I've had f-droid OSMand for a long long time, recently I started getting a warning for google's "play protect" when I go to update it though. Very strange.
The only way to download F-Droid (as far as I know) is to download the apk directly from their site: https://f-droid.org/. This means having to side-load the app. Of course doing that means I would want to do my due diligence and verify the download using the PGP Signature they provide. My question is how do I verify a PGP signature completely on my phone?
I do know how to verify it on my laptop, and then I could send it to myself or install it using adb. But I'm hoping there's a way to do this without having to involve a laptop.
If someone replaces the APK on their website with a compromised one, what prevents them from replacing the PGP signature with a signature created by the attacker?
Imagine Google showed warnings for all the pre-installed Google apps on every phone.
Warning: Google Background Services can read your SMSes, sideload apps without your knowledge or consent, request your location, and basically anything else your device is capable of doing (see the control panel in your Google account for what you, and Google, can make this do).
Warning: on some devices, Google Maps will nag you to upload WiFi access points every time you open the app. It's opt-in so technically legal!
Warning: every website you type in this browser's address bar will be sent to Google.
Warning: text you type on this keyboard may be sent to Google for improving text suggestions for everyone.
It would be a heck of a lot of pop ups on first boot and the best marketing Apple could ever wish for. Apple is not necessarily better, but they're not being hypocritical by adding warning labels for third party noncommercial open source alternatives (OsmAnd isn't the first one where Google does this, FairEmail has a similar story).
A new version was released today/yesterday in F-Droid. I've just upgraded and the first thing it says is "What's new in 4.3.5. New, faster Version 2 (OpenGL) map rendering engine, with 2.5D view"
Edit: Also, thanks to the replies here, I see that 4.3.5 was actually released in F-Droid on the 1st January, and 4.3.8 is also available since yesterday so I upgraded twice today already.