F-droid or Obtainium or Github?

Draiodoir

Hello,

Questions from a non-tech average everyday mobile phone and laptop user. I'm not planning on trying to become a tech expert, nor do I have the natural ability to do so! :)

As a non-tech and a new Grapheneos user, I have a general understanding of the different functions of F-droid and Obtainium. F-Droid is an app repository. Obtainium is designed to automate tracking and update apps directly from source repositories like GitHub, GitLab, or F-Droid, bypassing centralised stores (I know Obtainium doesn't do this for all apps). And I understand you can also go directly to Github etc. I have managed to take myself through all these processes.

What I'm finding a bit frustrating is that I keep getting conflicting opinions and information about the safety and security of these sources. I do understand how to use AppVerifier.

How secure is F-droid?
How secure is Obtainium?
How secure is going directly to Github etc?

Also, depending on the app, it seems that sometimes I should download an app directly from the makers of the app, but other times I shouldn't. And I am steering clear of Google. I'm deliberately not using many apps at all for security reasons, but sometimes it is kind of necessary.

Does anyone have any advice? Thanks in advance...

kaisernatron

Draiodoir Obtainium is pretty good, it fetches all updates too which is important for security

dhhdjbd

Draiodoir

i would either use play store (for example with owner / user profile) or obtainium (that is just github / whatever but keeps your apps up to date)

there is really no need to use fdroid, i do not feel like you gain anything from it. (and grapheneOs offers alot of critic on them^^ so i do not would take that option)

The risks are, for github and similar, if you installed the real app, for updates,
that a developer of a app you use gets hacked and that then their credentials are used to publish a fake release.
Not sure if this like ever happend to a trustworthy app tho.

For playstore this is less likely/ almost unheard of.

(and biggest danger is when installing that it was not the real app, but that is what app verifier is for)

Novalissoide

Draiodoir How secure is Obtainium?
How secure is going directly to Github etc?

Obtainium goes directly to Github, if your app is sourced from there, goes directly to any supported source that you direct it towards. So, Obtainium should be about as secure as the manual route, minus the security advantage of Vanadium browser.

Johnnyloans

Draiodoir

I'd bet there are more instances of people downloading malware apps off of the google play store than on any other android app store. I'm sure you already know to perform a bit of due diligence before installing something.

Many comments that you'll see are like this:

Throw away your high heels ladies. Adding just 1 inch--2.5cm--to flats increases ankle injuries by 20,000%. Your bones will break soon--heels aren't best practice.

Just the other day, a person on this forum claimed that an encrypted hard drive is extremely easy to crack and read. Maybe for the USA's NSA and a subset of motherboards.

There was a crusade against Fdroid. Many people that are not technical still parrot the issues that they fixed 2-3 years ago. There is still a magnifying glass held to fdroid to this day.

"[If fdroid gets hacked, you might be unsafe.]"

Is fdroid the only org susceptible to hacks?

Besides, you'd have to find out an Fdroid dev's home address, buy a plane ticket, break-and-enter to obtain physical access to something that isn't on the internet.

Keep in mind that many people that you'll encounter are on the far end of security, perfection, and/or paranoia. Many people miss the forest for the trees and focus on the most convoluted, theoretical improbabilities.

We are more likely to be affected by a random, rogue, app dev--once trusted for years/decades. (e.g. event-stream 2018, node-ipc 2022, left-pad 2016).

Very little can be 100% in this world. We will have to trust someone eventually. We don't have the time to closely monitor every dev and repository. 99.999% is good enough.

Johnnyloans

First, have you thought about your threat model?

Who am I protecting my data from?
(corporations, government, ? )
What data am I worried about?
(location, pictures, messages between friends and family)
How bad are the consequences if I fail?
How much trouble am I willing to go through to try to prevent potential consequences?

More info:
https://www.privacyguides.org/en/basics/threat-modeling/

You don't have to share personal specifics. just saying "low threat model" is enough or whatever you decided.

littlerack

dhhdjbd there is really no need to use fdroid, i do not feel like you gain anything from it

Isn't it because you have no idea on reproducible builds and all the monitoring they do in regards to anti-features and included libraries? You also seems have no idea on obtainium usability - it's plain PITA when it comes to auto-updates, verifying hashes is literally promised but it's a joke.

