Love this app, makes it really easy to keep non-store apps up to date by linking directly to the app's GitHub repo, for example.
Obviously you have to be careful what you install, just as with any app not found in Play Store, but if you're getting your apps elsewhere anyway this is really convenient.
I would recommend caution with apps from the store too. Not only are many predatory practices not disallowed, outright malware can and does slip through review. The advice is the same as ever when it comes to computers: don't run programs you don't trust, and set your bar of trust high.
It's worse than that imo. People claim the web is dangerous because it runs untrusted code, but apps do the same with auto updates from stores, and the majority of apps are just webviews running code from the net, but without the same level of sandboxing as a browser.
We hear enough stories about how Google removes legit apps without reason, using automated processes, to know that there are at least as many malicious apps that go through undetected.
Alright, well I don't think I personally know anyone who has ended up with malware on their phone. I'm sure it could be better but it seems alright. I'm not gonna advise everyone I know to stress out about it by trying to have a high bar of trust and evaluate every app they wanna try only to have the exact same result they've had for years.
The advice is absolutely not the same as it's always been - it would be weird if the advice from the early aughts, when it was common to be affected by malware or viruses, was the same as the advice now when it's rare.
It's not just the outright malware. It's the McDonald's app that sends them a few notifications per day reminding them that they have One Free McFlurry Waiting!, or 5 ad-ridden games they downloaded to play once and now litter their 5th and 6th homescreen, one of which got them to agree to background location tracking. It's the SuperCoolEmojiKeyboard they installed one time 2 years ago because they couldn't figure out how to send a hotdog emoji, and has been keylogging them ever since.
People treat installing apps like a casual activity that involves no real thought or consideration. They've been trained to do so. The mental model needs to change: installing software is granting it some measure of ground on your device, and should only be done in cases where you have good reason to trust the developers. For everything else, that's what we have websites for.
Nevermind that being downloaded a million times doesn't mean by a million people, as scammers download their own app to boost numbers -- a million is what, 1 in a few thousand smartphone users?
I'd love it to be zero but the amount of vigilance warranted has gotta be a lot less than it was in the past unless there's some argument that magnitude of harm has gone up by a massive amount while probability has gone down by the same amount. Which, idunno, maybe that argument can be made actually.
Also I guess 2001 felt unsafe to visit trusted websites, so the advice upthread was already a bit lessened.
> Nevermind that being downloaded a million times doesn't mean by a million people, as scammers download their own app to boost numbers -- a million is what, 1 in a few thousand smartphone users?
Isn't this cause for people to be more vigilant? You can't even trust apps that are vouched for by large numbers of users (with these large numbers being not mere claims on a shady website, but statistics officially certified by the authority of the app store).
But 2 million downloads among 35 apps is nothing when it comes to evaluating your personal risk. There's like 50,000 times that many apps downloaded every year. The point is the odds of you installing this app are very low. And if those numbers are half fraudulent then the odds are half of that already very small number.
That's one incident among many. Don't judge the situation by a singular incident. Google's move to real-time scanning of apps upon install is not because there is no risk.
> I don't think I personally know anyone who has ended up with malware on their phone
That's... kind of the point when distributing malware? Not only has the game changed as to what actually happens, but malware is only valuable as long as it's installed - meaning getting noticed is pretty well the worst-case scenario for the attacker.
The main point though is malware is no longer stealing credit card numbers. It's not 15 ad-laden toolbars in browsers, or pop-unders and overs, or in-your-face obvious. A subtle miner over half a million users is a decent chunk of shitcoin to mine, and efficiency doesn't matter when it's not your hardware, or your power.
> Obviously you have to be careful what you install, just as with any app not found in Play Store, but if you're getting your apps elsewhere anyway this is really convenient.
It's still a lot more dangerous than the Play Store, and I assume a good threat actor can go undetected, but Play Protect even scans apps that are installed from outside the store.
I use this and it's great. Only problem is when: 1) you want something outside of GitHub (from my experience, already GitLab and Codeberg can be buggy here, although very rarely), and 2) when you need a specific release channel (example: Firefox Beta, which requires a bit of work). But overall it works great. Now, one has to consider the security aspects: stores like Google Play (and, to a lesser extent, F-Droid) do perform some antimalware checks. It's not bulletproof, but it gives a bit more trust in case the dev goes rogue or is compromised. BUT you have to trust the store. With Obtainium, you have to trust: 1) the app's developer 2) GitHub/GitLab/Codeberg 3) Obtainium's developer. So, it depends on what your threat model is. I'm looking forward to seeing wider adoption for Accrescent!
I've been using it for a while. I'm surprised that Android allows third-party app installers that can update apps in the background. I don't follow the specifics of Android developments, but I 100% expected it to get more locked down with time.
The opposite happened; for a while, it did not allow third party installers to run without user interaction but now it does. EU legislation probably had a role in that change.
I've been using this app and I honestly prefer it this way.
Let's not forget that certificates are created and checked for github.com, so it's unlikely for a middleman to get in.
I trust GitHub much more than Google right now. Especially since the object being fetched is generic as opposed to an app store. Google's app store has only shown to hinder publishing. Take Syncthing for instance.
The only thing I wish was better was the .apk selection process. It would be nice if a database existed with filename formats or a little extra metadata to match the correct asset.
A great example of this would be the XZ backdoor, which never got committed to the source tree, but got implanted in the release tarballs, which were built on the attacker's systems.
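The check a defender wants for exactly this case, as an added example that is not part of this thread: hash every file in a release tarball and in the checked-out source tree, then list files that exist only in the tarball or whose content differs. The directory layout, file names and contents below are a constructed fixture, not XZ's real files.

```python
import hashlib
import io
import os
import tarfile
import tempfile

def tree_digests(root):
    """Relative path -> sha256 for every regular file under root (the checked-out tag)."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                out[os.path.relpath(full, root).replace(os.sep, "/")] = hashlib.sha256(f.read()).hexdigest()
    return out

def tarball_digests(tar_path):
    """Path with the leading 'project-x.y/' directory stripped -> sha256 for files in the tarball."""
    out = {}
    with tarfile.open(tar_path, "r:*") as tf:
        for m in tf.getmembers():
            if m.isfile():
                name = m.name.split("/", 1)[1] if "/" in m.name else m.name
                out[name] = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
    return out

def compare_release(tree, tar_path):
    """Files only in the tarball, only in the tree, or present in both with different content."""
    a, b = tree_digests(tree), tarball_digests(tar_path)
    return {
        "only_in_tarball": sorted(set(b) - set(a)),
        "only_in_tree": sorted(set(a) - set(b)),
        "changed": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }

def build_demo():
    """Constructed fixture: a tiny 'git tree' plus a tarball that adds one file and edits another."""
    base = tempfile.mkdtemp()  # left in place so the reader can inspect it
    tree = os.path.join(base, "src")
    os.makedirs(os.path.join(tree, "m4"))
    for rel, text in (("configure.ac", "AC_INIT([demo],[1.0])\n"), ("m4/pthread.m4", "# macro\n")):
        with open(os.path.join(tree, rel), "w") as f:
            f.write(text)
    members = {  # what the constructed release tarball actually ships
        "demo-1.0/configure.ac": b"AC_INIT([demo],[1.0])\n",
        "demo-1.0/m4/pthread.m4": b"# macro\n# line present only in the tarball\n",
        "demo-1.0/m4/extra-build.m4": b"# file that was never committed\n",
    }
    tar_path = os.path.join(base, "demo-1.0.tar.gz")
    with tarfile.open(tar_path, "w:gz") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return tree, tar_path

def demo_report():
    tree, tar_path = build_demo()
    return compare_release(tree, tar_path)
```

Point the same two functions at `git archive` output of a tag and at the published tarball and the report names exactly the files a release-time injection would have touched.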
Finally, a no-nonsense Auto-App-Updater App! If only sites would include a version number somewhere on the download page so Obtainium could find it. Looking at you https://grayjay.app (it doesn't seem to work for partial file hash either, so I had to turn auto updates off for this one).
We sorely need 1:1 replacement of app store trust and discovery mechanisms too without any kafka-esque approval hoops. Obtainium app config sharing and perhaps a standard for APK release webpages would be a great first step towards that.
No need. Obtainium already supports downloading from third-party F-Droid, so users can add Grayjay this way:
1. Enter the URL "https://app.futo.org/fdroid/repo/"
2. In "Override Source", select "F-Droid Third-Party Repo"
3. For "App ID or Name", enter "grayjay"
4. Press "Add"
5. Done
GitHub reserves the right to stop serving those release downloads at any time. They usually just kick you off entirely if your project gets unwanted attention. I don't see them allowing ReVanced (modded popular social apps) forever, so we still need a better way to trust outside that touch-and-go easy relationship.
If it's a social app, users should worry about account takeover making you look bad/illegal or tricking you into entering your password to other OAuth accounts. Privacy implications etc. Similar to if the app owner changed hands to someone trying to milk it. As always, be suspicious of any permission asks to limit damage in these cases.
2. That app isn't on the google app store or you don't want to/can't use google services.
3. The app is not open source so it can only be built and packaged by the first party.
4. You don't want to manually update the app by downloading a new APK every time.
5. You don't want to give a black-box closed-source app you downloaded from the internet permissions to install new apps (and therefore grant them certain new permissions as well).
My example of this is WhatsApp. I hate the app. I think it's scummy as shit. However, if I want the version of WhatsApp that doesn't package Google services, I either have to download a 3rd-party app store, update the app from their web page manually, or grant the app permission to update itself. I obviously don't want to install an (often closed-source) 3rd-party app store just to install this app without granting it keys to the castle. So instead, as I already use F-Droid, I can install the FOSS build of Obtainium and pin my trust on F-Droid. Then I use Obtainium to manage my WhatsApp updates.
Technically this also extends to open source apps where you trust the first party enough to use the app but not enough to let it update itself and where you want to be able to just download updates from github releases.
You don't see the difference between allowing whatsapp to run, vs allowing whatsapp to install apps?
You don't see the difference between allowing a dedicated app installer app written by an author with no other goal and no other source of reputation to install apps, vs allowing a random app to install apps just to hopefully only use that power to keep itself updated and do so in a way that only serves your interests and not those of the apps author?
(ie it will never be a Facebook and one day decide that it wants you to use Messenger, and that's the nicest example let alone something hidden)
The thing that you give permission to install apps must be a separate thing written by a separate author who has no incentive to install or remove any other apps.
I do see a theoretical difference, but in reality there's no guarantee that they don't ship A/B testing in the ipa/apk and do it at runtime. In fact, everything points to them doing exactly that already. By running a closed-source messenger client with a closed backend service, they have the power to say "WhatsApp off, use Messenger now" if they want to, and they don't need to push a client update to do so. I'm not concerned about Meta having root access to my device; they already have access to my contacts for messaging, all my message data (I'm in Europe, WhatsApp is my default communication method), Bluetooth and WiFi settings because you need it for location stuff. They have the data, and the permissions already. The only thing they can't do is install another app (which I would have to grant the permissions WhatsApp already has) to do the nasty, but they can just do the nasty in the app I'm already running.
I sure don't use dubious WhatsApp mods, but in general, the advantage of updating through a website rather than through an internal update is that you're much less likely to receive "customized" updates; it's more likely (though of course not guaranteed) that what's distributed through a website stays always the same, for everyone.
Usually the middleman validates what the stuff does before we do it ourselves. Yes, even though malicious apps get through the cracks, it still makes a difference.
It really depends. Many apps currently cannot be distributed through the stores or the maintainers have to endure a lot of bullying to stay in the stores. (Think NewPipe et al)
In these cases, the middlemen like Google are the hostile party. Essentially the threat actor. It is natural: big tech is big tech, because they are very good at limiting user choice.
For these applications, Obtainium is brilliant.
It also shows that the store model that everyone is working to enshrine in digital policy is not the necessity that Big Tech would have everyone believe.
Mostly because certain apps refuse to adopt Android APIs, or insist NDK is a full blown GNU/Linux userspace, contrary to Android team official position on the matter.
The fact that the Android team's official position on API usage determines what software I get to install is exactly my problem with this gatekeeping.
The latest victim of this travesty is the removal of syncthing from the play store and the subsequent discontinuation of the app. This was ostensibly due to syncthing's failure to leverage the storage access framework to access files on Android devices. In reality, developers were benchmarking the storage access framework as somewhere around 50 times slower than direct system access, and that made it infeasible for usage in apps like Syncthing. That bug has been open for years, and the Android team has done nothing other than claim it's fixed when benchmarks show otherwise.
So I'm not sold at all on the value of these gatekeeping stores that have black box approval processes with changing rules. It is a system that is set up to be evil because it can reject and accept on a whim with no accountability. We should not so easily give up on installing the software of our choosing on the devices we purchase.
Honestly, I started using Obtainium because I can't figure out why F-Droid builds are a month behind. RedReader became completely broken and needed the newer version. Not sure what's up with that lag. It's extremely frustrating.
Anyhow, when the apps stop being updated, it's usually due to something that was added that doesn't make them compliant with F-Droid's policies anymore; or, they changed something in the release process without telling F-Droid.
Other times, the apps were set to be updated only at the developer's request, and for some reason they still haven't made that request (some developers deliberately update F-Droid less frequently, to be more confident of not giving bugged releases to the F-Droid users).
The normal delay, due to their manual (and lazy) signing process, is from a few days to about ten.
This is the case if the app store is done right, that is, if it has the end user's interests in mind. But as with all things Google, the end product always boils down to how much profit it can extract from its services in ad revenues, so there isn't really that much incentive in Google to keep the Play Store tidy.
This or some variation of the idea. The result is the same, what should protect the user becomes a vector to help spread malicious apps.
The safety-argument functions as an apologetic narrative to justify the gatekeeping.
Strangely, almost everything the Play Store pushes at me (Temu, TikTok, millions of communication apps with dubious reputation) is crap.
I would never install an app without checking the permissions it asks for, researching the owner of the app as well as the tracking it includes, yet the store never makes those things transparent, quite the opposite.
Google even takes money to show you bad apps through PlayStore app ads designed to look like an organic app listing. This is apparently a mechanism to profit directly from deceiving users. (Right now, for example, it shows a gambling app, some "beautifying" shovelware, and "Tango live streaming," which the author probably believes by heart is not made for porn.)
So either Google is trying to protect its users and just isn't very good at it, or it's a fake argument to hide corporate power.
Unfortunately F-Droid sometimes distributes outdated software with security vulnerabilities. This happened with Fennec (Firefox variant), not sure what the reason was. I switched back to Firefox + Google Play after that.
Yes, F-Droid is too slow unfortunately. The reason I added Obtainium to my mix was because the F-Droid version of RedReader was so old it didn't work with Reddit anymore. And I couldn't figure out why, or if there was an ETA or what, and someone mentioned Obtainium.
> Usually the middleman validates what the stuff does
That's what they say for their defense yeah but personally I don't buy it. I've published an app myself and I've also seen the countless app scams which are allowed to advertise on YouTube.
They're excellent at inconveniencing legitimate devs for "mistakes" like links to external payment options, but oddly bad at spotting actual scams. I think that tells you something about the actual goal of app review.
The way you phrase "mistakes" is interesting; it's been abundantly clear that's not allowed for a long time. It's not a "mistake" if you link to an external payment method.
I’m an iOS user but one of the reasons I like iOS is because I know that I’ll be able to Sign in with Apple, and pay via the App Store. I recently signed up to a service which charged me for a free trial and I opened a support ticket. They refunded me, and charged me again immediately.
I trust apple and google (rightly or wrongly) to have my back in that situation, but this dev clearly didn’t.
It resolved itself fairly quickly when I got my bank involved, but it took a month from start to finish. I have never, not once, had that issue with App Store managed purchases.
Apple does allow links to external payment options in some cases (see App Store Review Guideline 3.1.1), and sometimes rejects apps for links that it itself says should be legal, and is even legally required to allow in some jurisdictions. Which is not surprising, app reviewers spend only a few minutes looking at each app, and don't always understand the current rules.
One of the reasons I don't like either iOS or the Play Store is that I don't want to make an account with them (which can link all the flood of data sent by your phone to your real name, and force you to agree to their terms).
With F-Droid you have at least a guarantee that the app builds, and at least during the initial review nothing bad was found.
You can argue you're adding F-Droid to the entities you trust (unless it's a reproducible build), but at the same time you're relying a lot less on a random developer's honesty (and security).
I have M&W Dictionary, PlantNet, SoundCloud, and Stellarium+ installed. I don't plan to update any of them as long as they keep working/until I buy a new phone.
Well, I have installed the latest APK from their site. Browsed for and installed apps without a problem. On my Pixel 9 Pro. So at least it's not a bug affecting everyone.
What's the point? If you install from source, the idea is to build on your own machine and review/test the code. GitHub releases don't even have the minimal review scripts that the Play Store does.