Is using Obtanium or getting apks from git repos is LESS secure than F-droid?

brook

How come people consider using Obtanium (or manual installation apks from different git repos) in any way more secure than just using F-droid?

I mean, kudos and thanks to Obtanium authors, their app is probably great, but the whole approach is very insecure, let me demonstrate why:

Let's imagine you use only 10 FLOSS apps, from 10 github repos.

Obtanium with github repos:

You can install these apps using Obtanium from github, and any of these apps can become spyware, malware, adware at any moment. No guarantee what so ever. E.g. repos can be hacked, authors can sell the project or turn malicious.
You have to rely on reputation of 10+ different people, some of which are unknown and have accounts with only 1-2 years history. Any one of them can screw you totally at any moment, push spyware and only lose their 2-years anonymous developer reputation (almost zero loss).
Obtanium does not even provide any verification that apks are in any way connected to the source code from the repo, it takes them from Release page, that can contain anything completely unrelated to the source code in git repo itself.

F-Droid:

You install all apps that have their code some-what checked before making apk, there is at least some verification, probably better than in google store, due to projects being FLOSS.
You almost only have to trust F-Droid, the project that is well-respected and exists for 15+ years. Reputation to lose is huge. Main team members are also not anonymous.
There is almost 100% certainty that the actual github code was used to actually build pushed apk file. And propritary blobs were removed properly. Even reproducible builds are supported to reduce trust-me-bro factor.

So, how can one consider Obtanium or grabbing apks from github repos to be a secure way of managing your software?

23Sha-ger

brook there is at least some verification, probably better than in google store

brook And propritary blobs were removed properly.

brook So, how can one consider Obtanium or grabbing apks from github repos to be a secure way of managing your software?

By reducing one unnecessary 3d party.

Dumdum

brook You can install these apps using Obtanium from github, and any of these apps can become spyware, malware, adware at any moment. No guarantee what so ever. E.g. repos can be hacked, authors can sell the project or turn malicious.

And Fdroid can also be taken over at any moment. At which point every single app that is available on their repo is now at risk due to them using the same signing keys for all apps. I would rather trust individual apps with separate signing keys so that any harm done is isolated to specific apps, which can be disabled or uninstalled individually.

You have to rely on reputation of 10+ different people, some of which are unknown and have accounts with only 1-2 years history. Any one of them can screw you totally at any moment, push spyware and only lose their 2-years anonymous developer reputation (almost zero loss).

Then don't use such "new/unknown apps". Stick to more well known ones. Github has a star system. Use apps with lots of stars (and therefore more attention on them). This is true regardless of whether you have apps on Github with 10 stars, or apps on Play Store with only 2000 downloads.

Obtanium does not even provide any verification that apks are in any way connected to the source code from the repo, it takes them from Release page, that can contain anything completely unrelated to the source code in git repo itself.

This is more the fault of app developers themselve if anything. Developers can and should be providing hashes that people can use to verify installations. The lack of this being the case shouldn't really be pinned on Obtainium.

You install all apps that have their code some-what checked before making apk, there is at least some verification, probably better than in google store, due to projects being FLOSS.

GOS developers have repeatedly stated that the "checks" are basic/flawed and don't really do much, which would therefore lead to a false sense of security. The example typically used is Wireguard adding their own self-updater (against Fdroid's rules) and Fdroid didn't even notice till much later.

You almost only have to trust F-Droid, the project that is well-respected and exists for 15+ years. Reputation to lose is huge. Main team members are also not anonymous.

"Well-respected" by who? From what I've seen, they have repeatedly shown to not care all that much about security, often putting software ideology above security. I've not really heard good things about them from the GOS devs either, who I frankly trust and respect a lot more than the Fdroid team.

So, how can one consider Obtanium or grabbing apks from github repos to be a secure way of managing your software?

Its not so much that Obtainium is a "secure" way to get apps. More that it is better (in the minds of some people) to skip unnecessary middle men and get apps directly from developers themselves, especially when the signing keys of individual developers are used instead of a universal third-party (Fdroid) key.

gristle-cause

brook how can one consider Obtanium or grabbing apks from github repos to be a secure way of managing your software

Your premise is flawed. Obtanium does not offer more or less security than FDroid. It simply shift the trust

With FDroid, you are trusting the FDroid team to provide secure APKs

With Obtanium, you are trusting individual app developers to provide secure APKs

The only app source that offers any additional security is Play Store, with its Play Protect features. All other methods simply place trust in a different external party. You, as the user, must decide which party is more trustworthy for each app you install

brook

23Sha-ger By reducing one unnecessary 3d party.

