F-Droid is an installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform.

Conducted by Cure53, this test against several components of the FDroid application service compound occurred in January 2015.

The scope of this project was particularly broad, since the assignment covered a server-side implementation (composed in Python), an Android app, and a WordPress Plugin (written in PHP). In addition, a majority of services offered on the FDroid website were also examined.

Importantly, many issues discovered during this test and marked as ‘Critical’ and ‘High’ in severity were caused by an overly large amount of trust put into the user-submitted APKs and connected repositories. Once an attacker has control over one of APK or repository, the command injections almost inevitably follow. Right then and there it is possible for the attacker to take over the affected machines and spread the attack onto other devices and phones. Consequently, the aforementioned issues should be treated with a sense of urgency, and the possibility of this particular pathway of exploitation should be promptly eliminated. Other problems spotted during the test entail classic web security problems – for instance XSS1. Further, several bypasses for the XSS filter of the MediaWiki software were spotted and should be reported to their respective maintainers.

The full audit and summary of findings can be found below.

F-Droid Penetration Test (2015)