112
[Android][App] Obtainium. Get Android App Updates Directly From the Source.
(raw.githubusercontent.com)
Awesome app. It is somehow not listed on android-foss list so maybe someone didn't know about it.
Obtainium allows you to install and update Open-Source Apps directly from their releases pages, and receive notifications when new releases are made available.
GitHub page: Link.
I was wondering do they have any way to verify the integrity of the packages they downloaded? AFAIK there is no consistent way for developers to provide hashes/signature of their releases.
To me it seems like grapheneos community have a tendency to be unnecessarily harsh about security on other projects. And in this case, side of burrito's suggestion to download app from github directly instead of fdroid, really is a suggestion that is hard for me to understand...
It is obviously true that fdroid's security model is bit behind, especially with index-v1, but they do provide basic functionality like verifying developer signature and hash of the package downloaded. However, I seriously doubt this app is doing that with github releases, since I am simply not sure how verifying the signature/hash of a release when there is no way to provide such information systematically on GitHub.
It is obviously a great app if you use it for its convenience, but I personally wouldn't use it to enhance security. Or maybe I am just ignorant on the matter, I would highly appreciate anyone o point out any mistake I made.
I am using it definetly because of convenience. Not all apps on F-Droid (izzyondroid), Play Store. For me it is unnecessary middleman. But everyone has their own way of publishing apks. So yeah, it is really convenient to have all app updates in one place. Also you can add apps from F-Droid and update them regularly from this app. Incredible work!
This is a good question and a valid concern. However, I wonder if the app really makes in worse then it's already is. GitHub has no way to share checksums with the builds. The only way to do that is to upload a checksum file alongside the binary. But if an attacker is able to upload/replace a malicious binary, they would be able to replace its checksum file as well. So you wouldn't be able to recognize this anyway, even when downloading it GitHub, would you?