F-Droid will have to be marked with a warning dialog in GrapheneOS explaining the cross-profile install conflicts it causes, which place a substantial support burden on us, security issues with their builds, infra and app, and the very misleading, inaccurate permission listings.
They won't fix these problems, and many of our users are using F-Droid. This creates major security issues for our users which they will not address, along with a massive support burden on us where many new users run into the conflicts caused across profiles from app id misuse.
Very normal for a new GrapheneOS user to install F-Droid, use their main profile, then attempt to install F-Droid in a 2nd user. This doesn't work due to them not updating the download link. We think they're refusing to fix this out of spite towards OSes not bundling F-Droid...
Any number of profiles can have the same app installed. F-Droid is reusing app ids for different apps, which is not supposed to be done, and causes conflicts, since apks are shared across profiles with the apps installed and key pinning / downgrade protection is applied globally.
Oh, 2 different problems. Which app ids are being reused? Like the Play Store version of the app and the F-Droid version have the same id?
Yes, or the developer's variant of the app they published outside the Play Store. This is not supposed to be done when apps are different build variants or have different signing keys. The app id is supposed to be unique to each published build variant or you get conflicts.
If you published 2 build variants of an app yourself with the same app id, then installing the 1st variant in one profile and then the 2nd variant in another would replace the 1st variant globally. App ids are meant to be globally unique identifiers for the build variant of apps.
You are supposed to use a reverse domain name as the prefix of your app identifier. You are supposed to own that domain. If you fork / modify another project, you're supposed to change the app id to a reverse domain of a domain that you own. It's mostly an under the hood thing.
It is user facing in several places. Play Store on the web shows it as the URL for the application page. Settings app shows the app id too. It's in multiple other places too, but it's mostly an under the hood unique identifier for an app. It's how the OS identifies app packages.
If you try to install an older release of an app, meaning installing a package or set of packages (split apks) with a lower versionCode and the same app id, you get an error from the downgrade prevention, which is both an important security and data corruption prevention feature.
If you try to install an app with the same app id as one you have installed in any profile which has a mismatched signing key NOT authorized by the original key via a key rotation proof, you get a signature validation error explaining that the signing key is mismatched.
The downgrade protection error could be improved by making it describe the specific problem. Signing key mismatch already has a specific error that's worded properly in AOSP, but it's still confusing when you don't realize what F-Droid is doing and think devs publish their apps on it.
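A constructed Python model (added here, not code from the thread or from AOSP) of the global package state the replies describe: one record per app id shared by every profile, the signing key pinned to the first install unless a rotation proof covers it, and a lower versionCode refused whichever profile asks. Result names mirror AOSP's PackageManager codes; app ids other than the F-Droid client's and the certificate names are placeholders.

```python
from dataclasses import dataclass, field

# Result codes named after the real PackageManager constants.
INSTALL_SUCCEEDED = "INSTALL_SUCCEEDED"
INSTALL_FAILED_VERSION_DOWNGRADE = "INSTALL_FAILED_VERSION_DOWNGRADE"
INSTALL_FAILED_UPDATE_INCOMPATIBLE = "INSTALL_FAILED_UPDATE_INCOMPATIBLE"


@dataclass
class Apk:
    app_id: str          # reverse-domain identifier, e.g. "org.example.app"
    version_code: int
    signer: str          # placeholder for the signing certificate fingerprint
    lineage: tuple = ()  # older signers this certificate proves rotation from


@dataclass
class Installed:
    apk: Apk
    profiles: set = field(default_factory=set)  # profiles that have it installed


class DeviceState:
    """Simplified model: package records are device-wide, not per profile."""

    def __init__(self):
        self.packages = {}  # app_id -> Installed, shared across all profiles

    def install(self, profile, apk):
        current = self.packages.get(apk.app_id)
        if current is None:
            self.packages[apk.app_id] = Installed(apk, {profile})
            return INSTALL_SUCCEEDED
        old = current.apk
        # Key pinning: the signer must match, or carry a rotation proof from it.
        if apk.signer != old.signer and old.signer not in apk.lineage:
            return INSTALL_FAILED_UPDATE_INCOMPATIBLE
        # Downgrade protection is global; the requesting profile is irrelevant.
        if apk.version_code < old.version_code:
            return INSTALL_FAILED_VERSION_DOWNGRADE
        # Same or newer version: the shared APK is replaced for every profile.
        current.apk = apk
        current.profiles.add(profile)
        return INSTALL_SUCCEEDED


def cross_profile_scenario():
    """Constructed replay of the two failures described in the thread."""
    dev, results = DeviceState(), []
    results.append(dev.install(0, Apk("org.example.app", 5, "dev-cert")))      # owner profile, dev build
    results.append(dev.install(10, Apk("org.example.app", 5, "fdroid-cert")))  # 2nd profile, F-Droid build
    results.append(dev.install(0, Apk("org.fdroid.fdroid", 1016, "fdroid-cert")))  # up-to-date client
    results.append(dev.install(10, Apk("org.fdroid.fdroid", 1015, "fdroid-cert")))  # stale link, older versionCode
    return results
```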