Awesome app. It is somehow not listed on android-foss list so maybe someone didn’t know about it.

Obtainium allows you to install and update Open-Source Apps directly from their releases pages, and receive notifications when new releases are made available.

GitHub page: Link.

  • everett@lemmy.ml
    link
    fedilink
    English
    arrow-up
    12
    ·
    1 year ago

    Malicious APKs, built by the developer themselves, not matching their public source code.

    • bluejay@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      1 year ago

      Which developer?

      E: Lol @ the ninja edit.

      That’s hardly a meaningful advantage for f-droid and the whole man in the middle risk you’re exposing yourself to there. If you don’t trust the developer to do the bare minimum of providing a release that matches source then why are you even installing their app? Satyr’s response about developers getting compromised has way more weight in that conversation, but still falls short IMO.

      Making sure the apk matches public source and running it through VT aren’t going to catch a malicious apk that has the nasty bits buried in various commits but checks out in VT and matches the public source code. Sure, it’ll burn them as a developer if/when they get caught, but how often does the community truly do code reviews on one-off Android apps? Not often enough to catch that kinda thing before it spreads without getting insanely lucky.

      • SatyrSack
        link
        fedilink
        English
        arrow-up
        9
        ·
        1 year ago

        If you think about it, any developer could have their account hacked and the attacker upload an APK that includes malware. Obtainium isn’t doing any malware scan or building from source or anything. If you are planning to just install from GitHub anyway, Obtainium should be a no-brainer. But I can see where might argue that having a middleman like F-Droid to validate APK integrity has some merits.

        https://f-droid.org/docs/Security_Model/

        https://f-droid.org/docs/Reproducible_Builds/

        https://apt.izzysoft.de/fdroid/index/info#security

        • bluejay@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          Fair point. I guess it boils down to if you prefer speed of update (obtainium) or the extra checks f-droid has in place and if you continue to trust that f-droid’s stuff doesn’t get compromised.

          It’s also worth mentioning f-droid’s workflow far from guarantees there’s nothing nefarious in a package. The bar looks to be passing virus total and then ensuring the provided apk matches source. If nobody reviews the source each time then every release could be the one that gets a nasty surprise.