• greenglob 4 days ago

    Love this app, makes it really easy to keep non-store apps up to date by linking directly to the app's GitHub repo, for example.

    Obviously you have to be careful what you install, just as with any app not found in Play Store, but if you're getting your apps elsewhere anyway this is really convenient.

    • idle_zealot 4 days ago

      > just as with any app not found in Play Store

      I would recommend caution with apps from the store too. Not only are many predatory practices not disallowed, outright malware can and does slip through review. The advice is the same as ever when it comes to computers: don't run programs you don't trust, and set your bar of trust high.

      • nox101 3 days ago

        It's worse than that imo. People claim the web is dangerous because it runs untrusted code, but apps do the same with auto updates from stores, and the majority of apps are just webviews running code from the net, but without the same level of sandboxing as a browser.

        • undefined 3 days ago
          [deleted]
        • aucisson_masque 4 days ago

          Agree, the play store isn't secure one bit.

          We hear enough stories about how Google removes legit apps without reason, using automated processes, to know that there are at least as many malicious apps that go through undetected.

          • Quiark 3 days ago

            while your app gets rejected when there is a button that does nothing :D

          • furyofantares 3 days ago

            Alright, well I don't think I personally know anyone who has ended up with malware on their phone. I'm sure it could be better but it seems alright. I'm not gonna advise everyone I know to stress out about it by trying to have a high bar of trust and evaluate every app they wanna try only to have the exact same result they've had for years.

            The advice is absolutely not the same as it's always been - it would be weird if the advice from the early aughts, when it was common to be affected by malware or viruses, was the same as the advice now when it's rare.

            • idle_zealot 3 days ago

              It's not just the outright malware. It's the McDonalds app that sends them a few notifications per day reminding them that they have One Free McFlurry Waiting!, or 5 ad-ridden games they downloaded to play once and now litter their 5th and 6th homescreen, one of which got them to agree to background location tracking. It's the SuperCoolEmojiKeyboard they installed one time 2 years ago because they couldn't figure out how to send a hotdog emoji, and has been keylogging them ever since.

              People treat installing apps like a casual activity that involves no real thought or consideration. They've been trained to do so. The mental model needs to change: installing software is granting it some measure of ground on your device, and should only be done in cases where you have good reason to trust the developers. For everything else, that's what we have websites for.

              • furyofantares 2 days ago

                > McDonalds app that sends them a few notifications per day reminding them that they have One Free McFlurry Waiting!

                the mcdonald's app has never sent me a notification

              • shakna 3 days ago

                You knowing someone personally is different from the objective millions of infections [0] that we've seen in the real world.

                [0] https://www.tomsguide.com/news/these-35-malicious-android-ap...

                • furyofantares 3 days ago

                  Nevermind that being downloaded a million times doesn't mean by a million people, as scammers download their own app to boost numbers -- a million is what, 1 in a few thousand smartphone users?

                  I'd love it to be zero but the amount of vigilance warranted has gotta be a lot less than it was in the past unless there's some argument that magnitude of harm has gone up by a massive amount while probability has gone down by the same amount. Which, idunno, maybe that argument can be made actually.

                  Also I guess 2001 felt unsafe to visit trusted websites, so the advice upthread was already a bit lessened.

                  • trehalose 2 days ago

                    > Nevermind that being downloaded a million times doesn't mean by a million people, as scammers download their own app to boost numbers -- a million is what, 1 in a few thousand smartphone users?

                    Isn't this cause for people to be more vigilant? You can't even trust apps that are vouched for by large numbers of users (with these large numbers being not mere claims on a shady website, but statistics officially certified by the authority of the app store).

                    • furyofantares a day ago

                      Sure, it means you can't trust download count.

                      But 2 million downloads among 35 apps is nothing when it comes to evaluating your personal risk. There's like 50,000 times that many apps downloaded every year. The point is the odds of you installing this app are very low. And if those numbers are half fraudulent then the odds are half of that already very small number.

                      • shakna a day ago

                        That's one incident among many. Don't judge the situation by a singular incident. Google's move to realtime scanning of apps upon install is not because there is no risk.

                • xethos 3 days ago

                  > I don't think I personally know anyone who has ended up with malware on their phone

                  That's... kind of the point when distributing malware? Not only has the game changed as to what actually happens, but malware is only valuable as long as it's installed - meaning getting noticed is pretty well the worst-case scenario for the attacker.

                  The main point though is malware is no longer stealing credit card numbers. It's not 15 ad-laden toolbars in browsers, or pop-unders and overs, or in-your-face obvious. A subtle miner over half a million users is a decent chunk of shitcoin to mine, and efficiency doesn't matter when it's not your hardware, or your power.

              • jorvi 3 days ago

                > Obviously you have to be careful what you install, just as with any app not found in Play Store, but if you're getting your apps elsewhere anyway this is really convenient.

                It's still a lot more dangerous than the Play Store, and I assume a good threat actor can go undetected, but Play Protect even scans apps that are installed from outside the store.

                • yndoendo 2 days ago

                  Disney proved that terms of service and conditions for their media content can be more dangerous than the content they serve.

                • amelius 3 days ago

                  > Obviously you have to be careful what you install

                  How?

                  • fsflover 2 days ago

                    Use F-Droid.

                • lollobomb 3 days ago

                  I use this and it's great. Only problem is when: 1) you want something outside of GitHub (from my experience, GitLab and Codeberg can already be buggy here, although very rarely), and 2) when you need a specific release channel (example: Firefox Beta, which requires a bit of work). But overall it works great. Now, one has to consider the security aspects: stores like Google Play (and, to a lesser extent, F-Droid) do perform some antimalware checks. It's not bulletproof, but it gives a bit more trust in case the dev goes rogue or is compromised. BUT you have to trust the store. With Obtainium, you have to trust: 1) the app's developer, 2) GitHub/GitLab/Codeberg, 3) Obtainium's developer. So, it depends on what your threat model is. I'm looking forward to seeing wider adoption for Accrescent!

                • ksynwa 3 days ago

                  I've been using it for a while. I'm surprised that Android allows third-party app installers that can update apps in the background. I don't follow the specifics of Android developments, but I 100% expected it to get more locked down with time.

                  • Zak 3 days ago

                    The opposite happened; for a while, it did not allow third party installers to run without user interaction but now it does. EU legislation probably had a role in that change.

                  • sigmonsays 4 days ago

                    i've been using this app and i honestly prefer it this way.

                    Let's not forget that certificates are created and checked for github.com, so it's unlikely for a middleman to get in.

                    I trust GitHub much more than Google right now. Especially since the object being fetched is generic as opposed to an app store. Google's app store has only shown to hinder publishing. Take Syncthing for instance.

                    The only thing I wish was better was the .apk selection process. It would be nice if a database existed with filename formats or a little extra metadata to match the correct asset.

                    • g-b-r 3 days ago

                      > Lets not forget that certificates are created and checked for github.com, so unlikely for a middleman to get in.

                      What?

                      Don't assume that the APKs are generated by GitHub's CI, anyhow, anything can be uploaded as a release

                      • yonatan8070 3 days ago

                        A great example of this would be the XZ backdoor, which never got committed to the source tree, but got implanted in the release tarballs, which were built on the attacker's systems.

                        • rcMgD2BwE72F 3 days ago

                          Github should provide a certificate when binaries are built from source with their tools.

                          • g-b-r 3 days ago

                            They added something to verify if the binary came out of their CI only a few months ago; I haven't checked now, but it seemed extremely convoluted

                            In any case, there's for sure no GitHub certificate added to the APKs

                            • porridgeraisin 3 days ago

                              NPM has support for github CI provenance. So you can verify that the package on npm was built on the github actions of the repo mentioned in npm.

                              • g-b-r 2 days ago

                                I saw, nice

                                It seems to not check it automatically, though?

                                • porridgeraisin 2 days ago

                                  Yeah, you have to set the provenance flag to true.

                                    - uses: JS-DevTools/npm-publish@v2
                                      with:
                                        token: ${{ secrets.NPM_TOKEN }}
                                        access: public
                                        provenance: true
                                  
                                  For example
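As an added example (not npm's, Obtainium's or any commenter's code) of the check porridgeraisin describes, this verifies an npm SLSA provenance statement against the repository the package claims and against the tarball actually downloaded. The statement is a constructed sample following the in-toto v1 / SLSA v1 layout npm publishes; the package, repository and commit values are placeholders, and Sigstore signature verification is assumed to have already happened.

```python
"""Check an npm provenance statement against the package's claimed repo.

Constructed example. npm wraps a SLSA v1 provenance predicate in an in-toto
Statement when a package is published with the provenance flag; this checks
that the statement is bound to the bytes we downloaded and that the build
ran from the expected GitHub repository on GitHub-hosted Actions runners.
"""
import hashlib
import json

IN_TOTO_STATEMENT = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
GITHUB_ACTIONS_BUILD_TYPE = (
    "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1"
)
GITHUB_HOSTED_BUILDER = "https://github.com/actions/runner/github-hosted"

# Constructed stand-in for the downloaded tarball (not a real package).
TARBALL = b"constructed tarball bytes for example-pkg@1.2.3"

# Constructed statement in the in-toto/SLSA v1 shape; the repository, commit
# and digest values are placeholders, not data from any real project.
STATEMENT_JSON = json.dumps({
    "_type": IN_TOTO_STATEMENT,
    "subject": [{
        "name": "pkg:npm/example-pkg@1.2.3",
        "digest": {"sha512": hashlib.sha512(TARBALL).hexdigest()},
    }],
    "predicateType": SLSA_PROVENANCE_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": GITHUB_ACTIONS_BUILD_TYPE,
            "externalParameters": {
                "workflow": {
                    "ref": "refs/tags/v1.2.3",
                    "repository": "https://github.com/example-org/example-pkg",
                    "path": ".github/workflows/publish.yml",
                }
            },
            "resolvedDependencies": [{
                "uri": "git+https://github.com/example-org/example-pkg@refs/tags/v1.2.3",
                "digest": {"gitCommit": "0" * 40},  # placeholder commit
            }],
        },
        "runDetails": {"builder": {"id": GITHUB_HOSTED_BUILDER}},
    },
})


def normalize_repo_url(url):
    """Turn a package.json repository.url into a plain https GitHub URL."""
    if url.startswith("git+"):
        url = url[4:]
    if url.startswith("git@github.com:"):
        url = "https://github.com/" + url[len("git@github.com:"):]
    if url.endswith(".git"):
        url = url[:-4]
    return url.rstrip("/")


def verify_provenance(statement_json, tarball, package_name, version, repository_url):
    """Return a list of problems; an empty list means the statement checks out."""
    problems = []
    st = json.loads(statement_json)
    expected_repo = normalize_repo_url(repository_url)

    if st.get("_type") != IN_TOTO_STATEMENT:
        problems.append("not an in-toto v1 statement")
    if st.get("predicateType") != SLSA_PROVENANCE_V1:
        problems.append("predicate is not SLSA provenance v1")

    # The subject binds the attestation to the exact bytes we downloaded.
    want_name = f"pkg:npm/{package_name}@{version}"
    want_digest = hashlib.sha512(tarball).hexdigest()
    subjects = {s.get("name"): s.get("digest", {}) for s in st.get("subject", [])}
    if want_name not in subjects:
        problems.append(f"subject {want_name} missing")
    elif subjects[want_name].get("sha512") != want_digest:
        problems.append("tarball sha512 does not match subject digest")

    pred = st.get("predicate", {})
    build = pred.get("buildDefinition", {})
    if build.get("buildType") != GITHUB_ACTIONS_BUILD_TYPE:
        problems.append("build was not a GitHub Actions workflow")

    # The workflow must have run in the repository the package metadata names.
    wf = build.get("externalParameters", {}).get("workflow", {})
    if normalize_repo_url(wf.get("repository", "")) != expected_repo:
        problems.append(f"built from {wf.get('repository')!r}, expected {expected_repo}")

    # And the checked-out source must come from that same repository.
    deps = build.get("resolvedDependencies", [])
    if not any(d.get("uri", "").startswith(f"git+{expected_repo}@") for d in deps):
        problems.append("no resolved source dependency from the expected repo")

    # A builder id other than GitHub-hosted means the step ran somewhere else.
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder != GITHUB_HOSTED_BUILDER:
        problems.append(f"unexpected builder id {builder!r}")
    return problems
```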
                        • ap-andersson 3 days ago

                          Do you mean https://apps.obtainium.imranr.dev/ or something else? That seems to be a crowdsourced list of configurations for different apps.

                        • theage 3 days ago

                          Finally, a no-nonsense Auto-App-Updater App! If only sites would include a version number somewhere on the download page so Obtainium could find it. Looking at you https://grayjay.app (it doesn't seem to work for partial file hash either, so I had to turn auto updates off for this one).

                          We sorely need 1:1 replacement of app store trust and discovery mechanisms too without any kafka-esque approval hoops. Obtainium app config sharing and perhaps a standard for APK release webpages would be a great first step towards that.

                          • ReadEvalPost 3 days ago

                            I work for FUTO, does it just need to be somewhere in the Download section? I'll see if I can get this added if so.

                            • laurentlbm 3 days ago

                              No need. Obtainium already supports downloading from third-party F-Droid repos, so users can add Grayjay this way:

                              1. Enter the URL "https://app.futo.org/fdroid/repo/"

                              2. In "Override Source", select "F-Droid Third-Party Repo"

                              3. For "App ID or Name", enter "grayjay"

                              4. Press "Add"

                              5. Done

                              Reference images:

                              - Add app: https://ibb.co/dL1Hqw6

                              - Result: https://ibb.co/whmL3PY

                          • mikae1 3 days ago

                            1. F-Droid

                            2. FFUpdater

                            3. Obtainium

                            4. Aurora Store

                            • Idesmi 3 days ago

                              You can manage Firefox updates from Obtainium itself.

                              • karlzt 2 days ago

                                1. Neostore

                                2. FFUpdater

                                3. Aurora Store

                              • fulafel 3 days ago

                                It's weird how many orgs keep their apps unavailable, as lots of users decline to submit to Play store preconditions (link phone to a Google account).

                                • anovick 3 days ago

                                  Can't access the site. It says: "Sorry, you have been blocked You are unable to access imranr.dev"

                                  • ImranR98 2 days ago

                                    "Israel" is blocked.

                                    • AlexeyBelov 2 days ago

                                      Why is it blocked? Why the quotes?

                                    • compootr 3 days ago
                                      • piratey 3 days ago

                                        Hmm if only I had an app to easily install it from github

                                        • TobTobXX 3 days ago

                                          When you install Obtainium from an APK, it prefills the Obtainium source for self-management.

                                      • avipars 3 days ago

                                        same here

                                      • msephton 4 days ago

                                        I use this to update Koreader on the Android tablet I use only for reading ebooks.

                                        • tedchs 4 days ago

                                          Wow, what a great name!

                                          • joemazerino 3 days ago

                                            Just the app I was looking for.

                                            • CommanderData 3 days ago

                                              Would prefer everything is hosted on GitHub to reduce the attack surface. But this is cool!

                                              • theage 3 days ago

                                                GitHub reserves the right to stop serving those release downloads at any time. They usually just kick you off entirely if your project gets unwanted attention. I don't see them allowing ReVanced (modded popular social apps) forever, so we still need a better way to trust outside that touch-and-go easy relationship.

                                                • CommanderData 3 days ago

                                                  Your app is a massive target, if your domain or web server is taken over, what implications would this have on the end users using your app (if any)?

                                                  • theage 3 days ago

                                                    If it's a social app, users should worry about account takeover making you look bad/illegal or tricking you into entering your password to other OAuth accounts. Privacy implications etc. Similar to if the app owner changed hands to someone trying to milk it. As always, be suspicious of any permission asks to limit damage in these cases.

                                              • EVa5I7bHFq9mnYK 4 days ago

                                                [flagged]

                                                • jacoblambda 4 days ago

                                                  Obtainium exists for a very specific use case.

                                                  1. You have an app you want to use.

                                                  2. That app isn't on the google app store or you don't want to/can't use google services.

                                                  3. The app is not open source so it can only be built and packaged by the first party.

                                                  4. You don't want to manually update the app by downloading a new APK every time.

                                                  5. You don't want to give a black-box closed-source app you downloaded from the internet permissions to install new apps (and therefore grant them certain new permissions as well).

                                                  My example of this is WhatsApp. I hate the app. I think it's scummy as shit. However, if I want the version of WhatsApp that doesn't package Google services, I either have to download a 3rd-party app store, update the app from their web page manually, or grant the app permission to update itself. I obviously don't want to install a (often closed-source) 3rd-party app store just to install this app without granting it keys to the castle. So instead, as I already use F-Droid, I can install the FOSS build of Obtainium and pin my trust on F-Droid. Then I use Obtainium to manage my WhatsApp updates.

                                                  Technically this also extends to open source apps where you trust the first party enough to use the app but not enough to let it update itself and where you want to be able to just download updates from github releases.

                                                  • maccard 4 days ago

                                                    Why do you trust it to run code and to install updates from their website but not to execute that update? What’s the threat model there?

                                                    • Brian_K_White 3 days ago

                                                      You don't see the difference between allowing whatsapp to run, vs allowing whatsapp to install apps?

                                                      You don't see the difference between allowing a dedicated app installer app written by an author with no other goal and no other source of reputation to install apps, vs allowing a random app to install apps just to hopefully only use that power to keep itself updated and do so in a way that only serves your interests and not those of the apps author? (ie it will never be a Facebook and one day decide that it wants you to use Messenger, and that's the nicest example let alone something hidden)

                                                      The thing that you give permission to install apps must be a separate thing written by a separate author who has no incentive to install or remove any other apps.

                                                      • maccard 3 days ago

                                                        I do see a theoretical difference, but in reality there's no guarantee that they don't ship A/B testing in the ipa/apk and do it at runtime. In fact, everything points to them doing exactly that already. By running a closed-source messenger client with a closed backend service, they have the power to say "WhatsApp off, use Messenger now" if they want to, and they don't need to push a client update to do so. I'm not concerned about Meta having root access to my device: they already have access to my contacts for messaging, all my message data (I'm in Europe, WhatsApp is my default communication method), Bluetooth and WiFi settings because you need it for location stuff. They have the data, and the permissions already. The only thing they can't do is install another app (which I would have to grant the permissions WhatsApp already has) to do the nasty, but they can just do the nasty in the app I'm already running.

                                                        • vednig 3 days ago

                                                          Maybe android can limit allowing apps to install updates of themselves, only if this could be implemented, https://issuetracker.google.com/issues/378112214

                                                        • g-b-r 3 days ago

                                                          I sure don't use dubious WhatsApp mods, but in general, the advantage of updating through a website rather than through an internal update, is that you're much less likely to receive "customized" updates; it's more likely (though of course not guaranteed) that what's distributed through a website stays always the same, for everyone

                                                      • dan-0 4 days ago

                                                        In the same way as walking. Stick to well-trafficked places you know and your risk drops significantly.

                                                        • ruiseal 4 days ago

                                                          You're removing the middleman (Play or F-Droid) so I don't see how.

                                                          • pjmlp 4 days ago

                                                            Usually the middleman validates what the stuff does, before we do it ourselves, yes even though malicious apps get through the cracks, still makes a difference.

                                                            • fwn 4 days ago

                                                              It really depends. Many apps currently cannot be distributed through the stores or the maintainers have to endure a lot of bullying to stay in the stores. (Think NewPipe et al)

                                                              In these cases, the middlemen like Google are the hostile party. Essentially the threat actor. It is natural: big tech is big tech, because they are very good at limiting user choice.

                                                              For these applications, Obtainium is brilliant.

                                                              It also shows that the store model that everyone is working to enshrine in digital policy is not the necessity that Big Tech would have everyone believe.

                                                              • pjmlp 4 days ago

                                                                Mostly because certain apps refuse to adopt Android APIs, or insist NDK is a full blown GNU/Linux userspace, contrary to Android team official position on the matter.

                                                                • rpdillon 4 days ago

                                                                  The fact that the Android team's official position on API usage determines what software I get to install is exactly my problem with this gatekeeping.

                                                                  The latest victim of this travesty is the removal of syncthing from the play store and the subsequent discontinuation of the app. This was ostensibly due to syncthing's failure to leverage the storage access framework to access files on Android devices. In reality, developers were benchmarking the storage access framework as somewhere around 50 times slower than direct system access, and that made it infeasible for usage in apps like Syncthing. That bug has been open for years, and the Android team has done nothing other than claim it's fixed when benchmarks show otherwise.

                                                                  So I'm not sold at all on the value of these gatekeeping stores that have black box approval processes with changing rules. It is a system that is set up to be evil because it can reject and accept on a whim with no accountability. We should not so easily give up on installing the software of our choosing on the devices we purchase.

                                                                • __jonas 4 days ago

                                                                  How does that apply to F-Droid though? I don't think they are bullying any of the app maintainers, NewPipe seems to be on there?

                                                                  • fluidcruft 4 days ago

                                                                    Honestly I started using Obtainium because I can't figure out why F-Droid builds are a month behind. RedReader became completely broken and needed the newer version. Not sure what's up with that lag. It's extremely frustrating.

                                                                    • g-b-r 3 days ago

                                                                      Never had a problem with RedReader, strange.

                                                                      Anyhow, when the apps stop being updated, it's usually due to something that was added that doesn't make them compliant with F-Droid's policies anymore; or, they changed something in the release process without telling F-Droid.

                                                                      Other times, the apps were set to be updated only at the developer's request, and for some reason they still haven't made that request (some developers deliberately update F-Droid less frequently, to be more confident of not giving bugged releases to the F-Droid users).

                                                                      The normal delay, due to their manual (and lazy) signing process, is from a few days to about ten.

                                                                • gchamonlive 4 days ago

                                                                  This is the case if the app store is done right, that is, if it has the end user's interests in mind. But as with all things Google, the end product always boils down to how much profit it can extract from its services in ad revenues, so there isn't really that much incentive in Google to keep the Play Store tidy.

                                                                  This or some variation of the idea. The result is the same, what should protect the user becomes a vector to help spread malicious apps.

                                                                  • ramon156 4 days ago

                                                                    So if Obtainium does checks, the issue is resolved?

                                                                    • fwn 4 days ago

                                                                      The safety-argument functions as an apologetic narrative to justify the gatekeeping.

                                                                      Strangely, almost everything the Play Store pushes at me (Temu, TikTok, millions of communication apps with dubious reputation) is crap.

                                                                      I would never install an app without checking the permissions it asks for, researching the owner of the app as well as the tracking it includes, yet the store never makes those things transparent, quite the opposite.

                                                                      Google even takes money to show you bad apps through PlayStore app ads designed to look like an organic app listing. This is apparently a mechanism to profit directly from deceiving users. (Right now, for example, it shows a gambling app, some "beautifying" shovelware, and "Tango live streaming," which the author probably believes by heart is not made for porn.)

                                                                      So either Google is trying to protect its users and just isn't very good at it, or it's a fake argument to hide corporate power.

                                                                      But it's impossible to know for sure, isn't it?

                                                                      • fluidcruft 4 days ago

                                                                        The safety argument with F-Droid is that F-Droid builds from source and the builds can be verified by anyone

                                                                        https://f-droid.org/docs/Reproducible_Builds/

                                                                        • cubefox 4 days ago

                                                                          Unfortunately F-Droid sometimes distributes outdated software with security vulnerabilities. This happened with Fennec (Firefox variant), not sure what the reason was. I switched back to Firefox + Google Play after that.

                                                                          • fluidcruft 4 days ago

                                                                            Yes, F-Droid is too slow unfortunately. The reason I added Obtainium to my mix was because the F-Droid version of RedReader was so old it didn't work with Reddit anymore. And I couldn't figure out why, or if there was an ETA or what, and someone mentioned Obtainium.

                                                                          • EVa5I7bHFq9mnYK 3 days ago

                                                                            anyone == noone

                                                                      • realusername 4 days ago

                                                                        > Usually the middleman validates what the stuff does

                                                                        That's what they say for their defense yeah but personally I don't buy it. I've published an app myself and I've also seen the countless app scams which are allowed to advertise on YouTube.

                                                                        The value we get from the store is dubious.

                                                                        • InsideOutSanta 4 days ago

                                                                          They're excellent at inconveniencing legitimate devs for "mistakes" like links to external payment options, but oddly bad at spotting actual scams. I think that tells you something about the actual goal of app review.

                                                                          • realusername 4 days ago

                                                                            That's spot on, there's two main goals of the app review:

                                                                            - Make sure that they get their cut

                                                                            - Shift the blame of the privacy issues to the app developers since the duopoly is very often targeted in the media on this subject.

                                                                            Anything else has a lower priority.

                                                                            • maccard 4 days ago

                                                                              The way you phrase "mistakes" is interesting; it's been abundantly clear that's not allowed for a long time. It's not a "mistake" if you link to an external payment method.

                                                                              I’m an iOS user but one of the reasons I like iOS is because I know that I’ll be able to Sign in with Apple, and pay via the App Store. I recently signed up to a service which charged me for a free trial and I opened a support ticket. They refunded me, and charged me again immediately.

                                                                              I trust apple and google (rightly or wrongly) to have my back in that situation, but this dev clearly didn’t.

                                                                              It resolved itself fairly quickly when I got my bank involved, but it took a month from start to finish. I have never, not once, had that issue with App Store managed purchases.

                                                                              • InsideOutSanta 3 days ago

                                                                                Apple does allow links to external payment options in some cases (see App Store Review Guideline 3.1.1), and sometimes rejects apps for links that it itself says should be legal, and is even legally required to allow in some jurisdictions. Which is not surprising, app reviewers spend only a few minutes looking at each app, and don't always understand the current rules.

                                                                                • g-b-r 3 days ago

                                                                                  One of the reasons I don't like either iOS or the Play Store is that I don't want to make an account with them (which can link all the flood of data sent by your phone to your real name, and force you to agree to their terms)

                                                                        • mj-j 4 days ago

                                                                          It is if the crowdsourced sources are bad. Outside of that happening, you are just going directly to the project instead of through a curator.

                                                                          • g-b-r 3 days ago

                                                                            With F-Droid you have at least a guarantee that the app builds, and at least during the initial review nothing bad was found.

                                                                            You can argue you're adding F-Droid to the entities you trust (unless it's a reproducible build), but at the same time you're relying a lot less on a random developer's honesty (and security).

                                                                          • oguz-ismail 4 days ago

                                                                            Yeah. I only update my bank app and Chrome and wouldn't trust a random app with that

                                                                            • smeej 4 days ago

                                                                              Do you just not install other apps? Or do you have some kind of preference for unpatched, insecure old software?

                                                                              • oguz-ismail 3 days ago

                                                                                I have M&W Dictionary, PlantNet, SoundCloud, and Stellarium+ installed. I don't plan to update any of them as long as they keep working/until I buy a new phone.

                                                                            • ch1kkenm4ss4 4 days ago

                                                                              Curious and thoughtful observation.

                                                                            • encom 3 days ago

                                                                              I'll give this a shot. F-Droid is broken on Android 15 and nobody cares.

                                                                              • ap-andersson 3 days ago

                                                                                What is broken in F-Droid? I just got Android 15 and am using F-Droid but have not noticed anything broken yet.

                                                                                • encom 3 days ago

                                                                                  Crashes on startup. Offers to send a stack trace, which I've done. I've been updating apps manually, which is tedious.

                                                                                  • ap-andersson 3 days ago

                                                                                    Well, I have installed the latest APK from their site. Browsed for and installed apps without a problem. On my Pixel 9 Pro. So at least it's not a bug affecting everyone.

                                                                                    • nalinidash 3 days ago

                                                                                      Or else you can open a bug report here: https://gitlab.com/fdroid/fdroidclient/issues

                                                                                      • yjftsjthsd-h 3 days ago

                                                                                        Have you tried another frontend? F-Droid has multiple official/unofficial apps on itself.

                                                                                    • MaximusLegroom 2 days ago

                                                                                      The Droid-ify client has always worked well for me. I never cared for the official F-Droid client.

                                                                                    • sesm 3 days ago

                                                                                      What's the point? If you install from source, the idea is to build on your own machine and review/test the code. GitHub releases don't even have the minimal review scripts that the Play Store does.