Is using Obtanium or getting apks from git repos is LESS secure than F-droid?

brook

23Sha-ger You keep comparing Windows to GOS in terms of architecture and app sandboxing.

That is not true.
I compare the way of installing binary applications that is popular for Windows users (download some exe file somewhere and install it) and approach of installing binary apk files using Obtanium or manually installing it from some third-party websites. I think it is similar.

It's not related to GOS security itself nor it sandboxing, I did not said it, please read again.

23Sha-ger Do we have an example of a malware that was published via Github and was able to bypass the GOS permission model?

I do not no such examples. But I do not talk about it. The point of discussion - how is it more secure to install third-party apps. I consider "having malicious binary app without sources but with Network and other permissions" to be screwed already, even if the app is still sandboxed.

The topic is this:
Which way you have lower probability to get MALWARE or SPYWARE? Using 10 github repos or 10 the same apps from f-droid?.

23Sha-ger They missed the Wireguard auto-update insertion and found about post factum, if that was not a popular app,
that "backdoor" could exist for years.

OK, let's take your example. How exactly using Obtanium for downloading apks from this Wireguard project's git repo make the problem any less? HOW EXACTLY?

23Sha-ger

brook How exactly using Obtanium for downloading apks from this Wireguard project's git repo make the problem any less? HOW EXACTLY?

You are finally starting to get the point. If both approaches won't stop the app developer from adding a potentially
malicious code, why should you trust an additional 3d party that is screwing up with minSDK and signatures?
If you are building the source yourself that's another thing, but delegating it to an incompetent project that
forgets to update it's own TLS certificate every now and then (just search "fdroid certificate expired") that's
something way worse. I'm not even talking about the fact that if they close, or pull a Calyx, all the users are
screwed and will have to reinstall all their apps.

https://gitlab.com/fdroid/fdroid-website/-/issues/883

brook

23Sha-ger If both approaches won't stop the app developer from adding a potentially
malicious code

Why? What is your proof of that statement? In case of f-droid there is reasonably high chance the problem will be caught even on pre-publish stage. You use a factually wrong statement to base your argument. A single example of app adding a auto-update feature and missing checks is not an argument. You will not drop a system when it was tricked or even hacked. It still is way better than no protection at all.

23Sha-ger If you are building the source yourself that's another thing, but delegating it to an incompetent project that
forgets to update it's own TLS certificate every now and then (just search "fdroid certificate expired") that's
something way worse.

Almost nobody here nor you for sure, compile their apps from sources, right? So, compare

installing after 3rd-party checks and compiling from sources to
installing unchecked binary blob from some kind of random web pages pages of some unknown people on internet. Which most of users do in case of using Obtanium like that.

About being screwed. You wrongly said that I was talking about GOS sandboxing being broken. Well, that can eventually happen, but I was talking about more trivial to implement scenarios:

You use custom FLOSS telegram client from some github page (e.g. via Obtanium). It has 1500 stars.
The account of this project's dev gets hacked, or they gets bribed, or threatened, or paid to sell it, or just decided to do bad things themselves.
The release page of this github projects gets new "Release", completely unrelated to sources. Obtanium would install it to you almost instantly, you got malware without any protection.
This app will already have Network permissions obviously, even in case of GOS. And let's even say no other permissions at all.
This release would send your account, password, your chat history, your most private and most valueable information to somebody.

I call it screwed. And please notice, that GOS sandboxing was not broken at all, while you are screwed with Obtanium and a project with 1500 stars on github.
It's the worst possible way to install or update FLOSS applications.

In case of f-droid there is quite real chance you will be saved from this.
After all we know a lot of cases with real viruses in Google Play store, and probably 0 in f-droid?

brook

23Sha-ger https://gitlab.com/fdroid/fdroid-website/-/issues/883

What about this link? I see that an issue, that certificate got outdated, f-droid on the same date got 5+ reports about this issue and fixed it on the same day. Good enough.

Just do not install apps if you browser says that the connection is not secure with huge red text or does not allow you to enter the website.

Compare it to publishing an apk release with malware addition in any random github project. How long will it be addressed if the dev decides to do so? In a year? Never?

other8026

Locked because of a rude comment about our team (saying they don't care about what we say and that we're not objective, implying that the reason we advise against using F-Droid because of "bad blood" and not facts is both rude and misinformation), and because it seems to me that some here aren't discussing this topic in good faith. It's not appropriate to ask a question, then argue with everyone who doesn't agree with your point.

We want our users to be informed, so we tell them about issues with F-Droid. Many people in other communities don't know about F-Droid's issues or don't care. That's not our problem and people are free to do as they please with their own devices.

Edit 1: Reworded some things
Edit 2: I have gone through and removed posts that crossed one line or another and replies to those posts.

« Previous Page