Obtainium + MOLLY-FOSS

flighty_sloth

I am trying to set obtainium to update MOLLY-FOSS with the following URL: https://github.com/mollyim/mollyim-android

For some reason it's constantly telling me there's an update and it's saying the non-foss apk.

Does anyone know what settings to change to fix that?

Thanks

DeletedUser87

flighty_sloth you could add FOSS in the APK REGEX field in Obtainium, see if that helps?

flighty_sloth

DeletedUser87 Thanks for idea, sadly it didn't seem to make a difference, still says update available after refresh.

DeletedUser87

flighty_sloth two more things, you could try to adjust the URL to the releases one (https://github.com/mollyim/mollyim-android/releases) and secondly, you can mark an app as updated when adding it to Obtainium by hitting the small checkmark in the lower left corner. Note: it might say MOLLY (without FOSS) while it actually installs the FOSS version (I just tried and it's the FOSS version, which you can check in the app). If it was the non-foss one, it shouldn't actually install an update over the other one due to signature mismatch.

flighty_sloth

DeletedUser87 Thanks for your help, I realized it's because I already had the app installed before I installed obtainium, I thought it wouldn't matter since it's the same version from the same source.

So I just had to uninstall it and let obtainium install it instead.

IcyScroll

FYI: Molly-FOSS is also available on Accrescent which you can get safely from the App Store. It should be more robust than Obtainium, especially security-wise.

flighty_sloth

IcyScroll Thanks, what do you mean by more secure? As in if the source I put in obtainium gets compromised?

Ammako

IcyScroll That, and Molly-FOSS has a built-in self-updater anyway.

IcyScroll

flighty_sloth https://accrescent.app/#features

Getting an app for the first time (e.g. from Github) without verifying it's hash signature usually means trusting the source providing the app. This is not the case with Accrescent (and Google Play Store) due to App signing key pinning.

If you would like to install an app which happens to be available on Accrescent (Molly-FOSS is the only variant of Molly available there), it is the best practice to get it from there. You can trust your GOS install because you (hopefully) verified it, this creates an ideal chain of trust for getting Molly-FOSS (no possibility of getting a malicious version): trusted GOS install > App Store > Accrescent > Molly-FOSS. This works because you already trust App Store and it includes a similarly secure Accrescent store.

GOS21606

It should work in obtainium with that link.

V7.18.2-1-FOSS check this in settings -> apps -> below see version

flighty_sloth

IcyScroll So if I'm understanding the danger is accidently downloading and installing a malicious version the first time it's installed?

So in obtainium's case the main issue would be if the official repo for an app was compromised whenever it first installed that app it wouldn't have a way to verify it's not legitimate?

IcyScroll

flighty_sloth

Mostly this, yes. I'm not trying to scare you off from using obtainium with Molly's official repo, though. Just wanted to point out there is a safer and much easier method to get the FOSS variant, for anyone interested. I find it fascinating that there is a care-free, easy and quick way of getting a reasonable messaging app on every phone that runs GOS. It's almost like it's included with the OS!

flighty_sloth it wouldn't have a way to verify it's not legitimate?

One can still use AppVerifier to check if one's Molly install is legitimate but the safest way to get it is Accrescent as well, so might as well install Molly-FOSS from there.
In theory, if the repo was temporarily compromised and has served you a malicious APK, it wouldn't be possible to update your install after devs became aware of the compromise and fixed it, so you would notice that.