F-Droid security update

Posted by Matthew Wild on December 11 2022

Last week, Snikket Android users who installed the Snikket app via F-Droid started receiving a warning that it contained a security vulnerability. This wasn’t entirely accurate, as the problem wasn’t with the Snikket app itself but specifically F-Droid’s own build of the app that was using an outdated version of the WebRTC library.

As of today, F-Droid have published a new build (2.10.3) of the Snikket app that now uses an up-to-date version of the WebRTC component. The new WebRTC was built by us and published to Maven Central, one of the sources that F-Droid trusts for certain pre-built dependencies.

Like many communication apps, Snikket uses WebRTC for audio and video calls. We’ve been working on finding a way for F-Droid to build Snikket with a more up-to-date version of the WebRTC library that meets the constraints of their build processes and policies. We’re happy that this work has paid off!

We’d like to thank Licaon_Kter from F-Droid for support and guidance in finding a suitable resolution to the problem. Also thanks to Danilo Bargen from Threema, who worked on incorporating Threema’s existing WebRTC build scripts into a project publishing plain unmodified builds of the library. Our own WebRTC build process has been derived from these projects.

We’ve confirmed that our new WebRTC build will also be adopted by upcoming builds of the Conversations and Cheogram apps in F-Droid, and it is also available to any other XMPP app that would prefer to use it instead of using Threema’s patched version or maintaining their own.

There is likely to be more work in this area in the future. In the long term, the ideal solution will be F-Droid building WebRTC themselves, as they do with the apps that they publish. However, this requires resources - both technical expertise and computing power. If it sounds like something you could help the F-Droid team with, check out this issue for more information or to follow along on their progress.

Finally, this positive news goes further than just resolving the security warning. The older version of WebRTC that F-Droid was using for Snikket builds was adding some friction that prevented us from easily merging new changes from Conversations (the upstream project for the Snikket Android app). With a new WebRTC in place, it will now be much easier to regularly synchronize the Snikket app with all the new improvements in Conversations once again.

(P.S. Did you know that the Conversations project recently announced funding from NLnet to support Conversations 3.0, a major new milestone in the project’s development - we’re super excited!)

We’ll be sure to share details of new updates here in the future. Meanwhile, if you’re using Snikket F-Droid… go update! :)