[tor-bugs] #26528 [Applications/Tor Browser]: App stores should not be allowed to use UpdateService

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jun 27 15:41:25 UTC 2018


#26528: App stores should not be allowed to use UpdateService
--------------------------------------+------------------------------
 Reporter:  igt0                      |          Owner:  tbb-team
     Type:  task                      |         Status:  needs_review
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-mobile                |  Actual Points:
Parent ID:  #26242                    |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+------------------------------

Comment (by sysrqb):

 Nice. We'll want a different name than `INSTALLER_ORFOX`, and I think
 we'll need our own f-droid repository, too. The Guardian Project run their
 own repo, but I don't remember the specific reasons why the main f-droid
 repo won't accept their apps.

 I thought about disabling using a different method by excluding the
 updater at compile-time. Unfortunately, this results in different APKs
 [0]. It's conditionally included using an environment variable.

 {{{
 if [ -z "${TB_BUILD_WITH_UPDATER}" ]; then
 # Because Google Play will likely be the primary distribution medium,
 # we disable updating and rely on Google Play by default. The
 # Developer Policy explicitly prohibits in-app updating:
 #    An app distributed via Google Play may not modify, replace, or
 #    update itself using any method other than Google Plays update
 #    mechanism.
 # https://play.google.com/about/privacy-security-deception/malicious-
 behavior/

     ac_add_options --disable-tor-browser-update
     ac_add_options --disable-signmar
     ac_add_options --disable-verify-mar
 fi
 }}}

 [0] https://gitweb.torproject.org/user/sysrqb/tor-browser.git/tree
 /.mozconfig-android?h=tor-browser-60.1.0esr-8.0-1%2b26401#n22

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26528#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list