this post was submitted on 16 Oct 2024
25 points (100.0% liked)

Privacy

31748 readers
602 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

I've looked through Obtainium source code a while back and there seems to be no hash verification whatsoever. Looks too susceptible to supply chain attacks to me.

I don't like that Aurora Store sends a list of installed applications to Google and the only way to stop it is to blacklist.

Is there an option that combines multiple sources together like Obtainium but contains automatic hash verification for added security (I am aware updates are protected by Android)? Something I can use to download non-FOSS apps from a mirror but make sure it's the APK from the Play Store?

top 3 comments
sorted by: hot top controversial new old
[–] Charger8232@lemmy.ml 11 points 2 weeks ago* (last edited 2 weeks ago)

I'm going to parrot what people in the GrapheneOS community would say: "The most secure place to get apps from is Accrescent. If an app isn't available there, the next best place is the Play Store itself with an anonymous Google account." Some bother to add that Obtainium+AppVerifier can be used if it isn't available for either of those methods. Anyways, they're very stingy about where they get their apps from.

Here is my take: Despite claims of F-Droid and Aurora Store having security issues, I don't care. It's based on your threat model and personal preference. Google may soon be forced to open up Play Store apps to more third parties, so more secure methods of getting them may crop up in the future. You'll really never have a 100% private way to get apps, that's the unfortunate reality of how things are. If your threat model is against Google and supply chain attacks, those limit your options down to some less-than-convenient methods. If you do decide to use AppVerifier, do note that you only need to verify the hash once and you're good for the rest of your phone's life.

[–] Virkkunen@fedia.io 5 points 2 weeks ago (1 children)

If you're really paranoid about it, you can download AppVerifier and have Obtainium automatically send the downloaded apk to it and verify the sums before installing

[–] Quail4789@lemmy.ml 3 points 2 weeks ago

that's still a manual process for most apps I've tried