F-Droid Fake Signer PoC

The article presents the F-Droid Fake Signer Proof of Concept (PoC), which bypasses the certificate pinning that fdroidserver performs on APKs. The author highlights discrepancies between how Android's APK Signature Scheme v2/v3 verification selects and validates signer certificates and how fdroidserver's own code does it; because fdroidserver decides which signing certificate to pin on the basis of its own parsing rather than Android's, any such discrepancy is a security hazard. The PoC demonstrates an APK for which fdroidserver sees a "fake" certificate while Android sees the legitimate one. A series of updates to the article tracks further variants of the problem and the fdroidserver patches that attempt to address them. The author recommends using the official apksig library instead of reimplementing signature verification, since apksig is the reference implementation and avoids this class of mistake, and warns against using fdroidserver's own implementation without the expertise to understand what it does and does not check.
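As an added illustration (not code from the PoC repository, from fdroidserver or from apksig), the following Python walks the APK Signing Block and the v2 signer structure that both Android and fdroidserver have to parse, and shows one way a verifier can end up reporting a different certificate than the platform: Android's signing identity is the first certificate of every signer, so a verifier that reads a different element of a signer's certificate list, or that trusts a certificate it has not tied to the key that produced the signature, disagrees with Android. The block ID, magic and layout are taken from the APK Signature Scheme v2 specification; the certificate, public key, digest and signature bytes are constructed placeholders, no real signature is computed or checked, and `naive_last_cert_identity` is a hypothetical mistaken verifier, not a description of fdroidserver's code.

```python
import struct

# Constants from the APK Signature Scheme v2 specification.
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A

# Constructed placeholder "certificates" and key (not real DER; hypothetical labels).
LEGIT_CERT = b"DER:legit-developer-cert"
FAKE_CERT = b"DER:extra-cert-in-list"
PUBLIC_KEY = b"SPKI:legit-public-key"


def _lp(data: bytes) -> bytes:
    """uint32 little-endian length prefix + payload, as used throughout the scheme."""
    return struct.pack("<I", len(data)) + data


def _read_lp(buf: bytes, off: int):
    """Read one length-prefixed item at buf[off:], returning (item, next_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("length prefix runs past the buffer")
    return buf[off:off + n], off + n


def _read_lp_sequence(buf: bytes):
    """Split a buffer holding back-to-back length-prefixed items."""
    items, off = [], 0
    while off < len(buf):
        item, off = _read_lp(buf, off)
        items.append(item)
    return items


def build_v2_signer(certs, public_key, digest=b"\x00" * 32, signature=b"\x00" * 64) -> bytes:
    """Encode one v2 signer: lp(signed data) | lp(signatures) | lp(public key).
    Digest and signature bytes are placeholders; nothing is actually signed."""
    algo = struct.pack("<I", 0x0103)  # RSASSA-PKCS1-v1_5 with SHA2-256 (spec ID table)
    digests = _lp(_lp(algo + _lp(digest)))
    certificates = _lp(b"".join(_lp(c) for c in certs))
    signed_data = digests + certificates + _lp(b"")  # empty additional attributes
    signatures = _lp(_lp(algo + _lp(signature)))
    return _lp(signed_data) + signatures + _lp(public_key)


def build_v2_block(signers) -> bytes:
    """v2 block value: length-prefixed sequence of length-prefixed signers."""
    return _lp(b"".join(_lp(s) for s in signers))


def build_signing_block(pairs) -> bytes:
    """APK Signing Block: size | (uint64 len, uint32 id, value)* | size | magic.
    The uint64 size excludes the leading size field itself."""
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC


def parse_signing_block(block: bytes) -> dict:
    """Return {id: value} for the ID-value pairs; the first occurrence of an ID wins
    (apksig also returns the first matching entry)."""
    if not block.endswith(APK_SIG_BLOCK_MAGIC):
        raise ValueError("missing 'APK Sig Block 42' magic")
    (size_head,) = struct.unpack_from("<Q", block, 0)
    (size_tail,) = struct.unpack_from("<Q", block, len(block) - 24)
    if size_head != size_tail or size_head + 8 != len(block):
        raise ValueError("inconsistent APK Signing Block size fields")
    pairs, off, end = {}, 8, len(block) - 24
    while off < end:
        (n,) = struct.unpack_from("<Q", block, off)
        off += 8
        if n < 4 or off + n > end:
            raise ValueError("malformed ID-value pair")
        (block_id,) = struct.unpack_from("<I", block, off)
        pairs.setdefault(block_id, block[off + 4:off + n])
        off += n
    return pairs


def parse_v2_signers(v2_value: bytes):
    """Parse the v2 block into a list of signers, each with its certificate list."""
    signers_blob, off = _read_lp(v2_value, 0)
    if off != len(v2_value):
        raise ValueError("trailing bytes after the signers sequence")
    signers = []
    for raw in _read_lp_sequence(signers_blob):
        signed_data, off = _read_lp(raw, 0)
        signatures, off = _read_lp(raw, off)
        public_key, off = _read_lp(raw, off)
        if off != len(raw):
            raise ValueError("trailing bytes after signer")
        _digests, o = _read_lp(signed_data, 0)
        certificates, o = _read_lp(signed_data, o)
        _attrs, o = _read_lp(signed_data, o)
        certs = _read_lp_sequence(certificates)
        if not certs:
            raise ValueError("signer carries no certificate")
        signers.append({"certs": certs, "public_key": public_key,
                        "signatures": _read_lp_sequence(signatures)})
    return signers


def signing_identity(signers):
    """What Android treats as the APK's signing identity: the FIRST certificate of
    EVERY signer. Later entries are covered by the signature but are not the identity.
    A real verifier must also check each signature over signed_data with public_key and
    that public_key equals the first certificate's SubjectPublicKeyInfo (omitted here)."""
    return [s["certs"][0] for s in signers]


def naive_last_cert_identity(signers):
    """Hypothetical mistaken verifier: picks a different list element than Android."""
    return [s["certs"][-1] for s in signers]


# Constructed block: one signer whose certificate list has an extra entry after the real one.
SAMPLE_BLOCK = build_signing_block([
    (V2_BLOCK_ID, build_v2_block([build_v2_signer([LEGIT_CERT, FAKE_CERT], PUBLIC_KEY)])),
])

if __name__ == "__main__":
    signers = parse_v2_signers(parse_signing_block(SAMPLE_BLOCK)[V2_BLOCK_ID])
    print("Android identity:   ", signing_identity(signers))
    print("last-cert verifier: ", naive_last_cert_identity(signers))
```

Run stand-alone, the script prints the legitimate placeholder certificate for the Android rule and the extra one for the mistaken verifier, from the same bytes. The practical takeaway is the one the article makes: a pinning check is only as good as its agreement with the platform's verifier, so the certificate you pin on must be the one apksig reports after it has verified the signature, not whatever your own parser happens to pull out of the structure.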

https://github.com/obfusk/fdroid-fakesigner-poc
