How risky it realistically is to download and install APKs from their...

[deleted]

original GitHub page without verifying their signatures (with a conscious-but-not-high-value-target user in mind)? Especially regarding messaging apps.

matchboxbananasynergy

In that case, you're trusting two things.

GitHub
That the developer's account hasn't been hacked, logged into and a malicious release push.

Note that for number 2, this would only matter for the initial install. Subsequent updates ensure that the signature of the initial install matches, so you can't get a malicious update after installing the real deal.

grateful_gos_user

matchboxbananasynergy Do Github accounts publish the APK sigature that can be chexked to verify that the download was the right one? Signal Messenger publish that signature on their APK download page.

[deleted]

grateful_gos_user

Not who you asked for but I've seem some do, like Session on each of their release posts on GitHub. Though I'm not sure if that could be exploited or altered somehow. But I'd also like to know about the ones who apparently don't share it there.

matchboxbananasynergy

grateful_gos_user It depends. Some do, some don't. For that to really be effective, it makes the most sense for the signature to be posted in various places, including a different one than the one you're getting the APK from.

For example, if you're getting it from the app's site, it would be good for it to have its signature posted on Twitter, or Mastodon, or somewhere else. The logic there being that if the site is compromised and the app is replaced by a malicious one, they could just change the signature there too.

A good example of an app that does this is Accrescent:

https://accrescent.app/faq#verifying

csis01

You're also trusting that the developer themselves didn't slip in something "special" in the binary release. This is why I prefer the F-Droid release model, because F-Droid handles the build and signature themselves, you know as long as you trust F-Droid, that the source archive is an exact match for the binary.

[deleted]

csis01

But if they (developers) do and if I understood the first reply correctly, wouldn't it be detected fairly quickly by others? Assuming the app is popular and people who verified its signature before update it from the same place, they would notice the malicious update didn't go through and possibly alert others. Is this wrong?

csis01

[deleted] How would anybody detect it if the application developer is THEMSELVES malicious? The signature would be correct. That's the big problem with closed source software and the g* release model, there is no easy way to audit the code.