App stores should not be allowed to use UpdateService

We should not allow the user to use the UpdateService when the app was installed using any app store(google play, f-droid).

added TorBrowserTeam201807R component::applications/tor browser owner::tbb-team parent::26242 priority::medium resolution::fixed severity::normal sponsor::8 status::closed tbb-mobile type::task labels

Trac:
Status: new to needs_review

Nice. We'll want a different name than INSTALLER_ORFOX, and I think we'll need our own f-droid repository, too. The Guardian Project run their own repo, but I don't remember the specific reasons why the main f-droid repo won't accept their apps.

I thought about disabling using a different method by excluding the updater at compile-time. Unfortunately, this results in different APKs [0]. It's conditionally included using an environment variable.

if [ -z "${TB_BUILD_WITH_UPDATER}" ]; then
# Because Google Play will likely be the primary distribution medium,
# we disable updating and rely on Google Play by default. The
# Developer Policy explicitly prohibits in-app updating:
#    An app distributed via Google Play may not modify, replace, or
#    update itself using any method other than Google Plays update
#    mechanism.
# https://play.google.com/about/privacy-security-deception/malicious-behavior/

    ac_add_options --disable-tor-browser-update
    ac_add_options --disable-signmar
    ac_add_options --disable-verify-mar
fi

[0] https://gitweb.torproject.org/user/sysrqb/tor-browser.git/tree/.mozconfig-android?h=tor-browser-60.1.0esr-8.0-1%2b26401#n22

Replying to sysrqb:

Nice. We'll want a different name than INSTALLER_ORFOX, and I think we'll need our own f-droid repository, too. The Guardian Project run their own repo, but I don't remember the specific reasons why the main f-droid repo won't accept their apps.

Indeed INSTALLER_ORFOX should be INSTALLER_FDROID.

I thought about disabling using a different method by excluding the updater at compile-time. Unfortunately, this results in different APKs [0]. It's conditionally included using an environment variable.

{{{ if [ -z "${TB_BUILD_WITH_UPDATER}" ]; then

Because Google Play will likely be the primary distribution medium,

we disable updating and rely on Google Play by default. The

Developer Policy explicitly prohibits in-app updating:

An app distributed via Google Play may not modify, replace, or

update itself using any method other than Google Plays update

mechanism.

https://play.google.com/about/privacy-security-deception/malicious-behavior/

ac_add_options --disable-tor-browser-update
ac_add_options --disable-signmar
ac_add_options --disable-verify-mar

fi }}}

[0] https://gitweb.torproject.org/user/sysrqb/tor-browser.git/tree/.mozconfig-android?h=tor-browser-60.1.0esr-8.0-1%2b26401#n22

Yeah, Mozilla has the same challenge[0].

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=690820

Trac:
0001-Bug-26528-Don-t-allow-Fennec-to-use-UpdateService-wh.patch

Trac:
Keywords: N/A deleted, TorBrowserTeam201806R added

Moving reviews to July.

Trac:
Keywords: TorBrowserTeam201806R deleted, TorBrowserTeam201807R added

Looks good to me. Applied to tor-browser-60.1.0esr-8.0-1 as commit 1388fbe6fd988603cbfe10eec92f9f9be578a18c.

Trac:
Status: needs_review to closed
Resolution: N/A to fixed

Trac:
Sponsor: N/A to Sponsor8

Sponsor8 in July 2018.

closed

mentioned in issue #26938 (moved)

moved to tpo/applications/tor-browser#26528 (closed)

mentioned in issue tpo/applications/tor-browser#26938 (closed)