Skip to content

Instantly share code, notes, and snippets.

@obfusk
Last active January 7, 2023 04:24
Embed
What would you like to do?
on android "secure messengers" and reproducible builds (or lack thereof)

Reproducible Builds

According to the reproducible builds definition:

A build is reproducible if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts.

In the case of android apps, that means bit-by-bit identical APK files.

NB: APK files use the ZIP file format.

Embedded signatures

Unfortunately, embedded cryptographic signatures make it challenging to produce bit-by-bit identical APK files. There are several ways to deal with this: pasting signatures, ignoring signatures, and stripping signatures.

For example, F-Droid uses APK signature copying using apksigcopier.

Another option, harder to get right, is ignoring signatures:

A specific comparison tool can be made available that is able to compare to builds skipping the signatures. [...]

Such a tool must be very easy to audit and understand. Otherwise, it’s hard to trust that the script is not ignoring bytes that would make it behave differently.

APK Signatures

Everything but the APK Signing Block must be bit-by-bit identical for any v2/v3 APK signature to verify, whereas the old v1 (JAR) signature scheme only verifies the uncompressed contents of the ZIP entries (that are not part of the signature).

Android Messengers

Signal, Telegram, and Threema all claim to have reproducible builds.

NB: e.g. Element and Wire do not (claim to) have reproducible builds.

Signal

Uses a custom apkdiff.py script.

This script:

  • has had a rather serious bug (fixed in 2016);

  • seems oddly written, not exactly idiomatic Python code (e.g. use of == True);

  • does not actually verify the APK files are bit-by-bit identical (apart from the signature), just that most of the files in the APK are identical;

  • ignores the files META-INF/MANIFEST.MF, META-INF/SIGNAL_S.RSA, and META-INF/SIGNAL_S.SF, which is reasonable since these are the v1 (JAR) signature files;

  • also ignores the file resources.arsc, because of a bug in AGP, and continues to ignore this file despite the bug having been fixed in 2019 and a comment from that same year that "We should revisit when we update", which apparently never happened despite using a much newer version of AGP now.

Conclusion: this script does not verify the APK files are bit-by-bit identical, skips more than just the signature(s), and is thus not suitable to actually verify the build was reproducible.

Telegram

Uses a custom apkdiff.py script.

This script:

  • has had a rather serious bug (fixed in 2020);

  • seems oddly written, not exactly idiomatic Python code (e.g. use of == True, semicolons, mixes tabs and spaces);

  • does not actually verify the APK files are bit-by-bit identical (apart from the signature), just that most of the files in the APK are identical;

  • ignores the files META-INF/MANIFEST.MF, META-INF/CERT.RSA, and META-INF/CERT.SF, which is reasonable since these are the v1 (JAR) signature files.

Conclusion: this script does not verify the APK files are bit-by-bit identical and is thus not suitable to actually verify the build was reproducible, though at least it does not intentionally skip files not part of the signature.

Threema

Uses a custom verify-build.sh script.

This script:

  • has some oddities (e.g. && success=1 || success=0 instead of $?), but otherwise looks fairly idiomatic;

  • does not actually verify the APK files are bit-by-bit identical (apart from the signature), just that most of the files in the APK are identical;

  • ignores everything in META-INF/, not just the v1 (JAR) signature files;

  • also ignores the file resources.arsc (presumably because of the aforementioned bug in AGP that was fixed in 2019).

Conclusion: this script does not verify the APK files are bit-by-bit identical, skips much more than just the signature(s), and is thus not suitable to actually verify the build was reproducible.

Conclusion

It's quite possible these messengers actually have reproducible builds, but the verification scripts they use don't actually allow us to verify whether they do.


Published 2022-12-05, edited 2023-01-07.

@obfusk
Copy link
Author

obfusk commented Dec 6, 2022

Addendum: Briar is a messenger that does have reproducible builds; this has been verified by F-Droid using signature copying, with the validity of the v2 APK signature ensuring the APKs being actually bit-by-bit identical.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment