This is your periodic reminder to install Amethyst (and all other Nostr clients) through Obtainium instead of Google's PlayStore.
You not only receive faster updates (the PlayStore is currently 4 versions behind) but you also start the process of freeing yourself from your invisible digital overlords.
Just follow this video: https://cdn.satellite.earth/2bd7e308c1797d64fca09b1d61e9bde24c68dd45e501c7383eff1e85392df11f.mp4
Fdroid (and even Google Play) verify apk signatures and hashsums.
The lack of integrity and authenticity verifications in Obtanium (which just fetches apks over https) certainly put it at a severe disadvantage when it comes to security.
Obtanium is as much censorship resistance as possible but we should be clear about the trade-offs. Unless there is a standard way for devs to publish hashsums and sigs on Github Releases that Obtanium could use for verification, things are not likely to improve.
Direct APKs (Obtainium, GitHub etc.) are signed with the developer release key.
What have you been smoking.
You're trusting the release key the first time you install an apk.
If a malicious app is published to GH releases, users who try to update are protected due to signature mismatch but first time installers would get rekt.
A developer has control over their GitHub account not more or less as they have over their Google Play or Fdroid account, not sure what you expect Google Play or Fdroid to verify there.
They are curated databases of trusted keys.
If you have 60 apps installed, you don't have to trust that 60 different devs have propper opsec on their Github accounts.
Instead you can delegate trust to a handful of parties that aggregated trusted keys.
I can obtain nostr:npub1gcxzte5zlkncx26j68ez60fzkvtkm9e0vrwdcvsjakxf9mu9qewqlfnj5z 's Google Play credentials and submit a fake APK for Amethyst as much as I can obtain his GitHub credentials and put the APK there.
This is getting nowhere.
You can't submit an apk to Google Play with a different signature (without opening a ticket and asking for manual intervention).
Developer keys are decoupled from Github and Google Play accounts. Even if those online accounts get compromised, it's up to those original keys to assuee authenticity.
Yes the developer key is subject to the same opsec as the Google Play or GitHub credentials.
Of course if all eggs are in the same basket and all accounts and keys are compromised, nothing can be done but you're just gaslightning me with a worst possible scenario.
Even in that case, 3rd party curation is at least marginally better since another set of eyes has to vet each release. Yes, it's certainly less censorship resistant, but a tradeoff is a tradeoff.
Makes sense, but I am not sure if the trade off is that much. In the PlayStore, you have to TRUST Google to not fuck around in first-time installs. There is no first install check in the PlayStore as well for those attack vectors.
Have you heard of https://github.com/soupslurpr/AppVerifier ?
It's at least an attempt to have a sort of community run trusted attested developer keyring. Obtainium was considering some kind of integration
Like I said, trusting Google/Fdroid to attest first time installs is arguably better (securitywise) than expecting common users to attest each app vendor individually.
Dunno how Vitor handles this but I stick everything into my password manager.
You should push for signature verification to be implemented into Obtanium.
