TIL: You can use Obtainium as a complete f-droid client replacement

Obtainium just keeps surprising me. Yesterday through nostr:npub1tr4dstaptd2sp98h7hlysp8qle6mw7wmauhfkgz3rmxdd8ndprusnw2y5g I found out you can add f-droid apps (even from 3rd party repos) to Obtainium and even search for them!

I tried to migrate all my f-droid apps to it and managed to do it. I even uninstalled the fdroid client I was using: droid-fy.


Discussion

Whhhaaaaaat that's fekken sick.

If you want to avoid trust towards Obtainium, you can install the first apk directly from the devs' GitHub. That way manipulation of updates via Obtainium becomes impossible, because Android wouldn't install and upgrade packages with a different signature than the one from the initial installation.

obtainium this it? https://github.com/ImranR98/Obtainium

cool idea and will be even better when we can get off github to nostr

This does not depend on github at all, it's just an apk retriever and github is just a common source.

It's up to devs to host apks elsewhere and some do so on their websites.

Nostr shines for light text notes over relays not huge chunks of binary data no relay wants to host. Don't fall for the cult, nostr is not the solution to everything, always look for the right tool for the job.

nostr is likely not the right solution for nostr, it will change, p2p will come

if a server somewhere can host an apk i don't see why a relay couldn't, but nostr will likely serve as the catalog with other resources serving the apk

Yes you can.... but should you?....

I'm waiting for the day when a github repository is hacked and thousands of mobile devices are infected because they are using obtainium....

If it hasn't happened yet, don't worry, it will happen.

#ethicalhacking #infosec #cybersecurity #nostr

An f-droid repo cannot get hacked?

A developer account that submits to play store cannot get hacked? Playstore is full of malware

How do you check apk signatures via Obtainium?

You don't, unfortunately.

That's why Obtainium is a bad option when it comes to security.

Using the official F-Droid repository, you mitigate cyber risk.

That's not true. You are just trusting fdroid maintainers since they are the ones signing apks with their keys.

You're using a centralized curation service. Arguing that it is more "secure" is very dubious.

If the original devs don't provide sigs, there's not much you can do.
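The thread makes two practical points: Android refuses to upgrade an installed package with an APK signed by a different certificate (so the first install pins the signer), and Obtainium itself does not let you check that signer. The following added example (not Obtainium's code and not from any poster here) shows the manual check a cautious user can do before that first install: open the APK as a zip, pull the X.509 signer certificate(s) out of the v1 JAR-signature block under META-INF/ with a minimal DER walker, hash them with SHA-256, and compare against a fingerprint the developer publishes. It only extracts and fingerprints the certificate; it does not verify the signature itself (Android does that at install time), and APKs signed only with the v2/v3 scheme carry no META-INF block, so for those use `apksigner verify --print-certs` from the Android SDK build-tools, which prints the same SHA-256 digest. The APK and certificate used to run it offline are constructed stand-ins, not a real app or a real cert.

```python
"""Pin an APK's signing certificate before first install (v1/JAR signature block).

Added example, not Obtainium's code. Extracts the certificate(s) from
META-INF/*.RSA|*.DSA|*.EC (PKCS#7 SignedData), fingerprints them with SHA-256
and compares against a pinned value. The sample APK below is constructed.
"""
import hashlib
import io
import zipfile


def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("long-form DER tags not supported")
    first = buf[pos + 1]
    hdr = 2
    if first & 0x80:                      # long-form length: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    else:
        length = first
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, start, end


def _children(buf, start, end):
    """Yield (tag, elem_start, elem_end) for each element inside buf[start:end]."""
    pos = start
    while pos < end:
        tag, _, vend = _tlv(buf, pos)
        yield tag, pos, vend
        pos = vend


def signer_certificates(pkcs7):
    """Return the DER bytes of every certificate carried in a PKCS#7 SignedData blob."""
    tag, s, e = _tlv(pkcs7, 0)                       # ContentInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a PKCS#7 ContentInfo")
    kids = list(_children(pkcs7, s, e))              # contentType OID, [0] EXPLICIT content
    if len(kids) != 2 or kids[1][0] != 0xA0:
        raise ValueError("unexpected ContentInfo layout")
    _, cs, ce = _tlv(pkcs7, kids[1][1])
    _, sd_pos, _ = next(_children(pkcs7, cs, ce))    # SignedData ::= SEQUENCE
    _, ss, se = _tlv(pkcs7, sd_pos)
    certs = []
    for t, pos, _ in _children(pkcs7, ss, se):
        if t == 0xA0:                                # certificates [0] IMPLICIT SET OF Certificate
            _, xs, xe = _tlv(pkcs7, pos)
            certs += [pkcs7[p:q] for ct, p, q in _children(pkcs7, xs, xe) if ct == 0x30]
    return certs


def apk_signer_fingerprints(apk_bytes):
    """Sorted SHA-256 hex digests (apksigner style) of each signer cert in the v1 block."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in signer_certificates(z.read(name)):
                    fps.add(hashlib.sha256(cert).hexdigest())
    return sorted(fps)


def matches_pin(apk_bytes, pinned_sha256):
    """True only when the developer's published fingerprint is one of the APK's signers."""
    return pinned_sha256.lower() in apk_signer_fingerprints(apk_bytes)


# --- constructed sample so the example runs offline (no real app, no real cert) ---

def der(tag, body):
    """Encode one DER element; used here only to build the constructed sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_apk():
    """Return (apk_bytes, signer_fingerprint) for a fake APK with a stand-in certificate."""
    fake_cert = der(0x30, der(0x02, b"\x01") + der(0x0C, b"constructed stand-in certificate"))
    signed_data = der(0x30, der(0x02, b"\x01")                                         # version
                      + der(0x31, b"")                                                 # digestAlgorithms
                      + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"))  # contentInfo (id-data)
                      + der(0xA0, fake_cert)                                           # certificates [0]
                      + der(0x31, b""))                                                # signerInfos
    pkcs7 = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02")               # id-signedData
                      + der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed/>")
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue(), hashlib.sha256(fake_cert).hexdigest()


if __name__ == "__main__":
    apk, pin = build_sample_apk()
    print("signers:", apk_signer_fingerprints(apk))
    print("pin ok:", matches_pin(apk, pin))
    print("wrong pin rejected:", not matches_pin(apk, "00" * 32))
```

For a real download, replace `build_sample_apk()` with `open("app.apk", "rb").read()` and the pin with the fingerprint from the developer's release page or README; once that first APK is installed, Android enforces the same signer on every later update, whichever tool fetches it.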