Notes on the F-Droid security warning

Posted by Matthew Wild on December 8 2022

Update 2022-12-11: A new update (2.10.3) has been published, and the security warning should clear after installing this update.

Snikket Android users who installed the app via F-Droid may receive a warning from F-Droid telling them that the app has a vulnerability and that they “recommend uninstalling immediately”. First of all - don’t panic! This is an over-simplified generic warning that sounds alarming, but the actual situation is not quite so serious and has an explanation. Here goes…

How F-Droid works

When an app is developed and ready for release, it must be compiled and built, to produce the final app file (e.g. APK) that can be installed on devices.

Most app stores let developers upload their built apps. For example, we build the Snikket app on our build servers and then upload it to Google Play.

However, F-Droid is different. Instead of accepting ready-built apps from developers, they instead download the app’s source code and build it themselves. This has a number of advantages: you can be sure that every app in F-Droid has source available, and (as long as you trust the F-Droid folk and systems), you know the app you install matches exactly the published source code and hasn’t got any surprises.

WebRTC woes

The Snikket app, along with many other apps supporting audio/video calls on Android, depends on an open-source WebRTC component developed by Google as part of the Chromium project.

However, building the WebRTC component is not trivial. It requires a lot of system resources, downloading many gigabytes of source code, and the process uses some Google-specific build tools.

Rather than attempt to build WebRTC from source, the F-Droid build process has historically pulled in third-party pre-built versions of the library from other sources. Originally these builds came from Google’s Maven repository, but Google announced some time ago that they would no longer publish new WebRTC builds (the source code continues to be available and updated, of course). Many F-Droid apps have remained stuck on an old version of WebRTC as a result, and the F-Droid project has remained without the resources needed to build WebRTC reproducibly from scratch as part of their usual build pipelines.

In August 2022, a lot of apps in F-Droid were switched to a newer (but still third-party) build of WebRTC, published by the Threema developers. Unfortunately, this build is patched and optimized for Threema’s usage of WebRTC in their app. As a result, their build has poor interoperability with software and services in the XMPP ecosystem, including the popular JMP service. When asked if they would consider tweaking their build to improve interoperability they (quite reasonably) declined, stating that the build is really only intended for their own app.
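A quick way to see which apps ship the same third-party WebRTC build, as an added example that is not Snikket or F-Droid code: it hashes the WebRTC native library bundled in each APK and groups apps by that digest, so a warning about one prebuilt blob can be traced to every app bundling it. It assumes Android WebRTC builds ship their JNI library as libjingle_peerconnection_so.so under lib/<abi>/, and uses constructed in-memory zips in place of real APKs.

```python
import hashlib
import io
import zipfile
from collections import defaultdict

# Assumption: Android WebRTC builds ship their JNI code under this file name.
WEBRTC_LIB = "libjingle_peerconnection_so.so"

def webrtc_libs(apk_bytes):
    """Return {abi: sha256 hex digest} for every bundled WebRTC native library.
    An APK is a zip file; native code lives under lib/<abi>/<name>.so."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if len(parts) == 3 and parts[0] == "lib" and parts[2] == WEBRTC_LIB:
                found[parts[1]] = hashlib.sha256(zf.read(name)).hexdigest()
    return found

def shared_builds(apks):
    """Map each distinct library digest to the sorted list of apps shipping it.
    Apps that pulled in the same third-party prebuilt blob land in one group,
    so a warning about that blob can be traced to every app bundling it."""
    groups = defaultdict(set)
    for app, data in apks.items():
        for digest in webrtc_libs(data).values():
            groups[digest].add(app)
    return {d: sorted(apps) for d, apps in groups.items()}

def make_apk(entries):
    """Build a minimal zip standing in for an APK (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: A and B bundle the same prebuilt blob, C a different
# one, D ships no WebRTC library at all.
SAMPLE_APKS = {
    "app-a": make_apk({f"lib/arm64-v8a/{WEBRTC_LIB}": b"prebuilt-1"}),
    "app-b": make_apk({f"lib/arm64-v8a/{WEBRTC_LIB}": b"prebuilt-1",
                       f"lib/armeabi-v7a/{WEBRTC_LIB}": b"prebuilt-1-32bit"}),
    "app-c": make_apk({f"lib/arm64-v8a/{WEBRTC_LIB}": b"prebuilt-2"}),
    "app-d": make_apk({"classes.dex": b"", "lib/arm64-v8a/libother.so": b"x"}),
}

if __name__ == "__main__":
    for digest, apps in shared_builds(SAMPLE_APKS).items():
        print(digest[:12], apps)
```

Point the same functions at real APK files (read as bytes) to compare what different F-Droid apps actually bundle.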

Meanwhile, WebRTC is a complex and widely-used component. Security researchers have found multiple vulnerabilities. However, WebRTC is technically developed as part of the Chromium web browser project (the open-source version of Google Chrome), and this is the context in which most of the vulnerabilities have been discovered and reported. Chromium exposes the WebRTC API to every web page you visit, while the usage of WebRTC in mobile apps such as Snikket is significantly more restricted.

While it’s not ideal to be using an old version of WebRTC, we are at this time unaware of any security issues in the build that F-Droid is using that would impact Snikket and the way it uses WebRTC. F-Droid’s security warning has been added to a wide range of apps using WebRTC as a precaution (not just Snikket), but at no point has any of these apps been confirmed to be specifically vulnerable to any of the issues.

Tip: WebRTC is generally a complex component. If you do have any concerns about WebRTC security (in Snikket or any mobile app) and believe you may be specifically targeted, we recommend not answering unexpected calls from strangers. Although we are not aware of any existing issues, past issues have generally required you to accept a call from a malicious party before any exploit can take place. Therefore any attacker would first need to know your Snikket address and rely on you accepting their call.

What can you do?

We’re actually close to finally resolving the issue, with the co-operation of F-Droid contributors, and are hoping we can get an update to Snikket (and other apps in the same situation with WebRTC) published by F-Droid very soon.

In the meantime, you have the following options:

  1. Simply press ‘Ignore’ on F-Droid’s warning for now, and wait for their builds to be fixed. This is the recommended course of action for most existing F-Droid users.

  2. Alternatively, switch to builds provided by us, using Google Play or Aurora store. These are built with a modern WebRTC version. Note that these builds also include libraries from Google to support push notifications. If you are running a pure “de-Googled” Android variant, you won’t want these builds and they may not work correctly on such devices anyway.

As a third option, we’re looking into setting up our own F-Droid repository where we would be able to publish our own official FOSS builds with a modern WebRTC version. This is not currently available, but we’ll be sure to announce it here and on our social media when it’s ready.

Conclusion

We greatly value the role F-Droid plays in mobile app distribution and security on Android. We still believe that it is generally the best way for most users who care about open-source values to install apps on their devices.

However, in this case an ongoing issue with their build processes and policies has turned into an unnecessarily alarming recommendation to uninstall the app without sufficient explanation to users.

We’ll continue working with F-Droid to resolve the issue for Snikket and all the other apps affected, and are looking forward to sharing news of updated builds with you soon!

Update: The good news is here!