Opened 15 months ago

Last modified 6 weeks ago

#26318 new enhancement

TBA - Consider different installation methods

Reported by: sysrqb Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-mobile, tbb-8.5, tbb-parity, TorBrowserTeam201907
Cc: igt0, gk, dmr, jan@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor: Sponsor8

Description

Following from #26242, we must decide how we will distribute this app for initial download and installation.

1) Marketplaces (Google Play Store, F-Droid, etc.)
2) Direct download
3) ...?

We can't only rely on the marketplaces, because those are blocked on some networks. We can use the same mechanisms (such as gettor) for distributing TBA. One major difference on Android (when compared with desktop) is the difficulty with which a user can verify the downloaded blob is authentic. Simply checking the cryptographic signature is not easy, and bootstrapping trust is not as easy here. Have any other project solved this in a way we can use?

Child Tickets

TicketTypeStatusOwnerSummary
#27539enhancementacceptedsysrqbCreate plan for releasing on F-Droid

Change History (24)

comment:1 Changed 15 months ago by igt0

There are few checks we can do, this article describes few of them:

https://www.airpair.com/android/posts/adding-tampering-detection-to-your-android-app

comment:2 Changed 14 months ago by igt0

I have been thinking about this problem for some time and I propose two things:

  1. Add in the onboarding a link to the wiki about how to validate the APK.
  1. Add a button in the TBA menu called "Validate App". When the user clicks on it, TBA fetchs a json from the onion service with information about what is the current version and signin certificate and checks if the current certificate is the same of the installed app. We also should tech the user that this approach doesn't work if the app is tampered.

sysrqb, GeKo: any thoughts?

comment:3 Changed 14 months ago by dmr

Cc: dmr added

comment:4 Changed 14 months ago by dmr

F-Droid client (specifically Bazaar) is a great "offline" app store.

I haven't follow the progress of the project in a while, but it does allow for these sorts of things:

  • peer-to-peer app distribution over wifi
  • peer-to-peer app distribution over bluetooth
  • peer-to-peer app distribution over NFC, Android Beam
  • peer-to-peer app verification
  • .onion repos
  • sharing repo identities in person

Not the client, but also part of the F-Droid ecosystem:

  • trusted repos created with Repomaker, a web-based UI (not yet ready for production)

While arguably we can't get everyone to use F-Droid, I just wanted to point out that they have designed it much with these use cases and problems in mind.
I believe we should focus some resources on educating users about these peer-to-peer options, so that they can leverage existing trust relationships within communities.

References:

It's worth noting that The Guardian Project has F-Droid repos on multiple distribution channels/platforms:

  • direct HTTPS
  • .onion
  • AWS S3 (so provides the collateral censorship-resistance properties akin to domain fronting)

On a different note, there is also the App Updater / update detector framework that may be of use for non-F-Droid devices (iiuc):

It's not necessarily relevant for the first download/install, but it may be helpful nonetheless in the broader scope of things.

comment:5 Changed 14 months ago by sysrqb

Parent ID: #26531

Required for first alpha.

comment:6 Changed 11 months ago by sysrqb

Keywords: TBA-a2 added
Parent ID: #26531

We have Google Play and direct download complete. Let's decide on how we accomplish the remaining tasks.

Moving to second-alpha TBA keyword.

comment:7 Changed 11 months ago by gk

Keywords: TorBrowserTeam201810 added

Putting on October radar.

comment:8 Changed 10 months ago by gk

Keywords: TorBrowserTeam201811 added; TorBrowserTeam201810 removed

Moving our tickets to November.

comment:9 Changed 9 months ago by pili

Sponsor: Sponsor8

comment:10 Changed 8 months ago by gk

Keywords: TorBrowserTeam201812 added; TorBrowserTeam201811 removed

Moving our tickets to December.

comment:11 Changed 8 months ago by gk

Keywords: TBA-a3 added

Setting tag for third Tor Browser for Android alpha milestone.

comment:12 Changed 8 months ago by gk

Keywords: TBA-a2 removed

We are beyond TBA-a2, TBA-a3 is the new black.

comment:13 Changed 8 months ago by darkspirit

Cc: jan@… added

comment:14 Changed 7 months ago by gk

Keywords: TorBrowserTeam201901 added; TorBrowserTeam201812 removed

Moving tickets to Jan 2019.

comment:15 Changed 6 months ago by gk

Keywords: TorBrowserTeam201902 added; TorBrowserTeam201901 removed

Moving tickets to February.

comment:16 Changed 6 months ago by gk

Keywords: TBA-8.5 added; TBA-a3 removed

Move tickets out of TBA-a3 into TBA-stable.

comment:17 Changed 5 months ago by gk

Keywords: TorBrowserTeam201903 added; TorBrowserTeam201902 removed

Moving remaining tickets to March.

comment:18 Changed 5 months ago by gk

Keywords: tbb-8.5 added

Tickets on our radar for 8.5

comment:19 Changed 5 months ago by gk

Keywords: tbb-parity added

tbb-parity items.

comment:20 Changed 5 months ago by gk

Keywords: TBA-8.5 removed

comment:21 Changed 5 months ago by gk

Keywords: TorBrowserTeam201904 added; TorBrowserTeam201903 removed

Moving tickets to April.

comment:22 Changed 3 months ago by gk

Keywords: TorBrowserTeam201905 added; TorBrowserTeam201904 removed

Moving tickets to May

comment:23 Changed 2 months ago by gk

Keywords: TorBrowserTeam201906 added; TorBrowserTeam201905 removed

Moving tickets to June

comment:24 Changed 6 weeks ago by gk

Keywords: TorBrowserTeam201907 added; TorBrowserTeam201906 removed

Moving tickets to July

Note: See TracTickets for help on using tickets.