using aurora - do I delete all apps and reinstall them via Obtainium?

nervousball

Hi folks, as the title says - recently noticed quite a lot of talks that Aurora Store is not really verifying signatures and authenticity of apps and that I would be better off using Obtainium

Also was told to ditch F-droid

Question - I have already installed Obtainium via f-droid. Do I delete all apps I have, one by one and install it via obtainium just to be safe?

Or is there a way to verify if current apps that were downloaded from aurora store are “authentic” ?
if yes, do I add GitHub URL via obtainium of required apps and somehow verify it?

Would appreciate some workarounds saving me loads of manual work but of course don’t want to sound lazy - if deleting app and downloading via obtainium is more secure way - I will do it

Many thanks and apologies if question is silly - not very tech with phones and degoogling yet

nervousball

a little update, i've been updating / adding some apps via obtainium - app has also very nice design..

what im not sure/confident enough is that potentially, i might have downloaded some malware/bloatware from previous apps versions via f-droid / aurora store, so perhaps a technical person could confirm the below?

if lets say there was a malware in my previous MullvadVPN / Signal app that i have downloaded from aurora store (as they dont check signatures/authenticity of the app), and now i still have this app and added it to be updated via obtainium...if i had that malware files inserted, once obtainium downloads it via source link, eg github page for .apk install file...will that automatically delete those malware files from previous version and override with correct and safe direct dev authentic source code URL? or will it potential keep those infected files just update to newer version?

might sound confusing but i hope i got a point here..

Byku

Don't worry, apps from Aurora Store and F-Droid aren't malware/bloatware. That is not what they are are criticized for.
Aurora fetches apps from the official Play Store, not from some random place.
If you want to verify your apps are original download the app called App Verifier from Accrescent store. You can use it to compare the signing key hash if the author has posted one or if one is in App Verifier database. There is also a thread in this forum with hashes for more apps.
Note that metadata verification is only important when you install an app for the first time since you cannot update an app if it was signed by a different party.
Neither Aurora store nor Obtainium support metadata verification btw. Obtainium is used to download directly from the authors repository - in this case there is no middle man but your completely trust the author. It's basically like downloading from a random site, it is up to you to make sure that what you are pointing Obtainium to is the genuine repository. Obtainium should ask you to use App Verifier before commencing with the installation though.
If your apps are genuine than you don't need to reinstall them, they should update from a different source when the signing key matches.
Apps from F-Droid are a different matter, because they use F-Droids own signing key and cannot be updated by another source, so if you want you'll have to reinstall those. The app versions from Play Store, github or F-Droid can differ between themselves e.g. Play Store/github versions may have trackers, while F-Droid versions will most likely not support notifications so it pays off to read about those differences before deciding which version you want.

harp

Byku Apps from F-Droid are a different matter, because they use F-Droids own signing key and cannot be updated by another source, so if you want you'll have to reinstall those.

Not mandatory. Sometimes developers publish the F-Droid release of their apps on their own Github site or for example on openapk.net you can also find F-Droid versions. For instance that's the case for SherpaTTS and other apps of it's developer. And: openapk.net publishes the signing fingerprints to compare with AppVerifier while you can't find them on F-Droid. So you're able to verify apps downloaded from F-Droid (of course only if they really are the F-Droid versions on openapk.net).

nervousball

Byku hello, thank you for thorough response and the explanation - makes sense.

i have few questions please. my situation at the moment:

i have installed Obtainium and added some source URLs such as you mentioned - main and official github repository for that app. never liked aurora store as i dont get notifications of available updates timely and it does not install apps, majority of them fail and i have to restart app or try multiple times again..very glitchy with lots of errors so i assumed i got something malicious going on - main and official github repository for that app. thing is i only heard and used AppVerifier after adding few apps via Obtainium, so it doesnt prompt me to scan it via AppVerifier at all.. shall i uninstall Obtainium and install it again so this gets triggered?
i checked AppVerifier and some apps are ticked automatically. some cant be found in database..as a newbie here..how do i verify the signature? do i need to find out where main repository of that app is, for example on github and locate signature key? then copy past to appverifier app for that specific app that im querying? im i thinking correctly here? or is there any other app / way to verify apps with wider database? you did mention a thread over here, perhaps i could use that one? still - using signature information i could then go to appverifier and match signature information, right?
is there sort of stock OS antivirus or can i install one just to make sure all is safe and sound and i dont have any malicious files or viruses?
in regards to trackers added on github / f-droid, arent those published files the same on play store for example? i imagine that if main dev using official page on github for that FOSS app, wouldnt but of course, they could add potential trackers..but google play store can also add something in there..not sure if im making my self clear but of course as you said, repository's trust totally depend on me - i assume play store has strict compliance checks for it but apps such as Exodus could show what sort of trackers are there...

again..dont think we could freely use apps for our everyday's use in our lives with 0 trackers at all for all purposes..hence i also run nextDNS

Byku

nervousball thing is i only heard and used AppVerifier after adding few apps via Obtainium, so it doesnt prompt me to scan it via AppVerifier at all.. shall i uninstall Obtainium and install it again so this gets triggered?

It does so only if you install a new app, not during the updates.

The weak point of App Verifier is that the dev did not provide any way for others to contribute and they seem to no longer be updating the app. There is a thread titled "Let's compare hashes..." or something like that. You can search there or you can ask the author of a missing app to publish a hash somewhere.

Antivirus has very limited usefulness on an Android compared to PC. There is a FOSS one called Hypatia that can scan for known malicious apps. You can also upload an apk file to VirusTotal.

A meticulous dev should provide a list of all domains their app connects to and why. This sort of information should be in the documentation the dev publishes. As an example you can check how the app called FairEmail differs depending on which source you use - it's dev has this documented fairly well.

nervousball

Byku thank you for your patience and your help here, very kind :)

glad to learn something new everyday

nervousball

Byku have a question thought ,just out of curiosity:

lets say i had an app downloaded with infected files or additional files, such as trackers from aurora or f-droid or downloaded it myself from the website, and manually installed .apk file...

now i do have said app installed on my phone

and - i add source URL via obtainium to keep updating the files via github official main repository..

when new version launches, obtainium will update it - meaning:

will it delete all files of old version and update to new ones = cleaning malicious files;
or
new version will be updated BUT malicious files will remain from previous time?

perhaps you know how would that work?