With F-Droid, we have been working towards getting a complete app distribution channel that is able to reproducibly build each Android app from source. while this may sound like a mundane detail, it does provide lots of tangible benefits. First, it means that anyone can verify that the app that they are using is 100% built from the source code, with nothing else added. That verifies that the app is indeed 100% free, open source software.
It also verifies that there have not been any malicious bits of code added into the app during the build process. As has been demonstrated in the 31c3 Reproducible Builds talk, just flipping a single bit is enough to create a usable exploit in an app.
The F-Droid project is leading the way with its system for publishing verified builds. We know have our first full example, building upon our previous work with making Lil’ Debi build reproducibly. We started with our simple little utility app Checkey since it has few moving parts (first get one working, then the rest).
When you download Checkey from f-droid.org, you will get an APK that was signed using the official Guardian Project offline signing key that was built by f-droid.org. No, we did not give them a copy of our key, instead, the fdroid publish process now looks for the Binaries: tag in the build recipe. If it sees that, it downloads that APK, then builds the app from source, then checks to make sure that they match using a simple diff of the APK contents and by checking that the signature on the official APK also validates on the APK that f-droid.org built.
Now that we have our little Checkey working, we can work towards getting all of our apps verifying in the same way, eliminating a whole field of exploits that we have to worry about. You can follow the progress of this work on the F-Droid wiki Reproducible Builds page, and learn about a future application of it on the Verification Server page.
The next two apps that are in the reproducible pipeline are LEAP‘s Bitmask and our LocationPrivacy.