Better way to obtain some apps: F-Droid vs Github without any verification

DeletedUser44

I mainly use Obtainium (in conjunction with AppVerifer) to install applications and the Play Store to install proprietary applications. The question is simple: if a developer does not offer a good verification method (preferably distrusting GitHub), who should be trusted more: GitHub or F-Droid?

N1b

I don't know the security details, but some thoughts:

F-Droid is often criticized for their centralized approach and app signing keys (= effective attack vector)
One risk at Github is to verify the uploader, but you seem to have a good process here.
Are all your current and potential future apps even available via F-Droid or Github? Or will you have to trust both/neither anyway?

I'm currently using Droid-ify and mostly the F-Droid repository, that's sufficient for my threat model. If I were to increase my security and use Obtainium, I'd probably prefer Github over F-Droid, but that's just a first impression. Looking forward to the next replies from more knowledgeable people.

hemlockiv

I think if you can't verify the hash of the APK, then F-Droid is more secure, hands-down. Why? Because F-Droid builds all its apps from source. If you're downloading "release.apk" from Github, then you don't actually know with certainty that your file was compiled from exactly the code in the repo. It could be legitimate code but then a malicious apk file, because the processes for committing public code and uploading a compiled executable are totally independent.

The only way you can be confident in a Github app is if you clone the repo and compile it yourself, and at that point it's still your responsibility to audit the codebase, because you don't have good reputable folks at F-Droid doing it for you!

(It is slightly safer to download "release.apk" if the repo in question uses a Github Actions workflow to compile and release the file, because that's something you can audit as well. But iirc Github releases can still be edited after the fact, so at that point you might as well fork the repo and run the workflow yourself, bringing us back to the topic of self-compiling.)

Dumdum

hemlockiv If you're downloading "release.apk" from Github, then you don't actually know with certainty that your file was compiled from exactly the code in the repo. It could be legitimate code but then a malicious apk file, because the processes for committing public code and uploading a compiled executable are totally independent

Could be wrong but pretty sure the same concern applies to Fdroid unless the build is reproducible.

you don't have good reputable folks at F-Droid doing it for you

I don't think having "reputable folks" audit code for you really matters unless the app in question is a new/barely known app. If an app has already obtained a sizable reputation (e.g. Newpipe, 31k Github stars), then Fdroid's contribution is virtually meaningless. In this situation, I don't see why Fdroid's auditing would be special and of more significance than the wider open source community's. Maybe there's a good reason I'm missing.

hemlockiv

Dumdum Could be wrong but pretty sure the same concern applies to Fdroid unless the build is reproducible.

Could be wrong but pretty sure F-Droid builds ARE reproducible, based on the documentation you literally just shared. So that's not a relevant concern.

And unless I misunderstood the OP's question, we're NOT talking about big established apps with years of history and followings and thousands of GH stars - because those apps like Newpipe can be verified with AppVerifier. The question is about smaller/newer apps that don't have a reputation and haven't made it into AppVerifier, and for that scenario, I stand by my original statement that F-Droid is much safer than downloading a random .apk file off the internet.

Dumdum

hemlockiv Could be wrong but pretty sure F-Droid builds ARE reproducible, based on the documentation you literally just shared. So that's not a relevant concern.

If thats the case then fair enough. Not sure where on the documentation it says that Fdroid apps actually are reproducible though (maybe I'm blind). As far as I can tell they simply support it. If they are reproducible however, then Fdroid needs to make that a little clearer.

And unless I misunderstood the OP's question, we're NOT talking about big established apps with years of history and followings and thousands of GH stars - because those apps like Newpipe can be verified with AppVerifier. The question is about smaller/newer apps that don't have a reputation and haven't made it into AppVerifier, and for that scenario, I stand by my original statement that F-Droid is much safer than downloading a random .apk file off the internet.

Agreed. If small/newer apps is indeed the point of OP's question, then Fdroid would of course be of benefit as I previously stated. We're not in any disagreement there.

DeletedUser44

hemlockiv Yes, I am about smaller apps.

Also there are some apps with big history, but they cant be verifed(afaik), like fossify, correct me if I am wrong.

So for smaller apps I think I really will trust FDroid more.

thanks

Clark

How high is the risk of malware with the unverified apk method? Talking step counters, compasses, maps...

Clark

Also, personally I'm using Obtainium which I believe can fetch the download from Fdroid and similar repositories. Is this the same thing as directly downloading from the Fdroid app?

DeletedUser44

Thank you all for the suggestions, I'm thinking about how I will further organize the installation of apps, but maybe I'll really switch to FDroid with Obtainium where you can't verify the app.

hemlockiv

An important clarification: AppVerifier compares the signature hashes of apps to confirm that they are genuine and not a tampered copy. AFAIK, AppVerifier does NOT audit the source code. So, it's completely possible that an app is verified by AppVerifier but it still contains malicious/invasive code! All it means is that the malicious code was put there by the original developer who signrd it, and not by a 3rd party.

So, I only really find AppVerifier useful if I have to download an apk from somewhere like APKmirror, which already includes data about signature hashes anyway.