F-Droid vulnerability allows bypassing certificate pinning

missing-root

Sorry I did not write earlier this but using Obtainium app with AppVerifier app is the recommended way to directly obtain APKs via GitHub. Then comparing the certificate hashes of the APK using AppVerifier against the known internal database.

We don't want to blindly trust the APK one downloads from GitHub without making effort to verify the certificate hashes of the APK. If it doesn't work i would be asking in the Matrix listed under Community:
https://github.com/soupslurpr/AppVerifier

F-Droid or using any F-Droid client is not recommended: https://privsec.dev/posts/android/f-droid-security-issues

xuid0

Just also worth noting a important bit i missed:
You can verify with other people for apps that are not in the internal database. (Join the Matrix channel for AppVerifier and discuss would be one way).

xuid0

Appverifier is only needed for the first install. If devs dont publish their certificate, does this even make sense?

That "F-Droid security issues" is only about the official repo afaik, so not useful.

missing-root

First install? We should be checking the APK every time it is downloaded. That means first install & updates.

xuid0 We should be checking the APK every time it is downloaded.

Why?

I simply trust the OS.

Carlos-Anso
Ah OK I wasn't aware it worked that way. Thanks for informing me :-)

xuid0 Sorry I did not write earlier this but using Obtainium app with AppVerifier app is the recommended way to directly obtain APKs via GitHub.

Obtainium is a nice way to automate update of apps you cannot obtain from app stores such as Accrescent and Play, but it's not a more "secure" way to directly obtain APKs via GitHub. It just doesn't do a verification check of the downloaded APKs. I feel like stating that it is the "recommended" way to obtain APKs make it sound like it's an official recommendation by the GrapheneOS project, which to my knowledge, it is not.

Dumdum

I would not even recommend it personally.

It is really only good to have a single source of apps. But as said, it is way more inefficient than F-Droid at pulling and checking updates. It has waaay more attack surface.

And it has no background updates and parallel downloads, that work. Unlike on F-Droid, I never get an update note or just a prompt, while the app has already downloaded.

You won't believe it but people never update manually. If updates are not automatic, they are often not done.

missing-root I would not even recommend it personally.

I know. You make that obvious from your Fdroid defending. You don't need to tell me, nor do I care. Plenty of people, myself included, are happy using Obtainium and happy to recommend it (until Accrescent can properly replace it, then that'll be the recommendation instead).

You won't believe it but people never update manually. If updates are not automatic, they are often not done.

Well, sorry then, that's an untrue statement. Because I do all updates manually. I don't like not controlling updates and have never understood people's obsessions with automatic updates. I have never spent more than a few minutes updating apps (most of which is spent looking at changelogs), and its not in any way a hindrance to me. I don't find it difficult to keep up to date on my apps and will pretty much always update my apps within a few hours (if not 5-15 minutes) of the updates being available. I'm sure I'm likely not alone in this either.

missing-root If updates are not automatic, they are often not done

All of my updates are manual. Either based on notifications, or on spontaneous check. I haven't automated nothing, except through Accrescent, which I use for 2 apps (including Accrescent itself).

Dumdum
@Eirikr70

Wow... yes I update manually too. This simply is not a scaleable solution. It is an ease to have somewhat background updates.

And no, F-Droid is not only better than Obtainium because of that. I hope that you didnt really only get that. The client is extremely minimal, so that some repos dont even work with it, and only work with Droid-ify.

Obtainium is an entire browser. It renders HTML and runs Javascript, follows redirects and more. I use both, but Obtainium is not the secret tool that is better than all others.

GrapheneOS can I just say what an absolutely fascinating read this entire thread has been, i had zero clue f droid's security was so borked. until today most of my apps were from obtanium, accrescent, and f droid, but after learning all this i uninstalled f droid and replaced my f droid apps with either the play store version or directly from obtainium. thank you so much for keeping security at the forefront

missing-root yes I update manually too.

Shouldn't say blatantly untrue statements then.

And no, F-Droid is not only better than Obtainium because of that. I hope that you didnt really only get that. The client is extremely minimal, so that some repos dont even work with it, and only work with Droid-ify.

I simply don't care. Did you not get the part where I said I'm happy using Obtainium?

but Obtainium is not the secret tool that is better than all others.

1. Never said it was. Stop pretending I did.
2. The same can be said of Fdroid.

xuid0
It is mentioned to use these repos with F-Droid on the website.

Dumdum

Nobody is talking about you or me. Start thinking wider... These issues make Obtainium suboptimal.

FlipSid what would be the error code, if there is one, in the case of a rejection?

Error message is
'package conflicts with an existing package'