Hans-Christoph Steiner 67b9514c5a update: strip EXIF data from all JPEGs
EXIF data can be abused to exploit systems a lot easier than the JPEG image
data can.  The F-Droid ecosystem does not use the EXIF data, so keep things
safe and strip it all away.  There is a chance that some images might rely
on the rotation to be set by EXIF, but I think having a safe system is more
important.

If needed, only the rotation data could be saved.  But that then makes it
hard to tell which images have been stripped.  This way, if there is no
EXIF, it has been stripped.  And if there is EXIF data, then it is suspect.

https://securityaffairs.co/wordpress/51043/mobile-2/android-cve-2016-3862-flaw.html
https://threatpost.com/google-shuts-down-potentially-massive-android-bug/120393/
https://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html

The big downside of this is that it decompresses and recompresses the
image data.  That should be replaced by a technique from jhead,
exiftool, ObscuraCam, etc. that only strips the metadata.
2017-12-14 16:57:22 +01:00
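
The metadata-only stripping that the commit message names as the preferred replacement can be done by walking the JPEG marker segments and dropping APP1/Exif segments, so the compressed scan data is never decoded or re-encoded. This is an added example, not fdroidserver's code nor the jhead, exiftool or ObscuraCam implementation; the function names and the SAMPLE bytes are constructed for illustration.

```python
EXIF_ID = b"Exif\x00\x00"                # identifier that opens an APP1 Exif payload
STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RSTn markers carry no length field

def segments(jpeg):
    """Yield (marker, start, end) per segment; the SOS entry runs to end of file."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xFF:               # fill byte in front of a marker
            pos += 1
            continue
        if marker == 0xDA:               # SOS: entropy-coded data follows, do not parse it
            yield marker, pos, len(jpeg)
            return
        if marker == 0xD9 or marker in STANDALONE:
            end = pos + 2
        else:
            length = int.from_bytes(jpeg[pos + 2:pos + 4], "big")
            end = pos + 2 + length
            if length < 2 or end > len(jpeg):
                raise ValueError("bad segment length at offset %d" % pos)
        yield marker, pos, end
        if marker == 0xD9:               # EOI before any scan data
            return
        pos = end
    raise ValueError("truncated JPEG: no SOS or EOI marker")

def is_exif(jpeg, marker, start):
    # APP1 is shared with XMP; only payloads opening with the Exif identifier count.
    return marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_ID

def has_exif(jpeg):
    return any(is_exif(jpeg, m, s) for m, s, _ in segments(jpeg))

def strip_exif(jpeg):
    """Drop Exif segments; every other byte, including scan data, is copied as-is."""
    kept = [jpeg[s:e] for m, s, e in segments(jpeg) if not is_exif(jpeg, m, s)]
    return b"\xff\xd8" + b"".join(kept)

def _seg(marker, payload):               # helper for the constructed sample below
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload
# Constructed sample: structurally valid segments, not a decodable picture.
SCAN = _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\x00\x56\xff\xd9"
SAMPLE = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _seg(0xE1, EXIF_ID + b"MM\x00\x2a\x00\x00\x00\x08\x00\x00")
          + _seg(0xDB, bytes(65)) + SCAN)
```

`has_exif()` gives the check the message describes: after stripping it returns False, so any image in the repo for which it returns True has not been processed and is suspect.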


F-Droid Server

Server for F-Droid, the Free Software repository system for Android.

The F-Droid server tools provide various scripts and tools that are used to maintain the main F-Droid application repository. You can use these same tools to create your own additional or alternative repository for publishing, or to assist in creating, testing and submitting metadata to the main repository.

For documentation, please see https://f-droid.org/docs/, or you can find the source for the documentation in fdroid/fdroid-website.

What is F-Droid?

F-Droid is an installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform. The client makes it easy to browse, install, and keep track of updates on your device.

Installing

There are many ways to install fdroidserver; they are documented on the website: https://f-droid.org/docs/Installing_the_Server_and_Repo_Tools

All sorts of other documentation lives there as well.

Drozer Scanner

There is a new feature under development that can scan any APK in a repo, or any build, using Drozer. Drozer is a dynamic exploit scanner: it runs an app in the emulator and runs known exploits on it.

This setup requires specific versions of two Python modules: docker-py 1.9.0 and requests older than 2.11. Other versions might cause the docker-py connection to break with the containers. Newer versions of docker-py might have this fixed already.

For Debian-based distributions:

apt-get install libffi-dev libssl-dev python-docker

Translation

Everything can be translated. See Translation and Localization for more info.
