Is it considered safe to download .apks from reputable sources?
Yeah, that's all good. WireGuard will be safe and has automatic updates built in. The only downside is that with this download you're 99.999% sure the APK is from WireGuard (Let's Encrypt cert, but the server could be hacked) instead of being 99.99999% sure (verifying the signature).
In my opinion, the risks are close to equal for the average accountant, school teacher, etc.
Let's say a developer (dev) is compromised:
- Their GitHub APK is compromised--bad.
- Their app on the Play Store or Accrescent is compromised, uploaded with their signing key--bad. (Verification or not doesn't matter.)
Keep in mind GOS is a privacy/security community. It's already on one end of the spectrum and you can run into the extreme end more readily.
I couldn't stay in the Discord server myself. So many outspoken people there are way more intense with absolute security/privacy, no compromises. A few tell people to only install open source apps and to forget about Meta/Google. If you say anything against the hive mind, you'll instantly get a few people calling you a bot and suggesting you leave and stop trolling. If I have a source backing my claim from the creator of GrapheneOS himself, they don't care.
Also, F-Droid is totally fine, just be careful about 100% vibe-coded apps from people that don't know what they're doing. This is also true for the recommended Play Store.
For downloaded APKs, the potential pitfalls to look out for, usually on GitHub, are:
- The 'releases' page with APKs might be for debug/dev builds, not for production (normal use). It should be documented that this is the case.
  - Debuggable could be enabled in the APK.
- The repo might have its GitHub APK signed with a public key (dev build).
  - This means someone else could sign an APK, but then they somehow need to get it on your phone and tap install, or trick you into downloading it. I could sign an APK for a popular app, but it's just sitting on my computer or on xyz.com not doing much harm.
- No automatic scans from an app store (sort of useful).
- No verification of the dev's signature.
- It's often up to you to implement updates without an app store.
  - WireGuard has automatic updates built in, don't worry.
  - Or use Obtainium to check for updates for your apps.
This ended up way longer than expected, but gotta include the list of GitHub warnings as well as explain my reasoning for why app stores aren't foolproof or a huge jump up in security or guarantees that an app isn't malicious.
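The "verifying the signature" step the reply mentions is the part of sideloading that is actually worth automating, and it also catches the debug-build pitfall from the list. The script below is an added example, not code from the original post or from the WireGuard or GrapheneOS projects. It assumes `apksigner` and `aapt` from the Android SDK build-tools are on `PATH`; `EXPECTED_SHA256` is a placeholder that you would replace with the signing-certificate fingerprint the developer publishes (or the one recorded from an install you already trust). It refuses an APK whose signature does not verify, whose signer is not the pinned certificate, or which is a debuggable build.

```shell
#!/bin/sh
# Added example (not from the original post): pin a developer's signing
# certificate fingerprint and check a sideloaded APK against it before
# installing. Assumes apksigner and aapt (Android SDK build-tools) are on PATH.
# The fingerprint below is a constructed placeholder; replace it with the
# value the developer publishes or one taken from an install you already trust.
EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"  # placeholder

# Normalise a fingerprint: drop colons/spaces and lowercase, so "AB:CD" == "abcd".
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr '[:upper:]' '[:lower:]'
}

# Pull the first signer's SHA-256 digest out of `apksigner verify --print-certs`
# output read from stdin. Only Signer #1 is considered.
extract_fp() {
    sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' | head -n 1
}

# Return 0 when the two fingerprints are equal after normalisation.
fp_matches() {
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# aapt's badging output (stdin) includes an "application-debuggable" line when
# the manifest sets android:debuggable="true", i.e. a dev build.
is_debuggable_badging() {
    grep -q '^application-debuggable'
}

check_apk() {
    apk="$1"
    # 1. The APK signature must verify at all (rejects tampered or unsigned files).
    apksigner verify "$apk" >/dev/null 2>&1 || {
        echo "FAIL: signature does not verify for $apk"; return 1; }
    # 2. The signer must be the pinned developer certificate, not merely "some" valid key.
    actual=$(apksigner verify --print-certs "$apk" | extract_fp)
    fp_matches "$actual" "$EXPECTED_SHA256" || {
        echo "FAIL: signer fingerprint '$actual' does not match the pinned value"; return 1; }
    # 3. Refuse debuggable builds, which should never be installed for normal use.
    if aapt dump badging "$apk" 2>/dev/null | is_debuggable_badging; then
        echo "FAIL: $apk is a debuggable (dev) build"; return 1
    fi
    echo "OK: $apk is signed by the pinned key and is a release build"
}

# Usage: sh check_apk.sh app.apk
if [ "$#" -ge 1 ]; then
    check_apk "$1"
fi
```

Pinning the fingerprint is what turns "the download came over HTTPS from the right hostname" into "this file was signed with the developer's key": a compromised web server or a re-signed APK from a third party fails step 2, and a mislabelled debug build from a releases page fails step 3. Android itself enforces signer continuity only for updates to an already-installed app, so the first install is the moment this check matters most.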