Opened 8 weeks ago

Closed 4 weeks ago

#26528 closed task (fixed)

App stores should not be allowed to use UpdateService

Reported by: igt0
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-mobile, TorBrowserTeam201807R
Cc: sysrqb, gk
Actual Points:
Parent ID: #26242
Points:
Reviewer:
Sponsor:

Description

We should not allow the user to use the UpdateService when the app was installed using any app store (Google Play, F-Droid).

Attachments (1)

0001-Bug-26528-Don-t-allow-Fennec-to-use-UpdateService-wh.patch (3.6 KB) - added by igt0 8 weeks ago.

Change History (7)

comment:1 Changed 8 weeks ago by igt0

Status: changed from new to needs_review

comment:2 Changed 8 weeks ago by sysrqb

Nice. We'll want a different name than INSTALLER_ORFOX, and I think we'll need our own f-droid repository, too. The Guardian Project run their own repo, but I don't remember the specific reasons why the main f-droid repo won't accept their apps.

I thought about disabling using a different method by excluding the updater at compile-time. Unfortunately, this results in different APKs [0]. It's conditionally included using an environment variable.

if [ -z "${TB_BUILD_WITH_UPDATER}" ]; then
    # Because Google Play will likely be the primary distribution medium,
    # we disable updating and rely on Google Play by default. The
    # Developer Policy explicitly prohibits in-app updating:
    #    An app distributed via Google Play may not modify, replace, or
    #    update itself using any method other than Google Play's update
    #    mechanism.
    # https://play.google.com/about/privacy-security-deception/malicious-behavior/

    ac_add_options --disable-tor-browser-update
    ac_add_options --disable-signmar
    ac_add_options --disable-verify-mar
fi

[0] https://gitweb.torproject.org/user/sysrqb/tor-browser.git/tree/.mozconfig-android?h=tor-browser-60.1.0esr-8.0-1%2b26401#n22

comment:3 in reply to:  2 Changed 8 weeks ago by igt0

Replying to sysrqb:

> Nice. We'll want a different name than INSTALLER_ORFOX, and I think we'll need our own f-droid repository, too. The Guardian Project run their own repo, but I don't remember the specific reasons why the main f-droid repo won't accept their apps.

Indeed INSTALLER_ORFOX should be INSTALLER_FDROID.

> I thought about disabling using a different method by excluding the updater at compile-time. Unfortunately, this results in different APKs [0]. It's conditionally included using an environment variable.
>
> if [ -z "${TB_BUILD_WITH_UPDATER}" ]; then
>     # Because Google Play will likely be the primary distribution medium,
>     # we disable updating and rely on Google Play by default. The
>     # Developer Policy explicitly prohibits in-app updating:
>     #    An app distributed via Google Play may not modify, replace, or
>     #    update itself using any method other than Google Play's update
>     #    mechanism.
>     # https://play.google.com/about/privacy-security-deception/malicious-behavior/
>
>     ac_add_options --disable-tor-browser-update
>     ac_add_options --disable-signmar
>     ac_add_options --disable-verify-mar
> fi
>
> [0] https://gitweb.torproject.org/user/sysrqb/tor-browser.git/tree/.mozconfig-android?h=tor-browser-60.1.0esr-8.0-1%2b26401#n22

Yeah, Mozilla has the same challenge[0].

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=690820

comment:4 Changed 8 weeks ago by gk

Keywords: TorBrowserTeam201806R added

comment:5 Changed 7 weeks ago by gk

Keywords: TorBrowserTeam201807R added; TorBrowserTeam201806R removed

Moving reviews to July.

comment:6 Changed 4 weeks ago by gk

Resolution: fixed
Status: changed from needs_review to closed

Looks good to me. Applied to tor-browser-60.1.0esr-8.0-1 as commit 1388fbe6fd988603cbfe10eec92f9f9be578a18c.