Blank

dhhdjbd on the play store you have plenty of nefarious or scam apps. In my point of view, play store doesn't protect you entirely. Nevertheless I agree that play store is still more secure than f-droid anyway. However you have documented cases where malicious apps have been distributed from the play store.

No solutions seems perfect as you mentioned. It only depends on where you decided to put your trust. But I wonder if using obtaimium cannot be more secure in the sense that updates (fixes) can come faster than on the plsystore ? Plus if you only download known, well reputed projects you should minimize the risk (not eliminate though(

dhhdjbd

littlerack

i mean if the build if reproducible it, the build is not signed by frdoid but by the developer instead which is kind of a different story then the normal fdroid usage
(Do they not do it like this?)

and i dont know i think i saw threads before of people bringing up some ofc these librarie monitoring before but the result was often more confusion about about what this means, then it beeing a reliable feature. Also i think you do not need to use fdroid to look up the monitoring info if you need to, do you?

edit: and i dont know obtainium works fine for me, it is a bit annoying sure but like its fine, only issue i have that updating obtainium itself is a bit buggy,

and for hashes it prompts the app verifier app? so not sure what you mean

littlerack

dhhdjbd and for hashes it prompts the app verifier app? so not sure what you mean

The best way you don't use this feature. AV's database is non-existent, so if you indeed want to use the feature, you have to manually verify hashes one by one.

Also, it's interesting to hear what people do for github not to rate limit Obtainium while on VPN. I have never had a single issue with f-droid bans anonymous clients.

Novalissoide

littlerack what people do for github not to rate limit Obtainium

Add a personal access token.

https://wiki.obtainium.imranr.dev/sources/

https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens

littlerack

Novalissoide Add a personal access token.

I'm sorry, I have not thought anyone would advise so privacy-disrespectful way to solve it.
Thank you, I don't use Google Play with signed-in account and I don't plan to do it for github.
I would sooner go back to f-droid than do what you suggest.

Novalissoide

littlerack then it would be keeping the checks per a good time interval, avoid visiting Github in other ways between the checks.

xxx

littlerack I don't use Google Play with signed-in account and I don't plan to do it for github.

Understandable. Since f-droid has its shortcomings:
I use:

Accrescent (install from App Store)
Appverifier (install from Accrescent )
Optainium (check the signature before install with Appverifier)
and from time to time aurora (check the signature before install with Appverifier)
Should work decent enough.

DohnJoe

littlerack I would sooner go back to f-droid than do what you suggest.

People is fine with a disposable Google account for Play Store, I guess people will be fine also with disposable GitHub account as well.

Also, another workaround is izzyondroid.
A lot of applications can be found in izzyondroid repository with the same signature, usually one day later (on average).

Draiodoir

@kaisersnatron @Johnnyloans @dhhdjbd @littlerack @Novalissoide

Hi All - thanks for responding to me & for discussing things with each other.

Johnny Loans - I'm just a low threat model. Not famous, not a billionaire, not a politician, nor a journalist, just a boring member of the general public. I'd like to try & take back some privacy & control of my life, despite the fact, like everyone else, I already have a years-long digital footprint. I'd prefer the tech bros, corporations & the government to stay completely out of my life, but of course that's impossible. It's also a bit of an "up yours" to the tech bros.

All - apologies if I was a bit vague with my initial question. I really just wanted feedback about how safe F-droid, Obtainium & Github are in regards to hopefully lowering any risk of getting viruses/malware/spyware, & keeping my info more private instead of Samsung, Apple & Google tracking everything we do. I was confused following hours of online research, I kept getting conflicting opinions about F-droid, Obtainium & Github. Some people support some or all of them, while at the same time others criticise some or all of them - there doesn't seem to be a general consensus. Although I'm hearing what's been discussed, I'm still a bit confused after reading this thread! : ) But I do still appreciate all your input.

As nothing is perfectly fail-safe, maybe it's more about personal preference.

