Secure app updates via Droidify/Obtainium/RSS...?

I just wondered about your experience with updating open source apps. As far as I understood, some people use the RSS method to notify them about updates and then download and install them manually. Others use Neo-Store/Droidify or Obtainium (or Accrescent, as far as already possible). Apparently, Obtainium notifies the user about new updates that the user can then download manually, while Neo-Store/Droidify supports automatic updates. It was mentioned that Obtainium can obtain the updates directly from the developer's site on GitHub, avoiding potential disadvantages of F-Droid-signed apps. Do you have any comments on that? What is the difference between these methods from a security perspective?
Android requires an update APK to be signed with the same signature as the currently installed app, so it comes down to whether the APK from which you install the app the first time is safe. It's a trust-on-first-use (TOFU) mechanism.
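The signer-continuity rule described above, as an added example that is not part of this thread: a small Python script that pulls the signing certificate out of an APK's v1 (JAR) signature block, fingerprints it the way Android does (SHA-256 of the certificate), and refuses an "update" whose signer set differs from the installed app's. The APKs and certificates here are constructed dummies; real v2/v3 signatures live in the APK Signing Block and need apksigner rather than this reader.

```python
import hashlib, io, zipfile

def der_len(n):  # DER length octets, short or long form
    if n < 0x80:
        return bytes([n])
    k = (n.bit_length() + 7) // 8
    return bytes([0x80 | k]) + n.to_bytes(k, "big")
def tlv(tag, body):  # encode one DER tag-length-value
    return bytes([tag]) + der_len(len(body)) + body
def read_tlv(buf, pos):  # -> (tag, body_start, body_end) of the TLV at pos
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n
def children(buf, start, end):  # -> (tag, raw_tlv, body_start, body_end) per element
    pos = start
    while pos < end:
        tag, bs, be = read_tlv(buf, pos)
        yield tag, buf[pos:be], bs, be
        pos = be
def cert_fingerprint(cert_der):  # what Android compares: SHA-256 of the signing cert
    return hashlib.sha256(cert_der).hexdigest()

def v1_signer_fingerprints(apk_bytes):
    """Fingerprints of every certificate in META-INF/*.RSA|DSA|EC (v1/JAR signing only)."""
    out = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                p7 = z.read(name)
                _, s, e = read_tlv(p7, 0)                       # ContentInfo SEQUENCE
                _, _, sd_bs, _ = list(children(p7, s, e))[1]     # [0] EXPLICIT SignedData
                _, sd_s, sd_e = read_tlv(p7, sd_bs)
                for tag, _, bs, be in children(p7, sd_s, sd_e):
                    if tag == 0xA0:                             # [0] IMPLICIT certificates
                        out.update(cert_fingerprint(c) for _, c, _, _ in children(p7, bs, be))
    return out
def update_allowed(installed_fps, candidate_apk):
    """Android's TOFU rule: an update's signer set must equal the installed app's."""
    return v1_signer_fingerprints(candidate_apk) == installed_fps

def build_fake_apk(cert_der):
    """Constructed sample APK: a zip whose CERT.RSA is a PKCS#7 SignedData holding one dummy cert."""
    signed_data = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"")  # version, digestAlgorithms
                      + tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"))  # contentInfo
                      + tlv(0xA0, cert_der) + tlv(0x31, b""))  # certificates, signerInfos
    p7 = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + tlv(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", p7)
    return buf.getvalue()
DEV_CERT = tlv(0x30, b"developer-signing-cert-placeholder")  # constructed, not a real X.509 cert
FDROID_CERT = tlv(0x30, b"fdroid-build-cert-placeholder")    # constructed: a different signer
```

Run against a developer-signed dummy install, an F-Droid-signed dummy of the same app fails the check, which is exactly why you cannot switch an installed app between F-Droid and GitHub builds without uninstalling first.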
Titan_M2 Thanks!
Don't use the RSS method. Too cumbersome. If you want to get apps from GitHub, use Obtainium. It does the exact same thing, just much faster and more convenient.
Also remember, just because an app is open source and available on GitHub doesn't mean that it's privacy respecting or "safe" to use.
Apps on F-Droid, however, have been checked for funny business. Also, new and updated apps on F-Droid don't really have a disadvantage. Depends on the app. Some apps are actually better from F-Droid, for example: OsmAnd+, Geometric Weather.
The F-Droid signing keys threat is overblown. It's not really a big threat. Outdated SDK, however, is, but that's a per-app issue.
EDIT: Heed @matchboxbananasynergy's following comments. There is merit to what he says.
User2288 I wouldn't really recommend relying on that. By the F-Droid team's own admission, any "checks" they do are very basic, and are not done on future updates, only on the original inclusion.
[deleted]
cactus457 Again, using the Play Store for open-source and non-open-source applications is the safest way to use Android. There is the Accrescent app, but given the limited number of apps available...