Can Blokada confirm that the suspicious release from F-Droid wasn't dangerous?

I was one of the members to file a bug since an update on F-Droid to Blokada 5 (v22.3.8) started popping up messages saying “Private DNS was set” even though that setting wasn’t enabled on the phone. The community manager or a Blokada team member posted in the press section saying it was not a “reliable” update from F-Droid and that they didn’t post that update to F-Droid.
How can a third party issue an update on their behalf on F-Droid? Has their distribution channel on F-Droid been compromised? Can Blokada comment on whether the update pushed via F-Droid was malicious in any nature? The update has been running on my phone since that F-Droid update was pushed, and I only just reinstalled it from their website after their community announcement.
I call on Blokada to provide more details on this incident, since this is a serious breach of trust.


Hi, we already checked the APK that was shared and there was no malicious activity in it.

Many websites share the Blokada APK without our approval; we are still investigating how we could delete the version there or at least replace it with the original version.

The purpose of the announcement was to let everybody know that “the solution to the error message from F-droid is to download the original update”

Meanwhile, please only download Blokada from our website.


Good to know it was harmless. Thanks! Could you explain how the F-Droid distribution works? Is the Blokada team behind the F-Droid releases? How could an update be released without the Blokada team’s consent?

I agree with argus here. Blokada used to distribute via F-Droid themselves and was even involved in discussions regarding wanted or unwanted features inside the software. So it used to be a distribution mode that Blokada itself was using. It is therefore highly unlikely that a third party used your keys to distribute the update on F-Droid. Please give us an explanation as to what happened there and what parts of the APK on F-Droid were altered compared to your own versions. We need to know whether our traffic was subject to any bad actors…

One more reason to provide your own F-Droid repo, or an in-app updater, or at least a notification if there is a new update. I, and I think many users, will find it tedious to manually check for updates.
App stores make sense as the updates are available in a timely manner and automatically. However, not everybody wants to be dependent on the Google Play Store, and I guess this is the case for many users of Blokada.


That’s happening already with the website version. F-Droid has been deprecated for the time being until we’ve either started our own repo or moved away from it completely.

Thanks, I am going to try the website build, although I still would prefer an F-Droid repository.

Edit: Wait, Blokada 6 is only available on Google Play!?

This was a bit unexpected for me as well.
Here you can see the change that was made on F-Droid: blokada: 22.3.8 (f325ad20) · Commits · F-Droid / Data · GitLab
It appears nothing malicious was embedded in this release; however, it triggered a new kind of bug at startup, since it hadn’t been tested by Blokada at all.

So it appears that any random guy can submit changes (including editing the source code and behavior) to any app hosted on F-Droid without any kind of approval. While it probably was done with good intentions, to make the latest version available, and was hopefully reviewed somewhat by F-Droid maintainers, it is also scary that this is even possible. You can’t really trust that “the source” that an app links to is truly what you’re installing.

What’s even more interesting is that previous attempts by Blokada to satisfy new requirements were denied. But a random guy can get a pass.

This behavior doesn’t exactly add anything to my confidence in supporting F-Droid as a platform for Blokada in the future. I believe most users expect apps to be signed by the author of the app, and not modified at will by the app store you download them from.


Why not? Blokada is open source (MPL), isn’t it? Without reading through the whole license, I don’t think it would be a problem for me to distribute it in binary form (meaning providing the APK). This is how it works. Under Linux it is the normal way. For most of the distributions out there, volunteers take care of software packages and make them available for their users.

F-Droid is not that different for Android.

Not speaking for F-Droid or Blokada, but certainly not! F-Droid has a strict inclusion policy, and personally I trust it more than the Play Store. There will never be malicious additions. On the contrary, the policy e.g. prevents the addition of apps tracking the user, etc. Also, they build it from the original code, and all the dependencies from source.

The only thing is that their build triggered a bug which is not in the original version distributed by Blokada itself. This is unfortunate, but surely it can be fixed.

Although you use words like “good intentions” and “hopefully reviewed”, this seems a bit hostile to me.
Additionally, the contributor is not just a random guy. Just take a look at the commit history and you will find regular contributions of linsui to the repository. Not just every random guy can commit additions/updates to F-Droid. I am pretty sure that only trusted project members are allowed to do so. In the end it is all about trust. I also have to trust the Blokada team that I can safely use it. The same as with all other software.

I see you didn’t have the best experience with F-Droid in the past regarding their inclusion criteria, but maybe you guys can talk to each other again and find a solution.

If you really don’t like that F-Droid is publishing your software I am pretty sure they will remove it if you insist.

Then, however, I hope you provide a solution for Blokada 6 outside of the Play Store that guarantees timely and automatic updates. I think we are past the time where one has to manually check for updates, and download and install them by hand.

