an explicit block for APKs trying to exploit Janus.

Also, apksigner is better at verifying APK signatures, and many of the Janus samples fail its checks. If apksigner is installed, then fdroid build uses it. If an APK is signed with a v2 APK Signature, then things like Janus exploits are not possible. So if you are working with APKs that you have not built from source, be sure to install apksigner.
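The three checks described above (the client-side Janus detection, the explicit block in fdroid update together with the ZIP-date crash, and the v2-signature point) can be illustrated with a small triage script. The following is an added example written for this post; it is not fdroidserver's or the client app's own code. It assumes the Janus indicator is simply "the file parses as DEX from offset 0", reports whether an APK Signing Block is present (presence only; signature verification is still apksigner's job), and turns the month-14 crash into a reported finding. All sample files are constructed in memory and are neither real apps nor working exploits.

```python
# Added defensive example (not fdroidserver's own code): triage an APK for the
# Janus indicator the post describes (a file that parses as DEX from offset 0),
# report whether an APK Signing Block (v2/v3 signing) is present, and surface
# ZIP entry dates that would make a naive datetime() conversion crash.
import datetime
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n"                 # DEX header: "dex\n" + 3-digit version + NUL
ZIP_LOCAL_HEADER = b"PK\x03\x04"
CD_HEADER = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"


def starts_as_dex(data: bytes) -> bool:
    """A Janus-style file is a DEX with a ZIP appended, so the cheapest
    indicator is simply: would a DEX parser accept the file from offset 0?"""
    return data[:4] == DEX_MAGIC


def has_apk_signing_block(data: bytes) -> bool:
    """Presence (not validity) of an APK Signing Block, which the spec places
    immediately before the central directory offset recorded in the EOCD."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return False
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    return data[cd_offset - 16:cd_offset] == APK_SIG_BLOCK_MAGIC


def entry_date_problems(data: bytes) -> list:
    """(name, date_time) for entries whose DOS timestamp is not a calendar
    date, reported instead of letting datetime() raise mid-update."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                datetime.datetime(*info.date_time)
            except ValueError:
                problems.append((info.filename, info.date_time))
    return problems


def triage_apk(data: bytes) -> dict:
    """One verdict; 'block' follows the repo policy described in the post."""
    dex = starts_as_dex(data)
    return {
        "starts_as_dex": dex,
        "starts_as_zip": data[:4] == ZIP_LOCAL_HEADER,
        "has_signing_block": has_apk_signing_block(data),
        "bad_dates": entry_date_problems(data),
        "block": dex,
    }


# ---- constructed samples (assumed shapes, not real apps or real exploits) ----

def build_sample_apk() -> bytes:
    """Minimal APK-shaped ZIP with fixed timestamps (stored, not compressed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        when = (2017, 12, 5, 10, 30, 0)
        zf.writestr(zipfile.ZipInfo("AndroidManifest.xml", when), b"<manifest/>")
        zf.writestr(zipfile.ZipInfo("classes.dex", when), b"dex\n035\0" + b"\0" * 32)
    return buf.getvalue()


def encode_dos_datetime(y, mo, d, h, mi, s):
    """Raw DOS fields; deliberately unchecked so out-of-range values survive."""
    return (h << 11 | mi << 5 | s // 2), ((y - 1980) << 9 | mo << 5 | d)


def with_bogus_dates(data: bytes, dos_time: int, dos_date: int) -> bytes:
    """Overwrite the first entry's timestamp in its local header (offset 10)
    and central directory record (offset 12), mimicking the odd dates seen."""
    out = bytearray(data)
    struct.pack_into("<HH", out, 10, dos_time, dos_date)
    struct.pack_into("<HH", out, out.find(CD_HEADER) + 12, dos_time, dos_date)
    return bytes(out)


def with_empty_signing_block(data: bytes) -> bytes:
    """Insert an APK Signing Block with no signer pairs (only the container,
    not a valid v2 signature) and fix the EOCD central-directory offset.
    Layout: u64 size | pairs | u64 size | 16-byte magic (size excludes the
    leading u64)."""
    eocd = data.rfind(EOCD_SIG)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    size = 8 + len(APK_SIG_BLOCK_MAGIC)
    block = struct.pack("<QQ", size, size) + APK_SIG_BLOCK_MAGIC
    out = bytearray(data[:cd_offset] + block + data[cd_offset:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd_offset + len(block))
    return bytes(out)


if __name__ == "__main__":
    clean = build_sample_apk()
    samples = [
        ("clean", clean),
        ("dex-prefixed", b"dex\n035\0" + clean),
        ("bogus-dates", with_bogus_dates(clean, *encode_dos_datetime(2042, 14, 3, 0, 62, 15))),
        ("signing-block", with_empty_signing_block(clean)),
    ]
    for label, sample in samples:
        print(label, triage_apk(sample))
```

Two design points worth noting. The date check reads the timestamp through zipfile, which decodes the DOS fields without validating them, so the month-14 value reaches datetime() exactly as the post describes; catching ValueError there lets an updater reject the file with a useful message instead of a traceback. The signing-block check only tells you the v2/v3 container exists; an empty or forged block proves nothing, which is why the post still points to apksigner for the actual verification.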

So we can safely say that it would be difficult to inadvertently put a Janus exploit in an F-Droid repo. And with the new protections in the Android client app, a repo cannot force the user to install one.