Best way to update manually installed APKs?

0260

Hello! I'm trying to avoid using Google Play. I've got it installed in a separate user profile for my banking app, but I'm kind of using that profile like a quarantine, only for essential apps that I very rarely access and typically don't want running.

I'm using Thunderbird for mail at the moment, although I'm migrating to Proton and will use their app. For these apps, I've just been downloading the APK manually.

What do other people do in terms of keeping these apps updated? Do I have to just keep tabs on it and check for a new release every so often, and then uninstall and reinstall the app? It's not something I've had to worry about before.

geko

0260
I only have two extra apps and download them manually. I keep tabs on them and when an update is available I download it and install it. When I download and install the newer version, there is always a dialog stating do you want to ' update' the app. Click yes and the older version is updated, rather than delete and install.

r134a

Depends on from what source u install them manually. But generally it's recommended here to install them from github, and u could use obtanium to automate the update process when source is github.

0260

Sounds like Obtanium might be what I'm looking for. Proton definitely uses GitHub for their direct APK.

r134a

0260 So is thunderbird: https://github.com/thunderbird/thunderbird-android/releases

r134a

Also, if u installed them initially from another source, from a security perspective it's adviced to not allow it to update that app then from another source (obtanium then in this case), as it would allow generally from that point on updates to this app from any source.

I would recommend deleting the apps (if installed from another source), reinstalling them through obtanium directly and restoring settings from backup. (Thunderbird lets u backup settings, not sure about proton).

Watermelon

r134a from a security perspective it's adviced to not allow it to update that app then from another source (obtanium then in this case), as it would allow generally from that point on updates to this app from any source.

That's not true, any app installed for the first time has its signing key pinned in order to cryptographically ensure that all future updates originate from the same app author. App stores can silently update apps if they were the last source the app was installed or updated from (as listed in the Settings app) and if the updates are signed with the same signing key. If it wasn't the last source then it requires user interaction to update and will prompt you, but once you approve the app to be updated it should succeed. There's no security risk here, the risk is in the initial installation only when the signing key isn't pinned yet.

r134a reinstalling them through obtanium

That's terrible advice and contrary to what's generally recommended. Obtainium is untrustworthy and, in my opinion, worse than getting APKs manually. Again, that's not a problem for updates, but you're telling them to reinstall through it. I recommend against getting apps for the first time or reinstalling them through Obtainium or any other shady source.

andrej567

I was going to ask the same, I am not completely happy about obtainium, its not a true app store, just a helper to get something from web, installing something from somewhere... I hope Accrescent store will have more and more apps. Maybe the end of amazon store will accelerate this.

r134a

Watermelon Thanks for clearing that up. I've got this impression as when u for example install an app from f-droid, and then later update it from girhub, u will get the alert:

Update this app from X?
This app normally receives updates from Y, by updating from a different source, you may receive updates from any source on your phone. App functionality may change.

I don't really agree with obtanium being shady, but i don't feel the need to counter that aswell.

brookie229

Watermelon

Not being contrary, but is Obtainium really untrustworthy? I thought that this app was kind of recommended (even by Graphene OS devs). I've been using it exclusively for 2-3 years now.

rellhom

Watermelon There's no security risk here, the risk is in the initial installation only when the signing key isn't pinned yet.

isn't there a possible security risk if the original source is compromised?

fid02

Watermelon

Oh, I see the small button now. My eyes usually skip buttons that look like that. But not really clear how that makes Obtainium "untrustworthy".

Watermelon Obtainium is untrustworthy and, in my opinion, worse than getting APKs manually.

andrej567

brookie229 probably the concern is about obtainium updating itself, apk comes from "somewhere", a web server that can be compromised, not a store with higher security. If you give obtainium the rights to install apps, it can install practically anything... I am not blaming the "true" obtainium, but the fake one you'd get after obtainium would update itself unluckily to a version that somehow someone put on the server where it looks for its updates.

Watermelon

brookie229 is Obtainium really untrustworthy?

Check the official GitHub repository, which contains political messaging. I'm not sure the author values the integrity of their app above their political values. EDIT: I'm saying it because there have been news in the past of developers that maliciously compromise their own software for a political purpose. If my memory serves me well, this has happened at least one time, for example, with an npm (Node.js Package Manager) module.

brookie229

andrej567

Maybe I need to rethink my app update method. I think Side of Burritos has an alternative method that I need to revisit. Thanks for quick reply.

Carlos-Anso

andrej567 If you give obtainium the rights to install apps, it can install practically anything..

User has to approve all app installs on GrapheneOS, app stores can not just install new apps without user consent.

Can download Accrescent from the GrapheneOS app store. Then get App Verifier from Accrescent which lets you check the hash of the signature for any apk you have downloaded or app you have installed. This makes it possible to confirm you have a genuine build of any app.

andrej567

Carlos-Anso Desperately waiting for more and more apps to appear in Accrescent

DeletedUser227

Let's just remind ourselves that genuine does not always equal secure and/or private and that electronic hygiene (in terms of what app ecosystem and its online interconnectedness we choose to rely on) should play important role in our lives. Simple setups provide less entropy (chaos) and attack surface and should be preferred.

fid02

Watermelon Check the official GitHub repository, which contains political messaging. I'm not sure the author values the integrity of their app above their political values.

I can't see anything resembling politics in that link. Also took a quick look at the wiki and it seems like just normal software documentation?

Watermelon

fid02

Watermelon If my memory serves me well, this has happened at least one time, for example, with an npm (Node.js Package Manager) module.

I found it:
https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/
For example.

Watermelon

zzz Some projects advertise their politics, and some don't.

You're missing the point. It's not about whether they have or don't have a political stance.

Watermelon I'm not sure the author values the integrity of their app above their political values.

The point is whether they value the integrity of their app over political ideas, or they value political ideas over the integrity of their app. This political banner is an indicator that it's more likely than otherwise to be the latter rather than the former.

rellhom

fid02

I looked too and it is there, small at the top of the readme, definitely political and a turn off