client should scan APKs for "Master Key" exploits before installing

It turns out that "Master Key" exploits follow a pretty easy pattern to spot: multiple files in a ZIP/JAR with the exact same name. Perhaps some other key exploits are also similarly easy to spot. In any case, fdroidclient can check APKs before installing them to make sure that they don't contain exploits.

Here's some example code:

• http://www.saurik.com/id/17
• http://gitweb.saurik.com/backport.git

More details are available at this issue.

more example code here: https://github.com/robertmillan/mkbreak

What would we do if we find a pattern that matches those exploits? I'm thinking:

• Should we just warn the user, or also prevent him from installing the APK altogether?
• Following up on that last point, do these patterns ever occur in safe APKs? In other words, are there ever false positives?
• Do all exploited APKs show this pattern? By which I mean, could we say that F-Droid is "safe" from Master Key exploits?

Added ~18502 label

mentioned in issue #411

assigned to @eighthave

changed milestone to %1.0

marked this issue as related to #1070 (closed)

@pserwylo What about if F-Droid scans the installed apps and sticks KnownVuln info in the InstalledAppProvider? Does that seem feasible now? The actual scanning part is easy, the question is: how hard would it be to display the KnownVuln prompt in the Updates tab for apps were not installed via F-Droid, and are not even included in the current metadata?

added bazaar label

changed milestone to %1.1