That's insane. Instead of installations apks that ARE BUILT from source code by independent 3d party, you would better use apks that are binary blobs that can easily have ZERO connection to any published source code.

It's such a Windows-way, just installing exe files from different websites and getting malware at some point.

xxx

23Sha-ger By reducing one unnecessary 3d party.

That's true.

eggy

Dumdum Then don't use such "new/unknown apps". Stick to more well known ones. Github has a star system. Use apps with lots of stars (and therefore more attention on them). This is true regardless of whether you have apps on Github with 10 stars, or apps on Play Store with only 2000 downloads.

This is bad advice. GitHub stars can be bought in the same way that you can buy play store downloads, instagram likes, etc...

NetRunner88

Fdroid is garbage.
This has been discussed here multiple times with strong facts.

brook

NetRunner88 This has been discussed here multiple times with strong facts.

Can you provide real logical points how installing unknown binary blobs, that can have zero connection to any published source code, from dozens of places can be more secure compared to installing apks built from actual source code?

The only case I see if F-droid itself gets hacked. But it's still much less probable than any of dozens github accounts getting hacked.

23Sha-ger

brook
If you are talking about malicious app developers, they can do exactly the same with F-droid:
https://gitlab.com/fdroid/fdroiddata/-/issues/3110

If the Wireguard developer wanted to push a malicious update, he could do this before the app was pulled
off from Fdroid. Just demonstrates that a 3d party building from source adds no practical security.

brook

23Sha-ger your link has a discussion that apps that have auto-updates are considered possibly dangerous and this function can be restricted in F-droid version. I consider it to be a good point.

So, we see a discussion and possibly some actions for such cases. While Obtanium would blindly install anything: such apps with auto-updates, or even full new malicious github release.

How exactly installing unchecked binary apk without any connection to source can be better?

P.S. It's like saying "haha, GNU/Linux was once hacked (or in this case had code an unintended policy violation), so I consider GNU/Linux be as secure as Windows 95 (which actually has no checks nor security at all)".
Not a strong point to me.

EverettHitch

23Sha-ger

23Sha-ger developer wanted to push a malicious update, he could do this before the app was pulled
off from

This potentially applies to any Play Store app until it is removed and it DOES happen

NetRunner88

brook
At some point just search on the forum here it is not too hard, there is even technical view from GOS devs
You make no effort

brook

NetRunner88 At some point just search on the forum here it is not too hard, there is even technical view from GOS devs
You make no effort

OK, then I consider you comment Fdroid is garbage completely weak and factually wrong. Bye.

EverettHitch This potentially applies to any Play Store app until it is removed and it DOES happen

I agree with this. Any moderation and reviews can fail eventually, even a good one.
And of course it would still better that getting APKs from github without any moderation, nor guarantees, nor code review at all.

brook

gristle-cause With FDroid, you are trusting the FDroid team to provide secure APKs

With Obtanium, you are trusting individual app developers to provide secure APKs

Yes. So, by whom is more probable to be tricked, by:

F-droid project existing for 15+ years with real people behind and good reputation (even Obtanioum provides F-Droid as one of main ways to install it!).
Any person among dozens of semi-random and often anonymous or unknown developers?

gristle-cause The only app source that offers any additional security is Play Store, with its Play Protect features.

This is false, obviously.
Building APK files from actual sources by trusted 3rd party is a HUGE improvements over installing binary programs from some websites and even from Play Store, that is full of adware, spyware, malware and etc.

Byku

brook Building APK files from actual sources by trusted 3rd party is a HUGE improvements

Well, I'll give you that. It truly leverages the benefits of open source software. But AFAIK GrapheneOS does not consider F-droid as trusted. I'm not speaking for the GOS devs but they expressed that a shared signing key is a one big point of failure to consider. There is generally bad blood and distrust between those 2 teams. Personal anymosity aside these 2 projects focus on different aspects: GOS is "security at all costs" while F-droid is "FOSS at all costs". Look at how they approach hardware:

GOS only supports one brand of devices with cutting edge security chips
FD goes out of its way to support older devices for people where access to smartphones is limited

One approach focuses for security, the other on ideology. You can see how F-droid refuses to update the target SDK of their main client app because they consider some functions they'd have to cut more improtant.

