Riot.im Android security update

Hi all,

After the security incident at Matrix.org, we have decided to publish a new Riot.im Android app on the Google Play Store out of an abundance of caution.

The fresh app is still called Riot.im but internally it has a different application identifier (im.vector.app). Because of this new id, the new app appears in Google Play as a completely different application. This also prevents an automatic update from the old to the new application.

(Google unexpectedly removed the new app from the Play Store on April 25th between 13:00 UTC and 16:00 UTC; they haven’t given us any details on why, but it’s back now. Apologies for any inconvenience).

This means that Riot/Android users who use the app from Google must make sure their encryption keys are backed up (either by manually exporting them, or by backing them up onto the server), and then manually reinstall the app. We are very sorry for the inconvenience, but we would rather be safe than sorry.

If your keys are not backed up yet, this is the time to do it. Tools are available in Settings > Cryptography Keys Management

Why this change?

During the security incident on Matrix.org’s production infrastructure, the attacker may have had access to the key we use to sign the Riot Android app. Unfortunately, it is impossible to replace this key without replacing the application.

In future, we will be storing the signing key offline for maximum security.

The risk

If the key was compromised, the attacker could hypothetically generate a malicious version of the Riot Android app with our signature. They would not be able to publish to Google Play but they could use other channels (e.g. circulating a malicious APK file). If a user installed this compromised version, the system would replace the legacy Riot.im app with it.

We have no reason to believe that this attack is happening in the wild; this measure is to prevent it from happening in future.

The old app

We made a final release 0.8.99 with 2 main changes:

  • It has been renamed to “Old Riot.im”
  • There is a dialog on every startup to warn users to reinstall and migrate to the new app

You can trust this last version if you update your Riot.im app from Google Play.

F-Droid

The F-Droid release of Riot is not affected — this only affects the Google Play Store app.

Riot iOS

The Riot iOS app is not affected.