
Android: Secure Gradle download against MITM #2374

Open
@ann0see

Description


Describe the bug
The Android Gradle download (?) doesn’t seem to be verified:
FDroid Bot tells us the following:

gradle/wrapper/gradle-wrapper.properties is missing distributionSha256Sum.

This means that the gradle download is not verified.

We recommend explicitly setting the expected Sha256sum to protect you and your apps if a bad actor gets access to the Gradle servers or manages to MitM your internet connection.

Please note that Android Studio does not currently support this and may or may not crash, but we suggest you try our suggestion anyway to improve the security of yourself and your app.

Here is an example of how to fix this:

#Mon Aug 03 13:45:58 PDT 2020
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
distributionUrl=https\://services.gradle.org/distributions/gradle-6.1.1-all.zip
distributionSha256Sum=10065868c78f1207afb3a92176f99a37d753a513dff453abb6b5cceda4058cda

Additional context

See this comment on GitLab for more information: https://gitlab.com/fdroid/rfp/-/issues/2011#note_837630418

Next steps:

  • Include the proposed fix in the repo (I don’t know the Android build enough to judge if this has any negative impact).
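As an added example (not code from this issue or from the project), a small Python check in the spirit of the F-Droid bot's lint: it parses gradle-wrapper.properties, reports a missing or malformed distributionSha256Sum, writes the pin from a locally checked archive, and compares a downloaded archive against the pinned sum. The wrapper file contents and the archive bytes are constructed inline; in real use the archive is the zip named by distributionUrl.

```python
# Added example, not code from the issue or the project: a CI-style check for
# gradle/wrapper/gradle-wrapper.properties modelled on the F-Droid bot's lint.
import hashlib
import re

# Constructed sample: an unpinned wrapper file, with the URL escaped as Gradle writes it.
UNPINNED = """#Mon Aug 03 13:45:58 PDT 2020
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\\://services.gradle.org/distributions/gradle-6.1.1-all.zip
"""
# Constructed stand-in for the downloaded distribution zip, not a real Gradle archive.
SAMPLE_ARCHIVE = b"constructed stand-in for gradle-6.1.1-all.zip"


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: skip comments and blanks, unescape '\\:'."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip().replace("\\:", ":")
    return props


def check_wrapper(text: str) -> list:
    """Return findings; an empty list means the download is pinned and uses HTTPS."""
    props = parse_properties(text)
    findings = []
    if not props.get("distributionUrl", "").startswith("https://"):
        findings.append("distributionUrl is not an https URL")
    digest = props.get("distributionSha256Sum")
    if digest is None:
        findings.append("missing distributionSha256Sum")
    elif not re.fullmatch(r"[0-9a-f]{64}", digest.lower()):
        findings.append("distributionSha256Sum is not a 64-character hex SHA-256")
    return findings


def pin_distribution(text: str, archive: bytes) -> str:
    """Write the SHA-256 of a locally checked archive into the file as distributionSha256Sum."""
    kept = [l for l in text.splitlines() if not l.startswith("distributionSha256Sum=")]
    pin = f"distributionSha256Sum={hashlib.sha256(archive).hexdigest()}"
    return "\n".join(kept + [pin]) + "\n"


def verify_distribution(text: str, archive: bytes) -> bool:
    """True only if the file pins a sum and the archive's SHA-256 matches it exactly."""
    expected = parse_properties(text).get("distributionSha256Sum", "").lower()
    return bool(expected) and hashlib.sha256(archive).hexdigest() == expected
```

Running check_wrapper over the project's real wrapper file in CI reproduces the bot's finding, and verify_distribution on the archive Gradle actually fetched is the same comparison the wrapper performs once the property is set.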

Labels: bug (Something isn't working), tooling (Changes to the automated build system)