itadakimasuThis doesn’t seem super safe from a security standpoint. Can anyone comment on safety?
noneabove1182What’s your concern exactly? That they’ll install malicious apps on your phone?
Yeah fdroid is vastly preferred over this because you can be sure that the source code provided actually produces the executable.
bluejayAm I missing something? In my experience using Obtainium it pulls apks from sources I tell it to, usually the developers git releases and even sometimes f-droid repos. This app doesn’t compile anything.
The main benefit is watching for updates directly from developers which, again in my experience, has been quicker than waiting on f-droid. You could even have it do just the notification and you can manually go download and install if you’re the cautious.
The developer(s) could slip something nefarious in easily. We’re putting all our faith into developers that could be anybody
The developer of obtainium or the packages we’re installing? I’ll assume the former. If you’re skeptical about obtainium you could still use it as a source to monitor && notify and then do your install manually.
No, the developers of the apps you are installing through obtainium.
How does f-droid solve this problem? From my understanding they confirm that the .apk provided by the dev matches what compiles from source and run it through Virus Total. Those are trivial steps for a malicious dev to take to slip in something nefarious.
At that point you’re relying on the community to check every commit for nefarious code $x. Not to mention they could simply build up community trust for some time before slipping in the code, since they’d effectively be burned once (if?) their very first shady code commit is found.
I can’t imagine f-droid would go on the hook and say everything they build is also code reviewed for malicious stuff, right?
They don’t just confirm it, the apk you download from fdroid is compiled by them from the source code. And sure, they’re not reviewing all the source code for all apps they build, but it’s still one added layer of security.
The apk isn’t always what f-droid compiles. There’s two scenarios where they publish the apk signed by the developer.
f-droid.org/docs/Reproducible_Builds/
It’s one added layer of security to you, but to others it’s a man in the middle that could be an extra attack vector.
If you don’t trust the dev to put out an apk that’s compiled from their public source why are you trusting any of your data with them?
SatyrSackF-Droid installs an APK that F-Droid compiled. Obtainium installs an APK that the app developer themselves compiled. I’m not sure what you’re getting at.
Malicious APKs, built by the developer themselves, not matching their public source code.
Which developer?
If you think about it, any developer could have their account hacked and the attacker upload an APK that includes malware. Obtainium isn’t doing any malware scan or building from source or anything. If you are planning to just install from GitHub anyway, Obtainium should be a no-brainer. But I can see where might argue that having a middleman like F-Droid to validate APK integrity has some merits.
f-droid.org/docs/Security_Model/
Fair point. I guess it boils down to if you prefer speed of update (obtainium) or the extra checks f-droid has in place and if you continue to trust that f-droid’s stuff doesn’t get compromised.
It’s also worth mentioning f-droid’s workflow far from guarantees there’s nothing nefarious in a package. The bar looks to be passing virus total and then ensuring the provided apk matches source. If nobody reviews the source each time then every release could be the one that gets a nasty surprise.
csm10495So this means you trust F-Droid? … do you have proof that they aren’t doing anything nefarious?
… if we want to play the game of ‘is it safe’ play it all the way in each case.
Like we’re acting like a dev would upload malware to a trusted repo. If we think that way, the could also slip it into the open source code and not be noticed. Anything’s possible but don’t live in fear.
There is a weird thing on Lemmy where people seem to be very worried about things that they probably shouldn’t be; then we hit a line where its just ‘ok’.
TLDR: For 99.99% of people I’d recommend just using the Google Play store.
I thought about that argument as I was posting my reply. The thing is that with fdroid you only have to trust one instance. With something like obtainium, you are trusting every single developer whose app you are downloading. Don’t get me wrong, ultimately I am not that worried either and am using the izzyondroid repo as well which has the same issue as obtainium. But it is good to have systems in place to prevent abuse even if that abuse is unlikely.
Aren’t you trusting every app developer since it still compiles their code? I mean unless you actively look through all the code in each app you use.
Sure, at one point you have to trust something or someone unless you want to read all source code for all apps you use. Thankfully there are quite a few people out there who do basically that and report issues they find, but ultimately, reading all source code and compiling everything by yourself would be the only way to be safe.
I disagree. Using F-Droid introduces another party and middle man that you have to trust, in addition to a single point of failure. Any checks that F-Droid does is very basic and they have said themselves that they can’t ensure apps are safe.
F-Droid Security Issues
F-Droid is a popular alternative app repository for Android, especially known for its main repository dedicated to free and open-source software. F-Droid is often recommended among security and privacy enthusiasts, but how does it stack up against Play Store in practice? This write-up will attempt to emphasize major security issues with F-Droid that you should consider. Before we start, a few things to keep in mind: The main goal of this write-up was to inform users so they can make responsible choices, not to trash someone else’s work.
QuerellerJust be aware what you install. Check the developer name and the whole path.
Some apps on F-Droid are limited for example but you can download the full featured app from Github. Later updates are anyhow cryptographically signed.
Some apps on F-Droid are limited for example but you can download the full featured app from Github. Later updates are anyhow cryptographically signed.