How to explain why Accrescent over F-Droid?

Sbpr What about izzyondroid and Obtainium?

Like Accrescent, the IzzyOnDroid F-Droid repo distributes builds directly from developers. The repo also implements app signing key pinning and other security measures. If I'm not mistaken, this makes using the IzzyOnDroid repo equally secure as using Accrescent (please correct me if I'm wrong).

Obtainium is not a repo per se, although they have started a crowdsourced list of app configurations in the last months. Apart from apps in that list, apps installed via Obtainium are not curated (they are not scanned for malware, etc.). If your threat model considers developers compromising their own apps as a threat, that makes Obtainium less secure than Accrescent, and less secure than the F-Droid official and IzzyOnDroid repositories. However, if your threat model considers compromised F-Droid repos as a higher threat, it would be more secure for you to install an app via Obtainium. Accrescent would in theory resist a compromised repo, unless the Accrescent client was also compromised to remove app signing key pinning.

missing-root

If I'm not mistaken, there is an option for background updates in Obtainium.

It can be activated in the app under settings> Enable Background Updates. Background Update Checking Interval can be set with the slider above. Unfortunately this doesn't seem to work with all apps.

AlphaElwedritsch We're not going to be switching to using it from our own App Store. It's included to provide a way to get developer builds of apps for developers submitting their apps to Accrescent. We don't plan to provide the same service to app developers since Accrescent has it covered and multiple options would be counterproductive.

boldsuck

¹There have been many improvements in the last few months.

There have also been continued regressions in security and trust.

leo F-Droid's repository metadata is poorly designed and the security is poor. The security of anything built around an ecosystem of insecure scripts, clients, builds, etc. is highly questionable.

unless the Accrescent client was also compromised to remove app signing key pinning

No, the OS package manager is what implements the baseline pinning and downgrade protection. That's why having an app repository like F-Droid with poorly secured builds and keys by untrustworthy people is such a terrible idea. It means even already installed apps can be compromised.

GrapheneOS F-Droid's repository metadata is poorly designed and the security is poor.

Thanks, I didn't know about this.

unless the Accrescent client was also compromised to remove app signing key pinning

No, the OS package manager is what implements the baseline pinning and downgrade protection.

Sorry for my ambiguous message. I was referring to the fact that the Accrescent client verifies an app's signature even before the first install, compared to baseline pinning from the Android OS which only verifies an app's signature during app updates. If I understand this correctly, this prevents a scenario where a compromised Accrescent server could deliver malicious apps to people who are installing them for the first time with the Accrescent client. A malicious actor would therefore need to compromise the Accrescent client as well. Again, please correct me if I'm wrong, I am not at all an expert in this topic.

By the way, thanks a lot for making GrapheneOS and staying in touch with the community. I learnt a lot from the beautiful GrapheneOS documentation and from your posts on the forum!

Scott

hey can use my donation to improve security?

Security isn't bad because of a lack of resources, it's mainly an ideological issue.
They consider that what is generally defined as good security practice only applies to closed-source proprietary, and that open-source services don't need it.
There's a complete disinterest about security.

Murcielago yeah that doesnt work

Scott If i were you, id double the amount for GrapheneOS and forget about donating to to F-Droid.

matchboxbananasynergy strange. The low SDK apps are where I need to press on the "update" android package manager popup manually, right?

I am not talking about that, it doesnt work on its own, in the background.

It even tells me that Obtainium needs to be in the foreground to do that, which is not the definition of automatic updates

missing-root Perhaps you can talk to Obtainium's developer for more info, or maybe they have docs up. I remember getting automatic updates to work for Obtainium was an ordeal due to the app being written in Flutter, but it's been done for a while.

For me, without touching Obtainium, I get a notification telling me "AppName may have been updated to version 0.0.1" or something similar. The may have been updated bit in the notification is there for a reason, but I forget the details.

DeletedUser24 Security isn't bad because of a lack of resources, it's mainly an ideological issue.

I may really be a bit stupid. But I still haven't understood why F-Droid security is so bad. They do the same thing as Debian, just for Android. Can you explain it simply?

Scott I still haven't understood why F-Droid security is so bad. They do the same thing as Debian, just for Android. Can you explain it simply?

As was recently discussed, Debian is not at the top of the heap in terms of security. So "Debian does X" does not imply "X is fine". That is the simple version.

Debian is ok at desktop Linux security. But desktop Linux security is distinctly not great. However, because security is complicated, the reasons why desktop Linux security is not top-shelf are not reasons that can be stated in a few words. So asking for a simple explanation is asking for something that is not feasible.

Here is some non-simple material about security of desktop machines in general (even before the question arises of which desktop OS is run): https://discuss.grapheneos.org/d/14344-cellebrite-premium-july-2024-documentation/36

Overall, "Debian does X" does not imply "X is fine".