this post was submitted on 08 Jul 2023
200 points (98.5% liked)

Android

17682 readers
124 users here now

The new home of /r/Android on Lemmy and the Fediverse!

Android news, reviews, tips, and discussions about rooting, tutorials, and apps.

πŸ”—Universal Link: [email protected]


πŸ’‘Content Philosophy:

Content which benefits the community (news, rumours, and discussions) is generally allowed and is valued over content which benefits only the individual (technical questions, help buying/selling, rants, self-promotion, etc.) which will be removed if it's in violation of the rules.


Support, technical, or app related questions belong in: [email protected]

For fresh communities, lemmy apps, and instance updates: [email protected]

πŸ’¬Matrix Chat

πŸ’¬Telegram channels / chats

πŸ“°Our communities below


Rules

  1. Stay on topic: All posts should be related to the Android OS or ecosystem.

  2. No support questions, recommendation requests, rants, or bug reports: Posts must benefit the community rather than the individual. Please post to [email protected].

  3. Describe images/videos, no memes: Please include a text description when sharing images or videos. Post memes to [email protected].

  4. No self-promotion spam: Active community members can post their apps if they answer any questions in the comments. Please do not post links to your own website, YouTube, blog content, or communities.

  5. No reposts or rehosted content: Share only the original source of an article, unless it's not available in English or requires logging in (like Twitter). Avoid reposting the same topic from other sources.

  6. No editorializing titles: You can add the author or website's name if helpful, but keep article titles unchanged.

  7. No piracy or unverified APKs: Do not share links or direct people to pirated content or unverified APKs, which may contain malicious code.

  8. No unauthorized polls, bots, or giveaways: Do not create polls, use bots, or organize giveaways without first contacting mods for approval.

  9. No offensive or low-effort content: Don't post offensive or unhelpful content. Keep it civil and friendly!

  10. No affiliate links: Posting affiliate links is not allowed.

Quick Links

Our Communities

Lemmy App List

Chat and More


founded 1 year ago
MODERATORS
 

Awesome app. It is somehow not listed on android-foss list so maybe someone didn't know about it.

Obtainium allows you to install and update Open-Source Apps directly from their releases pages, and receive notifications when new releases are made available.

GitHub page: Link.

top 50 comments
sorted by: hot top controversial new old
[–] itadakimasu 21 points 1 year ago (3 children)

This doesn't seem super safe from a security standpoint. Can anyone comment on safety?

[–] [email protected] 26 points 1 year ago (4 children)

Yeah fdroid is vastly preferred over this because you can be sure that the source code provided actually produces the executable.

[–] [email protected] 16 points 1 year ago (1 children)

F-Droid installs an APK that F-Droid compiled. Obtainium installs an APK that the app developer themselves compiled. I'm not sure what you're getting at.

[–] [email protected] 10 points 1 year ago (1 children)

Malicious APKs, built by the developer themselves, not matching their public source code.

[–] [email protected] -2 points 1 year ago* (last edited 1 year ago) (1 children)

Which developer?

E: Lol @ the ninja edit.

That's hardly a meaningful advantage for f-droid and the whole man in the middle risk you're exposing yourself to there. If you don't trust the developer to do the bare minimum of providing a release that matches source then why are you even installing their app? Satyr's response about developers getting compromised has way more weight in that conversation, but still falls short IMO.

Making sure the apk matches public source and running it through VT aren't going to catch a malicious apk that has the nasty bits buried in various commits but checks out in VT and matches the public source code. Sure, it'll burn them as a developer if/when they get caught, but how often does the community truly do code reviews on one-off Android apps? Not often enough to catch that kinda thing before it spreads without getting insanely lucky.

[–] [email protected] 8 points 1 year ago (1 children)

If you think about it, any developer could have their account hacked and the attacker upload an APK that includes malware. Obtainium isn't doing any malware scan or building from source or anything. If you are planning to just install from GitHub anyway, Obtainium should be a no-brainer. But I can see where might argue that having a middleman like F-Droid to validate APK integrity has some merits.

https://f-droid.org/docs/Security_Model/

https://f-droid.org/docs/Reproducible_Builds/

https://apt.izzysoft.de/fdroid/index/info#security

[–] [email protected] 2 points 1 year ago

Fair point. I guess it boils down to if you prefer speed of update (obtainium) or the extra checks f-droid has in place and if you continue to trust that f-droid's stuff doesn't get compromised.

