I want to download a few apps and I hope you can tell me which way would be more secure for them.

  1. SimpleX via GitHub or the SimpleX repo?
  2. Obtainium via GitHub or the IzzyOnDroid repo?
  3. FlorisBoard stable version via GitHub or FlorisBoard beta via the IzzyOnDroid repo?

What I know so far is that apps on GitHub are not verified and that, because of that, we should use AppVerifier for them. But I heard someone say that getting an app from an app repo, for example the SimpleX repo, would be more secure, because F-Droid checks them at least, whereas if I got it from GitHub I would need to check it myself.
And I also heard that IzzyOnDroid can be trusted because it has good privacy/security or something like that.

But please correct me if there is something wrong with that. I just want to learn whether that is true and more secure, and which ways I should get those apps. Thank you.

    [deleted] The most important thing is that the SHA-256 certificate hashes of the APKs you have installed match their expected hashes. No matter what source you install from, if the certificate hashes match, your installation is genuine.

    To check this you need AppVerifier as you said, however you can't just trust AppVerifier by installing it from Github and being done with it. You need to verify that AppVerifier is authentic first in order to be able to trust the hashes that AppVerifier shows you. You have two options if you are not on GrapheneOS:

    1. Install AppVerifier from GitHub and follow the information in the README.

    2. Install Accrescent from GitHub and manually verify it using the steps in the FAQ. If the hashes match, any app you install from Accrescent (in your case, AppVerifier) is confirmed to be authentic.

    Now you can use AppVerifier to check the certificate hashes of your installed APKs. Not all apps are available in the AppVerifier internal database, though, so if you want to compare certificate hashes with others, there is a thread here.

    For everyone else reading, if you are on GrapheneOS all you need to do is simply install Accrescent from the GrapheneOS App Store (This confirms Accrescent is authentic) then install AppVerifier from there. No other steps are needed and you can start verifying SHA-256 certificate hashes as you please.

    Please note that there is no need to verify certificate hashes of apps you install from Accrescent once you have verified that Accrescent is genuine. Same applies for apps installed from the Play Store using Sandboxed Google Play on GrapheneOS. You will always need to verify certificate hashes of APKs you installed from sources such as Aurora Store, or the internet.
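    The comparison the reply describes (the APK's signing-certificate SHA-256 against a published value) can also be done on a desktop with `apksigner` from the Android SDK build-tools instead of AppVerifier. The script below is an added example, not from this thread or from the AppVerifier or Accrescent projects; the apksigner output it parses is a constructed sample, and the fingerprint values in it are made up.

    ```shell
    #!/bin/sh
    # Added example: compare an APK's signing-certificate SHA-256 fingerprint
    # against the value you expect, using "apksigner verify --print-certs".
    # Published fingerprints appear as upper- or lower-case hex, with or
    # without colons, so both sides are normalised before comparison.

    # Constructed sample of apksigner output (digest values are made up).
    SAMPLE_OUTPUT='Signer #1 certificate DN: CN=Example Developer
    Signer #1 certificate SHA-256 digest: ab12cd34ef56ab12cd34ef56ab12cd34ef56ab12cd34ef56ab12cd34ef56ab12
    Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567'

    # Strip colons and spaces, lower-case the hex.
    normalize_fp() {
        printf '%s' "$1" | tr -d ': ' | tr 'A-Z' 'a-z'
    }

    # Pull the Signer #1 SHA-256 digest out of apksigner output read on stdin.
    cert_sha256_from_output() {
        sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' | head -n 1
    }

    # Return 0 when the two fingerprints are the same after normalisation.
    fingerprints_match() {
        [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
    }

    # Full check against a real APK (requires apksigner on PATH).
    # Exit 0 on match, 1 on mismatch, 2 if no digest could be read.
    verify_apk_cert() {
        apk="$1"; expected="$2"
        actual=$(apksigner verify --print-certs "$apk" | cert_sha256_from_output)
        if [ -z "$actual" ]; then
            echo "no signer digest found for $apk (apksigner missing or APK unsigned?)" >&2
            return 2
        fi
        if fingerprints_match "$expected" "$actual"; then
            echo "OK: $apk signing certificate matches expected fingerprint"
        else
            echo "MISMATCH: $apk is signed by $actual, expected $expected" >&2
            return 1
        fi
    }

    # Stand-alone demo on the constructed sample instead of a real APK.
    demo() {
        got=$(printf '%s\n' "$SAMPLE_OUTPUT" | cert_sha256_from_output)
        fingerprints_match "AB:12:CD:34:EF:56:AB:12:CD:34:EF:56:AB:12:CD:34:EF:56:AB:12:CD:34:EF:56:AB:12:CD:34:EF:56:AB:12" "$got"
    }
    ```

    Run `verify_apk_cert app.apk '<published fingerprint>'` against a downloaded APK; a mismatch means the file was not signed by the key the developer publishes, whatever site it came from.
    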

      IzzyOnDroid just takes Git* release APKs and puts them into a repo. The advantage is free access (no account and API key, no hassle) and a waaay easier client. The disadvantage is additional trust in their system.

      Self-hosted F-Droid repos are better than GitHub, as they are also free and simpler to use.

      Obtainium has support for F-Droid third-party repos. I use F-Droid Basic just for repos, searching and getting the app IDs.

      Then Obtainium for updates, but honestly I'm not sure if that is worth it. I think it is.

        duck1 Thank you so much for your detailed answer! I will try my best with that. And could you guide me about the 3 apps I asked about, which I should get? Is an app in the first place more secure if the developers launched it on F-Droid in their own repo, instead of GitHub where it is not checked? As far as I know, at least on F-Droid the app gets checked (if that is true).

          missing-root But are app repos more secure than GitHub in the sense that they are at least checked by F-Droid? Because I heard on GitHub they are not checked...

            [deleted] It looks like you're under the assumption that if a developer has set up their own F-Droid repo, then F-Droid does some checks on the apps in this repo. This isn't true. The additional checks done by F-Droid (e.g. licensing, whether there are no third-party malicious and/or Google library dependencies, or outdated dependencies with known vulnerabilities) are done only if the apps are (to be) included in the F-Droid main repository.

            Izzy does such checks for his repo, too, so you might say that Izzy's repo for F-Droid is a "vetted" repo with builds by their original devs.