Thanks xo

dhhdjbd

Draiodoir

honestly for any normal user play store is still the safest option ^^

i would recommend anyone that has not a reason and/or google type apps on their phone anyway, to just use playstore.

vtek

Regarding technical ability, you and I seem to be in roughly the same league and, as such, I tend to prefer F-Droid Basic for a few reasons, one being their policies on adware, malware and disclosure of non-free dependencies, another being the convenience it offers for finding apps, another being its simplicity, and another being its suitability for less technical people. Also, to my knowledge, F-Droid has always been free of malware (knock on wood), unlike the Play Store which gets hit fairly often and sometimes on a fairly large scale. Of course the Play Store is a much more attractive target with a massively larger selection of apps so comparing it to F-Droid isn't really valid I suppose.

I also use Obtainium, but only for 1 app currently that isn't on F-Droid. I used to use Obtainium for all my apps, however I found it could be a bit cumbersome at times and there's no assurances that apps are free of non-free services and assets and i'm not about to go through the source code of every thing I install, much less every time an app is updated, mainly because I'm not capable!

For those reasons F-Droid seems to make the most sense to me with the notable caveat that some people question the security of their infrastructure and practices. If F-Droid got hacked, so could all of their users and that is perhaps more likely than that happening with Obtainium or the Google app.

There are also those here who are knowledgeable that suggest installing GOS's Google apps and using the Play Store due to the security checks Google employs, but like you, i do not want Google anything on my device and, again, we run into the non-free asset problem with the Play Store.

Draiodoir lowering any risk of getting viruses/malware/spyware

Depends what you consider malware. In my case, I consider ads malware (code that isn't required for an app to function) which means the Play Store is loaded with malware from my POV.

Johnnyloans

Draiodoir

All 3 app stores are safe for you. If any app you want is particularly worrying whether it's file, photo, or network permission, then do a little research on if it's a brand new project or trusted by the community etc.

Dumdum

vtek used to use Obtainium for all my apps, however I found it could be a bit cumbersome at times and there's no assurances that apps are free of non-free services and assets and i'm not about to go through the source code of every thing I install, much less every time an app is updated, mainly because I'm not capable!

RandByte I use Obtainium for a small handful of apps not available in F-Droid

You can install Fdroid apps through Obtainium as well.

RandByte

I agree with @vtek here. I mainly use F-Droid through Droid-ify - https://f-droid.org/packages/com.looker.droidify/ - which I like very much. I use Obtainium for a small handful of apps not available in F-Droid and finally AuroraStore for 2 apps only available on the PlayStore.

So far so good this way, I have nothing to complain about. 99% of FOSS apps and Rethink - https://github.com/celzero/rethink-app - to keep everyone in check.

BTW, the logs feature of Rethink allows me to say with a high degree of certainty that 100% of the FOSS apps I use on my phone behave really nicely and don't try to sneak up behind my back. Only 1 or 2 have a builtin "check for update" call to api.github.com from time to time which is blocked as I want to keep F-Droid as the main supplier.

gristle-cause

Hey, welcome to the forum. I recommend taking some time to search through the archives:

https://discuss.grapheneos.org/d/30180-is-using-obtanium-or-getting-apks-from-git-repos-is-less-secure-than-f-droid

https://discuss.grapheneos.org/d/4901-secure-app-updates-via-droidifyobtaniumrss

https://discuss.grapheneos.org/d/26827-use-obtanium-with-f-droid-as-source-or-f-droid-itself

https://discuss.grapheneos.org/d/11439-f-droid-vsor-droid-ify

https://discuss.grapheneos.org/d/16589-obtainium-f-droid-basic-or-other-for-installing-f-droid-exclusive-apps

https://discuss.grapheneos.org/d/20212-f-droid-security-in-simple-words

https://discuss.grapheneos.org/d/16900-f-droid-app-vs-aurora-store-app

RandByte

Dumdum You can install Fdroid apps through Obtainium as well.

I know but I don't want that! Obtainium is throttled by GitHub and I don't want to have an account for an API key.

And there are numerous examples, already cited in this thread, why F-Droid is sometimes better because it removes/disables unwanted features in apps or enable full access on other ones. Take a look at OsmAnd~ and others.