It's also worth mentioning f-droid's workflow far from guarantees there's nothing nefarious in a package. The bar looks to be passing virus total and then ensuring the provided apk matches source. If nobody reviews the source each time then every release could be the one that gets a nasty surprise.

[–] FutileRecipe 7 points 1 year ago

I disagree. Using F-Droid introduces another party and middle man that you have to trust, in addition to a single point of failure. Any checks that F-Droid does is very basic and they have said themselves that they can't ensure apps are safe.

https://privsec.dev/posts/android/f-droid-security-issues/

[–] [email protected] 4 points 1 year ago (1 children)

Am I missing something? In my experience using Obtainium it pulls apks from sources I tell it to, usually the developers git releases and even sometimes f-droid repos. This app doesn't compile anything.

The main benefit is watching for updates directly from developers which, again in my experience, has been quicker than waiting on f-droid. You could even have it do just the notification and you can manually go download and install if you're the cautious.

[–] itadakimasu 3 points 1 year ago (1 children)

The developer(s) could slip something nefarious in easily. We're putting all our faith into developers that could be anybody

[–] [email protected] -3 points 1 year ago (1 children)

The developer of obtainium or the packages we're installing? I'll assume the former. If you're skeptical about obtainium you could still use it as a source to monitor && notify and then do your install manually.

[–] [email protected] 0 points 1 year ago (1 children)

No, the developers of the apps you are installing through obtainium.

[–] [email protected] 3 points 1 year ago (1 children)

How does f-droid solve this problem? From my understanding they confirm that the .apk provided by the dev matches what compiles from source and run it through Virus Total. Those are trivial steps for a malicious dev to take to slip in something nefarious.

At that point you're relying on the community to check every commit for nefarious code $x. Not to mention they could simply build up community trust for some time before slipping in the code, since they'd effectively be burned once (if?) their very first shady code commit is found.

I can't imagine f-droid would go on the hook and say everything they build is also code reviewed for malicious stuff, right?

[–] [email protected] -2 points 1 year ago (1 children)

They don't just confirm it, the apk you download from fdroid is compiled by them from the source code. And sure, they're not reviewing all the source code for all apps they build, but it's still one added layer of security.

[–] [email protected] 1 points 1 year ago

The apk isn't always what f-droid compiles. There's two scenarios where they publish the apk signed by the developer.

https://f-droid.org/docs/Reproducible_Builds/

It's one added layer of security to you, but to others it's a man in the middle that could be an extra attack vector.

If you don't trust the dev to put out an apk that's compiled from their public source why are you trusting any of your data with them?

[–] [email protected] 1 points 1 year ago (1 children)

So this means you trust F-Droid? .. do you have proof that they aren't doing anything nefarious?

.. if we want to play the game of 'is it safe' play it all the way in each case.

Like we're acting like a dev would upload malware to a trusted repo. If we think that way, the could also slip it into the open source code and not be noticed. Anything's possible but don't live in fear.

There is a weird thing on Lemmy where people seem to be very worried about things that they probably shouldn't be; then we hit a line where its just 'ok'.

TLDR: For 99.99% of people I'd recommend just using the Google Play store.

[–] [email protected] 3 points 1 year ago (1 children)

I thought about that argument as I was posting my reply. The thing is that with fdroid you only have to trust one instance. With something like obtainium, you are trusting every single developer whose app you are downloading. Don't get me wrong, ultimately I am not that worried either and am using the izzyondroid repo as well which has the same issue as obtainium. But it is good to have systems in place to prevent abuse even if that abuse is unlikely.

[–] [email protected] 4 points 1 year ago (1 children)

Aren't you trusting every app developer since it still compiles their code? I mean unless you actively look through all the code in each app you use.

[–] [email protected] 0 points 1 year ago

Sure, at one point you have to trust something or someone unless you want to read all source code for all apps you use. Thankfully there are quite a few people out there who do basically that and report issues they find, but ultimately, reading all source code and compiling everything by yourself would be the only way to be safe.

[–] [email protected] 1 points 1 year ago

Just be aware what you install. Check the developer name and the whole path.
Some apps on F-Droid are limited for example but you can download the full featured app from Github. Later updates are anyhow cryptographically signed.

[–] [email protected] -1 points 1 year ago

What's your concern exactly? That they'll install malicious apps on your phone?

[–] [email protected] 8 points 1 year ago (1 children)

Never heard of it before, but it seems better than just using f-droid. Some of the apps I use are only available on GitHub.

