Bought a new P7 on sale and installed GOS. No issues

A few questions:

I installed the Proton suite of tools (VPN, email, pass, drive) and Signal using their APK downloads.

Also set up Obtainium to track releases and updates.

Some Proton tools aren't FOSS, so they're not on GitHub, so not sure if that will work.

But Signal and ProtonVPN version info is being captured in Obtainium.

I have F-Droid and Aurora Store also installed in the same profile, and I get multiple notifications a day saying there is an update for Signal, but I'm on the latest version. I click update, nothing happens, and the notification goes away.

Today Aurora Store says ProtonVPN needs an update. The version is newer, but I don't see it posted on their GitHub page. I'm running the latest version from their GH releases.

I guess Aurora and F-Droid don't care whether an app was installed via direct APK and will still monitor for updates.

But the version mismatch with Proton is a little concerning. I know F-Droid runs their own builds and signs them, so it's possible their versions don't match official GH releases?

Any tips or advice appreciated.

    Frostily7047
    
    But the version mismatch with Proton is a little concerning. I know F-Droid runs their own builds and signs them, so it's possible their versions don't match official GH releases?

    That is normal. The F-Droid version will have different keys from the APKs on GitHub.

      p338k m OK so ignore or run the update?

      I'm unsure if APK installs self-update or not; I guess not unless they have code in them that enables that.

      On that note, from a security perspective, is it better to get apps through Aurora Store (direct from the Google Play Store) instead of installing directly from an APK?

      Wondering what advantage there is in doing direct APK (and using Obtainium) other than getting updates quicker. Worth the extra security risk?

        Frostily7047

        Wondering what advantage there is in doing direct APK (and using Obtainium) other than getting updates quicker. Worth the extra security risk?

        Primarily making sure that the app is signed with the developer's keys directly (not Google or F-Droid keys), I believe. This is a key thing that Accrescent does - see App signing key pinning and No remote key signing.

          Frostily7047

          On that note, from a security perspective, is it better to get apps through Aurora Store (direct from Google Play Store) instead installing direct from APK?

          If you can verify the signature before the first install, updates should be reasonably safe regardless of the source provided the signing key is not compromised and the developers are trustworthy.

          Wondering what advantage there is in doing direct APK (and using Obtainium) other than getting updates quicker. Worth the extra security risk?

          With F-Droid, you have to trust both the developers and F-Droid. F-Droid builds the APKs from the source code and signs them. With direct downloads, you have to trust only the developers.

          The developers could release APKs that do not reflect the source code and have hidden malware and still sign them. F-Droid could do the same thing. You need to decide where to place your trust.

          Dumdum
          
          Primarily making sure that the app is signed with the developer's keys directly (not Google or F-Droid keys), I believe.

          To my understanding, if you don't verify APKs on your device (like comparing keys), you don't have much of a security bonus (apart from not using the Play Store and Google). Please correct me if I got this wrong.

            Phead
            Well, yeah. That's why Accrescent is designed to do this verification for you. Even without Accrescent there's still the possibility of doing this with apksigner.

            And I could be wrong, but I think you can technically "verify" an APK (with apps from GitHub at least) by installing an older APK, if available, and updating to the latest version afterwards. This should utilise the key check between the two versions to confirm the app matches. It's not 100% reliable to do, since both APKs could be signed with bad keys, but it at least gives a decent chance of detecting whether there's a mismatch or not.

              For the APKs I installed manually, I downloaded them to Linux and ran certool against them, comparing each to their respective hashes posted on the site.

              If they verified, I transferred them over USB to my Pixel and installed.

              Not sure I like doing this manually, especially if it doesn't give much more in terms of security.

              If apps are installed via Aurora Store though, that has nothing to do with F-Droid signing their own builds, since Aurora is downloading the APK direct from Google Play? Or am I not understanding this correctly?

              Dumdum
              
              Well, yeah. That's why Accrescent is designed to do this verification for you. Even without Accrescent there's still the possibility of doing this with apksigner.

              Sure, but without any of that, with just the naked APK download, you cannot verify and cannot guarantee it has not been tampered with, correct?

                Phead

                Well, what do you mean by "verify"? If you mean verify the signature to confirm the app is the legitimate one from the developer, then as I said you can do so with apksigner. If you mean to verify the code, then as far as I know, no I don't think there is really something that could do that. There's always a possibility that APKs could use different code from what's publicly posted. But in that case, building (and signing) the app yourself with the public code is (usually) an option.
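The two checks discussed in this thread, the manual hash comparison against the developer's published hashes and the signing-certificate check with apksigner that Phead mentions, as an added shell example (not code from the thread, from Signal, Proton, Accrescent or the Android SDK). It assumes `apksigner` from the Android SDK build-tools is on PATH and that the `Signer #1 certificate SHA-256 digest:` line is the one `apksigner verify --print-certs` prints; the digests shown in the comments are constructed placeholders, and the real values must come from the developer's own site or docs, never from the APK you are checking.

```shell
#!/bin/sh
# Added example, not from the thread or any project named in it.
# Check 1: the downloaded APK's SHA-256 equals the hash the developer published.
# Check 2: the signing certificate apksigner reports equals a digest pinned
#          from a trusted channel (the developer's site), so a re-signed APK
#          from any other source fails even if its file hash was "published".

# Websites often print digests as "AA:BB:..." while apksigner prints lowercase
# hex without colons; normalise both (stdin -> stdout) before comparing.
normalize_digest() {
    tr -d ': ' | tr 'A-Z' 'a-z'
}

# Check 1: exit 0 when the file's SHA-256 matches the expected hash.
verify_apk_hash() {
    apk="$1"
    expected=$(printf '%s' "$2" | normalize_digest)
    actual=$(sha256sum "$apk" | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Pull only the hex digest out of the "Signer #1 certificate SHA-256 digest:"
# line of `apksigner verify --print-certs` output read from stdin.
extract_cert_digest() {
    sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' | head -n 1
}

# Check 2: run apksigner (assumed on PATH) and compare the signer digest to the
# pinned value. Fails if signature verification itself fails, if no digest line
# is found, or if the certificate is not the one you pinned.
verify_cert_pin() {
    apk="$1"
    pinned=$(printf '%s' "$2" | normalize_digest)
    out=$(apksigner verify --print-certs "$apk") || return 1
    digest=$(printf '%s\n' "$out" | extract_cert_digest | normalize_digest)
    [ -n "$digest" ] && [ "$digest" = "$pinned" ]
}

# Manual usage (placeholder values, not real digests):
#   verify_apk_hash app.apk "<sha256 from the developer's download page>" \
#     && verify_cert_pin app.apk "<cert SHA-256 digest from the developer's page>" \
#     && echo "hash and signer match, safe to transfer to the phone"
```

The certificate digest is the more useful of the two to pin: once the first install is done with the right signer, Android refuses updates signed with a different key, which is the same key-continuity check Phead's "install an older APK, then update" trick relies on. The hash check only tells you the file is the one the developer posted on that page, so it protects against a corrupted or swapped download, not against a page that was itself changed.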