GOS recommendations is basically telling you bluntly "No matter what you do you can't avoid having to trust the developer of the APK you are using." What the storefront can do is make sure you can safely downloaded what is a genuine article from the real dev. That's basically it. Accrescent focuses on detecting general dangerous permissions in apps. F-droid scans for specific libraries. It's rather good at detecting proprietary blobs. It did detect when Organic Maps placed commercial stuff from Kajak in their app. It did not detect when Wireguard changed their source code to allow it to become an installer. This happened because source code is manually checked only when the repo is first provided. After that it's an automated process of compiling and mass signing them. A similar vulnerability exists and was used to deliver malware on the Steam platform. They check the games for malware when first submitted but not when an update rolls later on. The long delays for updates on the F-droid repo are not the result of them meticulously checking each update but of how their outdated infrastructure works. Yes, they are a venerable project but their infrastructure is showing it's age too. It cannot properly support 3rd party clients without ddosing itself for one. And they don't seem to be keen on upgrading. Both on Github and on this forum you will find discussions about vulnerabilities found in the F-droid backend that were submitted to them by people analyzing the source code. They usually dismiss it or if they patch they do the bare minimum.

Bottom line is F-droid is not a security oriented project hence not recommended by the developers of a security oriented OS. Sorry for the rant. Just be aware of the full picture before you commit to one or another.

gristle-cause

Byku Accrescent focuses on detecting general dangerous permissions in apps. F-droid scans for specific libraries. It's rather good at detecting proprietary blobs

This is good information I was unaware of - thanks for sharing!

23Sha-ger

eggy GitHub stars can be bought in the same way that you can buy play store downloads, instagram likes, etc...

That's not the point. With enough funds, entire FOSS projects can be bought and it happened in the past.
The vast majority of Play Store apps are not open source. So having a source on Github is a bonus, but it
doesn't guarantee anything. Trusting another party to build an app from source with old target SDKs and poor
update mechanisms doesn't guarantee anything as well, it just adds another point of trust.
GOS sandbox and Android permission model limits the way even intentionally malicious apps can exploit
the system. Unless you grant dangerous permissions like device admin, accessibility, adb - that is your
first line of defense. Fdroid cannot protect you from malicious developers.

brook

[removed quote and response to removed post]

After all, I am socked that people prefer and consider more secure to

install binary blobs from different websites (Windows approach) without any protection, instead of
using trusted maintainers who are responsible for building applications from source code (f-droid approach, similar to GNU+Linux, and some BSDs).

The situation is so shocking to me, that I am thinking I am missing something (some arguments for the first approach?).

Currently I think this is very insecure and dangerous. One have to trust all and each of github devs, who can screw all its Obtanium users at any moment with NO resistance what so ever.

23Sha-ger

brook binary blobs from different websites (Windows approach)

You keep comparing Windows to GOS in terms of architecture and app sandboxing. This is not how apps
work on Android. Do we have an example of a malware that was published via Github and was able to bypass
the GOS permission model? I'm not saying it's impossible, but it would be way too expensive and valuable to
develop just for wasting it on infecting some random users with no actual outcome.

They missed the Wireguard auto-update insertion and found about it post factum, if that was not a popular app,
that "backdoor" could exist for years. Just like the XZ-utils backdoor could exist for years.

https://privsec.dev/posts/android/f-droid-security-issues/

brook

23Sha-ger You keep comparing Windows to GOS in terms of architecture and app sandboxing.

That is not true.
I compare the way of installing binary applications that is popular for Windows users (download some exe file somewhere and install it) and approach of installing binary apk files using Obtanium or manually installing it from some third-party websites. I think it is similar.

It's not related to GOS security itself nor it sandboxing, I did not said it, please read again.

23Sha-ger Do we have an example of a malware that was published via Github and was able to bypass the GOS permission model?

I do not no such examples. But I do not talk about it. The point of discussion - how is it more secure to install third-party apps. I consider "having malicious binary app without sources but with Network and other permissions" to be screwed already, even if the app is still sandboxed.

The topic is this:
Which way you have lower probability to get MALWARE or SPYWARE? Using 10 github repos or 10 the same apps from f-droid?.

23Sha-ger They missed the Wireguard auto-update insertion and found about post factum, if that was not a popular app,
that "backdoor" could exist for years.

OK, let's take your example. How exactly using Obtanium for downloading apks from this Wireguard project's git repo make the problem any less? HOW EXACTLY?