109
[Android][App] Obtainium. Get Android App Updates Directly From the Source.
(raw.githubusercontent.com)
All about open source! Feel free to ask questions, and share news, and interesting stuff!
Community icon from opensource.org, but we are not affiliated with them.
I was wondering do they have any way to verify the integrity of the packages they downloaded? AFAIK there is no consistent way for developers to provide hashes/signature of their releases.
To me it seems like grapheneos community have a tendency to be unnecessarily harsh about security on other projects. And in this case, side of burrito's suggestion to download app from github directly instead of fdroid, really is a suggestion that is hard for me to understand...
It is obviously true that fdroid's security model is bit behind, especially with index-v1, but they do provide basic functionality like verifying developer signature and hash of the package downloaded. However, I seriously doubt this app is doing that with github releases, since I am simply not sure how verifying the signature/hash of a release when there is no way to provide such information systematically on GitHub.
It is obviously a great app if you use it for its convenience, but I personally wouldn't use it to enhance security. Or maybe I am just ignorant on the matter, I would highly appreciate anyone o point out any mistake I made.
I am using it definetly because of convenience. Not all apps on F-Droid (izzyondroid), Play Store. For me it is unnecessary middleman. But everyone has their own way of publishing apks. So yeah, it is really convenient to have all app updates in one place. Also you can add apps from F-Droid and update them regularly from this app. Incredible work!
This is a good question and a valid concern. However, I wonder if the app really makes in worse then it's already is. GitHub has no way to share checksums with the builds. The only way to do that is to upload a checksum file alongside the binary. But if an attacker is able to upload/replace a malicious binary, they would be able to replace its checksum file as well. So you wouldn't be able to recognize this anyway, even when downloading it GitHub, would you?