
fid02 it is the "recommended" way to obtain APKs

Maybe "commonly recommended" would be more appropriate. Personally I feel this is generally implied when people say "recommended" without a specific source, but I suppose some might think it's not clear where the recommendation comes from, and that could lead to misunderstandings.

    Dumdum

    I would not even recommend it personally.

    It is really only good to have a single source of apps. But as said, it is way more inefficient than F-Droid at pulling and checking updates. It has waaay more attack surface.

    And it has no background updates or parallel downloads that work. Unlike on F-Droid, I never get an update note or just a prompt while the app has already downloaded.

    You won't believe it but people never update manually. If updates are not automatic, they are often not done.

      Carlos-Anso what would be the error code, if there is one, in the case of a rejection?

        missing-root I would not even recommend it personally.

        I know. You make that obvious from your Fdroid defending. You don't need to tell me, nor do I care. Plenty of people, myself included, are happy using Obtainium and happy to recommend it (until Accrescent can properly replace it, then that'll be the recommendation instead).

        You won't believe it but people never update manually. If updates are not automatic, they are often not done.

        Well, sorry then, that's an untrue statement. Because I do all updates manually. I don't like not controlling updates and have never understood people's obsessions with automatic updates. I have never spent more than a few minutes updating apps (most of which is spent looking at changelogs), and it's not in any way a hindrance to me. I don't find it difficult to keep up to date on my apps and will pretty much always update my apps within a few hours (if not 5-15 minutes) of the updates being available. I'm sure I'm likely not alone in this either.

          missing-root If updates are not automatic, they are often not done

          All of my updates are manual. Either based on notifications, or on spontaneous check. I haven't automated anything, except through Accrescent, which I use for 2 apps (including Accrescent itself).

          Dumdum
          @Eirikr70

          Wow... yes I update manually too. This simply is not a scalable solution. It is convenient to have some form of background updates.

          And no, F-Droid is not only better than Obtainium because of that. I hope that you didn't really only get that. The client is extremely minimal, so that some repos don't even work with it, and only work with Droid-ify.

          Obtainium is an entire browser. It renders HTML and runs JavaScript, follows redirects and more. I use both, but Obtainium is not the secret tool that is better than all others.

            GrapheneOS can I just say what an absolutely fascinating read this entire thread has been. I had zero clue F-Droid's security was so borked. Until today most of my apps were from Obtainium, Accrescent, and F-Droid, but after learning all this I uninstalled F-Droid and replaced my F-Droid apps with either the Play Store version or directly from Obtainium. Thank you so much for keeping security at the forefront.

              missing-root yes I update manually too.

              Shouldn't say blatantly untrue statements then.

              And no, F-Droid is not only better than Obtainium because of that. I hope that you didn't really only get that. The client is extremely minimal, so that some repos don't even work with it, and only work with Droid-ify.

              I simply don't care. Did you not get the part where I said I'm happy using Obtainium?

              but Obtainium is not the secret tool that is better than all others.

              1. Never said it was. Stop pretending I did.
              2. The same can be said of Fdroid.

                xuid0
                The website mentions using these repos with F-Droid.

                Dumdum

                Nobody is talking about you or me. Start thinking wider... These issues make Obtainium suboptimal.

                baby_bat I feel the same way, I am really happy that I'm now aware of the many issues F-Droid has and I stopped using it altogether. I started using Obtainium for my app updates instead.
                I had to replace almost all of my apps (because of the different signature), but it was well worth it; I feel more at ease, and many apps are now updated a lot quicker too. Furthermore, there is no longer that additional middleman (F-Droid) that can be compromised.
                Thanks for all of the info guys!

                FlipSid what would be the error code, if there is one, in the case of a rejection?

                Error message is
                'package conflicts with an existing package'

                I think Obtainium can update apps in the background automatically.
                In both the Apple App Store and Google Play, the auto-update feature won't update your apps as soon as a new version is released. If you want the latest update, you have to manually check for updates or even check apps one by one (Apple). This is annoying.

                  Dumdum

                  I do all updates manually. I don't like not controlling updates and have never understood people's obsessions with automatic updates.

                  I am very fond of having control over updates too! So much so that I revoke network access from the GrapheneOS system updater until I'm ready to install the update, since as of right now it automatically downloads the update, which is undesirable for me. I don't want anything being downloaded until I'm sure I'm ready to install it in the first place.

                  I also mainly use RSS feeds for apps now. I use obtainium only to fill in the blanks where RSS feeds are not available. I of course still use AppVerifier before installing where applicable.

                  Honestly it's kind of nice seeing people with similar preferences on updates.

                  Upstate1618 Play Store is perfectly capable of automatically updating your apps.

                  I've never seen Obtainium automatically update any of the apps, even though it's been enabled and the apps were installed via Obtainium, not another app, and even manually updated via Obtainium at least once (so Android has correctly set Obtainium as the installation source). Obtainium even has unrestricted background permissions. As such, I don't think Obtainium is in any way reliable for automatic updates.

                  So it is already reported (https://gitlab.com/fdroid/fdroidserver/-/merge_requests/1466#note_2281771672) that this issue would not significantly impact apps in the f-droid.org repo. I know of reproducible builds (to my understanding the APK is directly uploaded if the build is reproducible). But isn't this similar to downloading the APK directly from the developer's repo? Wouldn't that carry the same risk?

                  Can somebody offer some guidance on how to proceed? I want to avoid proprietary software on my phone whenever possible...

                  I have always been thinking about the situation like this:

                  PlayStore: relatively high security but not always safe to install (there was malware in the past)

                  F-Droid: relatively low risk of installing malware if built by F-Droid, and you need to trust the dev if the build is reproducible - risk of signature pinning, but this would not affect already-installed apps, right?

                  Directly from source: you need to trust the developer and the source that the uploaded binary is safe.

                  Is my picture of this situation correct? Am I missing out significant points? If I am correct, would it be that dumb to keep using F-Droid for updates?

                  Anyway, thank you for pointing out this issue and spreading awareness!

                    ParanoidAndroid F-Droid: relatively low risk of installing malware if built by F-Droid

                    That's not entirely true. F-Droid only scans with badness enumeration in mind, like a traditional antivirus. You are still at risk of getting malware in there if it is custom-written. They have no way to check it - they don't audit apps manually.

                    Also "it only affects F-Droid repo". WTF? F-Droid still exists today only because of 3rd party repos. So you either fix all of it or none of it.

                      DeletedUser87

                      I don't know how the repo system works with F-Droid, but how would you make sure that 3rd-party repos are safe? Is that even possible?

                      Isn't that still safer than having no audit at all? (For example when you use the binary from github)

                      ParanoidAndroid So it is already reported (https://gitlab.com/fdroid/fdroidserver/-/merge_requests/1466#note_2281771672) that this issue would not significantly impact apps in the f-droid.org repo.

                      Thank you for this link. It answers the question I had: what the implications of this certificate pinning vulnerability are.

                      Actually, according to F-Droid developers looking into this security vulnerability, it does not affect the default F-Droid repository at all, as the vulnerable functionality isn't even being used. All APKs have also been scanned as an extra precaution, with no signs of any tampering. Some third-party repositories might be using the vulnerable functionality, so they are working on a fix with high priority.

                      It is still not clear to me where it is they are using certificate pinning or why, but that question is not so important to answer anymore, as they are doing it in some very specific, optional and disabled-by-default configuration only, according to F-Droid developers.

                      ParanoidAndroid I have always been thinking about the situation like this:

                      PlayStore: relatively high security but not always safe to install (there was malware in the past)

                      F-Droid: relatively low risk of installing malware if built by F-Droid, and you need to trust the dev if the build is reproducible - risk of signature pinning, but this would not affect already-installed apps, right?

                      Directly from source: you need to trust the developer and the source that the uploaded binary is safe.

                      Is my picture of this situation correct? Am I missing out significant points? If I am correct, would it be that dumb to keep using F-Droid for updates?

                      I would say you have about the same protection from generic malware in both Google Play and F-Droid. The important thing is that they would both remove an app from their repository the moment someone reports there is malicious code in the app or its source code. And they will both make sure they have the genuine version of a certain branded app, and remove any non-genuine versions as soon as it would be reported to them. This is the big level of protection you get: a root of trust. You don't get that if getting the app directly from the developer, on GitHub or similar (unless the app happens to be in AppVerifier, in which case you can verify it anyway).

                      Personally I would never trust Google Play Services or any Google integrations in my threat model, since Google is one of the parties that has acted hostile towards my minority. The risk they would inject code to spy on us is maybe not that big, but the risk F-Droid or anyone in the open source community would is way way smaller. I looked into getting Google Play Services free versions of my privacy sensitive F-Droid apps directly from the developers, but they say no, use F-Droid. They only publish the Google Play version of their apps on GitHub.
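Two mechanics run through this thread: the "package conflicts with an existing package" error when an F-Droid-built app is replaced by a developer-signed one, and the signing-certificate fingerprint that AppVerifier-style tools let you compare against what the developer publishes. Both rest on the same identity: the SHA-256 over the DER of the APK's signing certificate. The script below is an added example for this thread, not code from AppVerifier, Android, Obtainium or F-Droid. It uses only the Python standard library, walks the PKCS#7 SignedData blob in META-INF/CERT.RSA (the v1/JAR signing scheme) to pull out the signer certificate, hashes it, and applies the simplified rule Android enforces: an update whose signer differs from the installed package is refused. The helper names (`signer_fingerprint`, `update_allowed`, `make_apk`, `placeholder_cert`) and the certificate bytes are assumptions constructed here so it runs offline; the "certificates" are DER placeholders, not valid X.509. For a real APK use `apksigner verify --print-certs`, which also covers the v2/v3 signing schemes (and v3 key rotation) that this v1-only walk does not.

```python
"""Signer-fingerprint check for an APK (v1/JAR signature only).
Added example, not AppVerifier's, Android's or F-Droid's code; stdlib only.
The certificate bytes are constructed placeholders, not valid X.509."""
import hashlib
import io
import zipfile

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def der_len(n):
    """DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def parse_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, pos, pos + length


def certificates_from_pkcs7(blob):
    """Walk ContentInfo -> [0] SignedData -> certificates [0] and return the
    raw DER of each certificate, which is what META-INF/CERT.RSA carries."""
    tag, s, _ = parse_tlv(blob, 0)                    # ContentInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, s, e = parse_tlv(blob, s)                    # contentType OID
    if tag != 0x06 or blob[s:e] != OID_SIGNED_DATA:
        raise ValueError("not PKCS#7 SignedData")
    _, s, _ = parse_tlv(blob, e)                      # [0] EXPLICIT content
    _, pos, _ = parse_tlv(blob, s)                    # SignedData SEQUENCE
    for expected in (0x02, 0x31, 0x30):               # version, digestAlgorithms, encapContentInfo
        tag, _, pos = parse_tlv(blob, pos)
        if tag != expected:
            raise ValueError("unexpected SignedData layout")
    tag, cs, ce = parse_tlv(blob, pos)                # certificates [0] IMPLICIT (optional)
    if tag != 0xA0:
        return []
    certs, pos = [], cs
    while pos < ce:
        _, _, end = parse_tlv(blob, pos)
        certs.append(blob[pos:end])                   # whole Certificate TLV
        pos = end
    return certs


def signer_fingerprint(apk_bytes):
    """SHA-256 over the signing certificate DER: the value you compare against
    the developer's published fingerprint before trusting a direct download."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        sig_files = [n for n in z.namelist() if n.startswith("META-INF/")
                     and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        if not sig_files:
            raise ValueError("no v1 signature block in APK")
        certs = certificates_from_pkcs7(z.read(sig_files[0]))
    if len(certs) != 1:
        raise ValueError("expected exactly one signer certificate, got %d" % len(certs))
    return hashlib.sha256(certs[0]).hexdigest()


def update_allowed(installed_fingerprint, update_apk_bytes):
    """Simplified Android rule: an update must be signed by the same key as the
    installed package, otherwise it is refused as a conflicting package."""
    return signer_fingerprint(update_apk_bytes) == installed_fingerprint


# --- constructed sample data (placeholders, not real certificates or APKs) ---
def placeholder_cert(subject):
    """Stand-in for a DER Certificate TLV; only the outer structure matters."""
    return tlv(0x30, tlv(0x30, tlv(0x02, b"\x01") + tlv(0x0C, subject)))


def make_pkcs7(cert_der):
    signed_data = (tlv(0x02, b"\x01")                  # version
                   + tlv(0x31, b"")                    # digestAlgorithms (empty here)
                   + tlv(0x30, tlv(0x06, OID_DATA))    # encapContentInfo
                   + tlv(0xA0, cert_der)               # certificates [0] IMPLICIT
                   + tlv(0x31, b""))                   # signerInfos (empty here)
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, tlv(0x30, signed_data)))


def make_apk(cert_der):
    """Minimal zip carrying the JAR-signing files of an APK v1 signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder/>")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", make_pkcs7(cert_der))
    return buf.getvalue()


DEV_CERT = placeholder_cert(b"developer release key")
FDROID_CERT = placeholder_cert(b"F-Droid build key")
DEV_FINGERPRINT = hashlib.sha256(DEV_CERT).hexdigest()

if __name__ == "__main__":
    installed = signer_fingerprint(make_apk(FDROID_CERT))   # app first installed from F-Droid
    print("installed signer:", installed)
    print("update from F-Droid allowed:", update_allowed(installed, make_apk(FDROID_CERT)))
    print("developer APK over F-Droid install allowed:", update_allowed(installed, make_apk(DEV_CERT)))
```

The last line of the demo is the situation described earlier in the thread: an app installed from an F-Droid build cannot be updated in place with the developer's own APK, because the signer differs, so the only path is uninstall and reinstall. The same fingerprint comparison, run against a value the developer publishes out of band, is what turns a bare GitHub download into something you can verify.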

                        ryrona

                        It answers the question I had: what the implications of this certificate pinning vulnerability are

                        Can you please explain what the implications are?