Android applications are cryptographically signed by the developer of the application when they are packaged. When you install an application, the signing certificate is pinned by the operating system and trusted on first use (TOFU). This prevents an app with the same app ID (domain.company.application) having a different certificate be installed. This has a few benefits:
- You ensure updates are only able to be delivered by the same entity, providing the signing certificates isn't compromised.
- An app can't be tampered with since it will require being re-signed.
- You can use the hash of the certificates as a form of app / developer verification.
Outside of signing, apps are also protected by downgrade protections to prevent downgrade attacks.
A limitation with TOFU is that it doesn't verify it an app is legitimate, only that it is different from the original install. App stores provide far more verification on an application being listed and are more likely to assure you getting a legitimate app than getting a random APK file off the internet.
AppVerifier is an app by one of our app developers that lets you check the signing certificate hashes of an app. You can compare the signing hash with one the developer publishes with your own install to validate you have an authentic package. #GrapheneOS will eventually add this as a UI feature (e.g. in the install dialog) in the later future to not necessitate having an additional app.
This information is heavily used to verify apps in an Alpha build app store called Accrescent which we'd like other app store apps to follow the model of. I will explain further about the workings of it later.
Other app stores like F-Droid and recently Google Play compile the apps and/or sign them. The former only allowing own signings certificates if there is reproducible builds (a minimal amount). This is problematic, as it adds an additional trusted party. Apps should be exclusively signed by developers as a compromise of a shared signing certificate means a pwn of every app using that certificate. It also makes updates impossible should the apps be exited from the app store or if you want to get from another source. It is even more telling as F-Droid builds apps on extremely old infrastructure that missed features from processors added in the late 2000s - early 2010s.
Replies (23)
And on the
@Zapstore, the nostr keys for the developer are used. The social graph can be used to trust other devs.
As far as I am aware, that is to do with the listing of the app on Zapstore itself? The app certificates are separate mechanism to it? A social graph can't really help an emerging, anonymous developer so I'd like to see more app listings by developers encouraged rather than mirrors. Big reason I haven't touched Ashigaru much yet. Having an identity provider like Nostr allows an account system with a form or accountability where malicious or compromised apps could then be warned or removed.
if I could filter app listings that are signed only by their app developer in the future that would be a plus. I am only using Zapstore for Nostr related apps whose listings are signed by the app's developers at the moment. I do like that the UI shows the certificate hash, so it helps to update apps. I would still want to check directly for first installs.
The remaining GrapheneOS team said they'd look into what could be suggested for Zapstore in the future. I am very busy to do this alone, nor to get all the information on the app. I'm also aware there's a big overhaul going around so I think now wouldn't be good timing.
Regarding getting the team looking into it I would also need to explain Nostr further as they don't know. It is a given but things to do with Nostr aren't ever going to be bundled in GrapheneOS. No third-party apps or services.
I also am not going to campaign for Nostr as a thing GrapheneOS to adopt at scale, it's strictly a mobile security project and I see them as very different things that users of both can have quite similar goals with, but many separately. Same justification we don't make anything crypto. Not everything must be Nostr-fied and having an app ecosystem users can choose to install is perfect as is for me.
There's a lot of room for error with normies and Nostr just like cryptocurrencies. We still have people self-custodying millions of dollars on their phone and getting pwned. Solution made, now needs to be useable. Many in the GrapheneOS channel space not so interested in Nostr social media but White Noise and Keychat yes.
@franzap is your man. Would love to a tighter integration.
Correct, it is fully independent from the app signing key. Maybe we can connect the two somehow.
@franzap is the creator there and can help you clarify how it works for other folks. But basically, it is web of trust for listings. Better than KYCing devs, IMO.
Don't force it. People should see the need for nostr before trying to do anything here. In some circles, the way to sell it is by saying the nostr is the PGP that caugh on.
I don't think it would be possible unless the app store pins an npub to a signing key or group of signing keys. Other npubs couldn't then pin the same. I am concerned this approach may be primitive and I just thought of this as I saw your reply. Would have to brainstorm.
My assumptions are exact on how Zapstore works then.
We seriously need more online identity layers not reliant on a KYC'd or centralised platform, but they'll always be used because they can be recovered and their login mechanisms are undeniably far more secure. It's a trade off but I guess it's worth it in this space.
When an npub is pwned it is pwned for life. No account recoveries, no password resets, nothing... A passphrase derivation for npubs could solve some issues but still a provider would need to set up their own account system to provide 2FA to prevent a phishing attack. Google SSO may not be so private but it is extremely secure if your account is...
Bunkers or signer apps like Amber may alleviate concerns but then you're entirely reliant on your device's security.
PGP is a utility for encryption / signing people tried to adopt as an identity but never could because it never designed to be. It is primitive and obsolete. Tools like age, signify and kryptor solve PGP by being a far more useable encryption / signing utility. Systems like Nostr and anything to compete against it solved having a cryptographic online identity.
I have mostly recommended to avoid the social media side of it. Look at Nostr in a simplest form: a keypair as an identity.
I agree with avoiding the social media part, but not the social graph. That's the difference between pgp and nostr: the graph of people signing on top of each other. In other words, every Twitter thread is a different blockchain.
Yes. I just mean strictly a social media is something I avoid when describing nostr. Social graph falls more under identity for me since you can have this same social graph system on other identity providers too, for example a federated social media's instance admins trusting admins of other instances to federate. Nostr at least can split this down to an individual level rather than a single authority that individual trusts to trust on their behalf.
A lot of users in channels in our space think Nostr is just "Bitcoin Bro Twitter", and some call npubs an account, which isn't exact. I don't blame them.
Nostr as a social media reminds me of a hyper-accelerated Twitter. Where Facebook is mostly between a friend circle, Twitter was far more out in the open, Nostr as a social media just expands that IMO.
We have a very private space so people who want privacy wouldn't really use Nostr at all, they'd use a centralised social media they can private and lock posts to just people they want... Bluesky provides tons of restrictions on that.
* I don't blame them since it's very different from what they are used to.
Yeah, I wouldn't call that privacy, though. It's just the human need to control each other. People love that and most normies think they need or want that. It takes a while to convince them otherwise.
I've had the idea of using pgp as 2fa for nostr
One of the underrated (and under developed) features of zapstore is that regular users can sign and recommend the application of another developer. This way even anonymous devs can get some reach if they lobby known npubs to endorse them. "At least we're all in the same boat if its malware."
Where can I download App Verifier?
I just checked F-droid and its not there
Thank you
nevent1qvzqqqqqqypzpwleyw4fy3sxt7yvgrran0mpenxqlululur94r9jlax0hd3q3rc7qywhwumn8ghj7mn0wd68ytnzd96xxmmfdejhytnnda3kjctv9uq32amnwvaz7tmjv4kxz7fwv3sk6atn9e5k7tcqyzp5dmfy8deqnad6eq28q2dzdgg7px7tz7sa3dntfl8gudu9cxjcz2ep02u
I'm looking forward to FROST/multisig for Nostr.
We might not be there yet but we are going to surpass the security of Google SSO.
Thank you Final. I will be in touch when I feel Zapstore has a more solid pitch for Graphene, and I will be seeking feedback from there
The AppVerifier TOFU UX is subpar in my opinion (better than PGP though).
Zapstore aims to improve on this, add malware/privacy checks, reproducibility attestations and more. As well as discovery and monetization - two big issues for open source developers in particular.
Based on what you are telling me this is a good start. I would need to read Nostr spec further. I understand Nostr, for the most part, just on a surface level.