[–] [email protected] 5 points 1 year ago (2 children)

Are you aware of the izzyondroid repo? That contains loads of github releases which for one reason or another haven't made their way to fdroid yet. So far, I haven't had to manually download any apks from github because everything has been available there.

[–] [email protected] 3 points 1 year ago

I use it, but I have some games that are not there and only at github/gitlab.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

Lots. But definetly not all releases. Very convenient app!

[–] [email protected] 5 points 1 year ago (1 children)

Literally just installed this and set up with all my Foss apps, couldn't be happier, works surprisingly well for "beta" haha

[–] [email protected] 5 points 1 year ago

Yeah, "beta" label is kinda meh for such a good tool!

[–] [email protected] 4 points 1 year ago (6 children)

I don't want to watch the video on "why this app is better than fdroid". So, does anyone care to write an TL;DR?

[–] [email protected] 7 points 1 year ago

For me it's best for the apps where people don't upload to Fdroid but I trust them

[–] liara 3 points 1 year ago

Only reason I installed it is for it's ability to use GitHub releases as a source and notify me if there are updates. As far as I'm aware you have to use f-droid repositories with f-droid -- but it's been a long time since I had f-droid installed.

[–] [email protected] 3 points 1 year ago

It's not better than F-Droid, it's useful for apps that aren't on F-Droid tho

[–] Taeye0n 2 points 1 year ago

You get app updates directly from the devs, without f-droid acting as a middle man.

[–] [email protected] 2 points 1 year ago

I don't even know why that video is there. At first glance, you might think it's a video explaining how Obtainium works. But it's actually a video about how to manually set up an RSS feed of the apps you use from GitHub. This video is just what had inspired the developer to make Obtainium.

[–] [email protected] 2 points 1 year ago

It can replace fdroid with caveats. Direct download from gitlab/hub/codeberg/fdroid official with searching. Other git/fdroid repos with manual web addy entry. Good for stuff both on and off fdroid.

[–] [email protected] 4 points 1 year ago

I use APKgrabber just because it automatically checks for all my installed apps but this seems like a better option if you spend the time to set it up.

[–] [email protected] 3 points 1 year ago (1 children)

Been using this for a while now. Ngl, I didn't understand it at first and was sitting in my app drawer for months.

Revisited the app again few days ago, and I couldn't be happier. Pulls directly from developer's GitHub, Gitlab, or Codeberg as long as their Release page contains an APK.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

Truly awesome concept and implementation. Kudos to developer!

[–] [email protected] 3 points 1 year ago (1 children)

I've been using it for Thunder nightlies and it's worked great

[–] d3Xt3r 2 points 1 year ago (2 children)

Reading the Gitbub page it doesn't look like it supports automatic updates, so does this mean you get manual prompts to update every single day?! (given that you're using nightlies)

[–] [email protected] 2 points 1 year ago

yup 😁

[–] [email protected] 1 points 1 year ago

Yes, Obtanium notifies me there is a new update shortly after it's uploaded to GitHub. Then I just have to click update and it updates. Super simple and helpful.

[–] [email protected] 2 points 1 year ago (1 children)

What kind of apps are you all using that aren't on Google Play or Fdroid?

[–] [email protected] 1 points 1 year ago

Many of the lemmy apps that are still in development are not released on any of these stores.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (2 children)

They don't seem like they have background installation mechanism right?

I went all of the troubles creating an automation with Tasker because I haven't found one that worked like Google PlayStore's auto-update back then.

I wonder if there is a couple of them out there that already has those? Maybe like with shizuku, ADBwidi, or root access?

Edit: typo

[–] [email protected] 2 points 1 year ago (1 children)

If it's on F-Droid, you can use Droid-ify + Shizuku for automatic background updating.

[–] [email protected] 1 points 1 year ago

There are two options that makes me a bit confused.

Auto update apps. Try to install updates automatically

Notify about new versions of applications. Show a notification when new versions are available

Do I have to turn off the later to let the auto-update runs fully in background or It's fine to keep both enabled?

On the first run, I think I had both enabled and I still tapped multiple times. Shizuku installer worked great though.

[–] [email protected] 2 points 1 year ago

They don’t seem like they have background installation mechanism right?

From the readme on GitHub:

Auto (unattended) updates are unsupported due to a lack of any capable Flutter plugin.

[–] koinu 1 points 1 year ago (1 children)

Thanks! I didn't know about it :)

[–] [email protected] 2 points 1 year ago

It is really awesome app!

[–] SuperDuper5 1 points 10 months ago

It doesn't work on 64bit only phones annoying

load more comments
view more: next β€Ί