[HN Gopher] Obtainium: Get Android App Updates Directly from the...
___________________________________________________________________
Obtainium: Get Android App Updates Directly from the Source
Author : janandonly
Score : 143 points
Date : 2024-11-02 13:24 UTC (7 days ago)
(HTM) web link (obtainium.imranr.dev)
(TXT) w3m dump (obtainium.imranr.dev)
| EVa5I7bHFq9mnYK wrote:
| Looks dangerous.
| ruiseal wrote:
| You're removing the middleman (Play or F-Droid) so I don't see
| how.
| pjmlp wrote:
| Usually the middleman validates what the stuff does before
| we do it ourselves; yes, even though malicious apps get
| through the cracks, it still makes a difference.
| ramon156 wrote:
| So if Obtainium does checks, the issue is resolved?
| fwn wrote:
| The safety-argument functions as an apologetic narrative
| to justify the gatekeeping.
|
| Strangely, almost everything the Play Store pushes at me
| (Temu, TikTok, millions of communication apps with
| dubious reputation) is crap.
|
| I would never install an app without checking the
| permissions it asks for, researching the owner of the app
| as well as the tracking it includes - yet the store
| never makes those things transparent, quite the opposite.
|
| Google even takes money to show you bad apps through
| PlayStore app ads designed to look like an organic app
| listing. This is apparently a mechanism to profit
| directly from deceiving users. (Right now, for example,
| it shows a gambling app, some "beautifying" shovelware,
| and "Tango live streaming," which the author probably
| believes by heart is not made for porn.)
|
| So either Google is trying to protect its users and just
| isn't very good at it, or it's a fake argument to hide
| corporate power.
|
| But it's impossible to know for sure, isn't it?
| fluidcruft wrote:
| The safety argument with F-Droid is that F-Droid builds
| from source and the builds can be verified by anyone.
|
| https://f-droid.org/docs/Reproducible_Builds/
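The reproducible-build check linked above rests on one comparison: rebuild the app from the published source, then check that the rebuild and the developer's signed APK are byte-identical apart from the signature files. The Python below is an added illustration of that comparison, not F-Droid's own tooling (which runs apksigner and diffoscope on real APKs); it operates on constructed zip files standing in for APKs, and the app, entries and signature blobs are all made up.

```python
import hashlib
import io
import zipfile

# Entries holding the v1 (JAR) signature. These legitimately differ between the
# developer's signed APK and a from-source rebuild, so they are excluded from the
# comparison. (v2/v3 signatures live in the APK Signing Block outside the zip
# entries, so zipfile never sees them and they are excluded by construction.)
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC", "MANIFEST.MF")


def is_signature_entry(name: str) -> bool:
    return name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)


def content_digests(apk_bytes: bytes) -> dict:
    """Map every non-signature entry to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_builds(upstream_apk: bytes, rebuilt_apk: bytes) -> list:
    """List differences between a developer release and a from-source rebuild.
    An empty list means code and resources are byte-identical, so the release
    adds nothing beyond its signature; any entry listed was shipped but is not
    what the published source produces."""
    a, b = content_digests(upstream_apk), content_digests(rebuilt_apk)
    diffs = []
    for name in sorted(set(a) | set(b)):
        if name not in b:
            diffs.append(f"only in upstream release: {name}")
        elif name not in a:
            diffs.append(f"only in rebuild: {name}")
        elif a[name] != b[name]:
            diffs.append(f"content differs: {name}")
    return diffs


def make_apk(entries: dict) -> bytes:
    """Constructed stand-in for an APK: a zip with the given entries (not installable)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: the same hypothetical app built twice.
CODE = {"AndroidManifest.xml": b"<manifest package='example.app'/>",
        "classes.dex": b"dex\n035\x00constructed-dex-payload"}
MANIFEST = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"}
SOURCE_REBUILD = make_apk({**CODE, **MANIFEST, "META-INF/FDROID.SF": b"sf-fdroid",
                           "META-INF/FDROID.RSA": b"rsa-fdroid"})
DEV_RELEASE_OK = make_apk({**CODE, **MANIFEST, "META-INF/DEV.SF": b"sf-dev",
                           "META-INF/DEV.RSA": b"rsa-dev"})
# A release whose contents do not come from the published source (a modified dex
# plus an extra native library), the pattern the release-tarball discussion warns about.
DEV_RELEASE_TAMPERED = make_apk({**CODE, **MANIFEST, "classes.dex": b"dex\n035\x00patched",
                                 "lib/arm64-v8a/libextra.so": b"constructed-blob",
                                 "META-INF/DEV.SF": b"sf-dev", "META-INF/DEV.RSA": b"rsa-dev"})

if __name__ == "__main__":
    print("clean release:", compare_builds(DEV_RELEASE_OK, SOURCE_REBUILD) or "reproducible")
    print("tampered release:", compare_builds(DEV_RELEASE_TAMPERED, SOURCE_REBUILD))
```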
| cubefox wrote:
| Unfortunately F-Droid sometimes distributes outdated
| software with security vulnerabilities. This happened
| with Fennec (Firefox variant), not sure what the reason
| was. I switched back to Firefox + Google Play after that.
| fluidcruft wrote:
| Yes, F-Droid is too slow, unfortunately. The reason I added
| Obtainium to my mix was because the F-Droid version of
| RedReader was so old it didn't work with Reddit anymore.
| And I couldn't figure out why or if there was an ETA or
| what, and someone mentioned Obtainium.
| EVa5I7bHFq9mnYK wrote:
| anyone == noone
| fwn wrote:
| It really depends. Many apps currently cannot be
| distributed through the stores or the maintainers have to
| endure a lot of bullying to stay in the stores. (Think
| NewPipe et al)
|
| In these cases, the middlemen like Google are the hostile
| party. Essentially the threat actor. It is natural: big
| tech is big tech, because they are very good at limiting
| user choice.
|
| For these applications, Obtainium is brilliant.
|
| It also shows that the store model that everyone is working
| to enshrine in digital policy is not the necessity that Big
| Tech would have everyone believe.
| pjmlp wrote:
| Mostly because certain apps refuse to adopt Android APIs,
| or insist the NDK is a full-blown GNU/Linux userspace,
| contrary to the Android team's official position on the matter.
| rpdillon wrote:
| The fact that the Android team's official position on API
| usage determines what software I get to install is
| exactly my problem with this gatekeeping.
|
| The latest victim of this travesty is the removal of
| syncthing from the play store and the subsequent
| discontinuation of the app. This was ostensibly due to
| syncthing's failure to leverage the storage access
| framework to access files on Android devices. In reality,
| developers were benchmarking the storage access framework
| as somewhere around 50 times slower than direct system
| access, and that made it infeasible for usage in apps
| like Syncthing. That bug has been open for years, and the
| Android team has done nothing other than claim it's fixed
| when benchmarks show otherwise.
|
| So I'm not sold at all on the value of these gatekeeping
| stores that have black box approval processes with
| changing rules. It is a system that is set up to be evil
| because it can reject and accept on a whim with no
| accountability. We should not so easily give up on
| installing the software of our choosing on the devices we
| purchase.
| __jonas wrote:
| How does that apply to F-Droid though? I don't think they
| are bullying any of the app maintainers, NewPipe seems to
| be on there?
| fluidcruft wrote:
| Honestly, I started using Obtainium because I can't figure
| out why F-Droid builds are a month behind. RedReader
| became completely broken and needed the newer version.
| Not sure what's up with that lag. It's extremely
| frustrating.
| g-b-r wrote:
| Never had a problem with RedReader, strange.
|
| Anyhow, when the apps stop being updated, it's usually
| due to something that was added that doesn't make them
| compliant with F-Droid's policies anymore; or, they
| changed something in the release process without telling
| F-Droid.
|
| Other times, the apps were set to be updated only at the
| developer's request, and for some reason they still
| haven't made that request (some developers deliberately
| update F-Droid less frequently, to be more confident of
| not giving bugged releases to the F-Droid users).
|
| The normal delay, due to their manual (and lazy) signing
| process, is from a few days to about ten.
| realusername wrote:
| > Usually the middleman validates what the stuff does
|
| That's what they say in their defense, yeah, but personally
| I don't buy it. I've published an app myself and I've also
| seen the countless app scams which are allowed to advertise
| on YouTube.
|
| The value we get from the store is dubious.
| InsideOutSanta wrote:
| They're excellent at inconveniencing legitimate devs for
| "mistakes" like links to external payment options, but
| oddly bad at spotting actual scams. I think that tells
| you something about the actual goal of app review.
| realusername wrote:
| That's spot on; there are two main goals of the app review:
|
| - Make sure that they get their cut
|
| - Shift the blame of the privacy issues to the app
| developers since the duopoly is very often targeted in
| the media on this subject.
|
| Anything else has a lower priority.
| maccard wrote:
| The way you phrase "mistakes" is interesting; it's been
| abundantly clear that's not allowed for a long time. It's
| not a "mistake" if you link to an external payment method.
|
| I'm an iOS user but one of the reasons I like iOS is
| because I know that I'll be able to Sign in with Apple,
| and pay via the App Store. I recently signed up to a
| service which charged me for a free trial and I opened a
| support ticket. They refunded me, and charged me again
| immediately.
|
| I trust apple and google (rightly or wrongly) to have my
| back in that situation, but this dev clearly didn't.
|
| It resolved itself fairly quickly when I got my bank
| involved, but it took a month from start to finish. I
| have never, not once, had that issue with App Store
| managed purchases.
| g-b-r wrote:
| One of the reasons I don't like either iOS or the Play
| Store is that I don't want to make an account with them
| (which can link all the flood of data sent by your phone
| to your real name, and force you to agree to their terms)
| InsideOutSanta wrote:
| Apple _does_ allow links to external payment options in
| some cases (see App Store Review Guideline 3.1.1), and
| sometimes rejects apps for links that it itself says
| should be legal, and is even legally required to allow in
| some jurisdictions. Which is not surprising: app
| reviewers spend only a few minutes looking at each app,
| and don't always understand the current rules.
| gchamonlive wrote:
| This is the case if the app store is done right, that is,
| if it has the end user's interests in mind. But as with all
| things Google, the end product always boils down to how
| much profit it can extract from its services in ad
| revenues, so there isn't really that much incentive in
| Google to keep the Play Store tidy.
|
| This or some variation of the idea. The result is the same,
| what should protect the user becomes a vector to help
| spread malicious apps.
| mj-j wrote:
| It is if the crowdsourced sources are bad. Outside of that
| happening, you are just going directly to the project instead
| of through a curator.
| g-b-r wrote:
| With F-Droid you have at least a guarantee that the app
| builds, and that at least during the initial review nothing bad
| was found.
|
| You can argue you're adding F-Droid to the entities you trust
| ( _unless it's a reproducible build_), but at the same time
| you're relying a lot less on a random developer's honesty
| (and security).
| oguz-ismail wrote:
| Yeah. I only update my bank app and Chrome and wouldn't trust a
| random app with that
| smeej wrote:
| Do you just not install other apps? Or do you have some kind
| of preference for unpatched, insecure old software?
| oguz-ismail wrote:
| I have M&W Dictionary, PlantNet, SoundCloud, and
| Stellarium+ installed. I don't plan to update any of them
| as long as they keep working/until I buy a new phone.
| ch1kkenm4ss4 wrote:
| Curious and thoughtful observation.
| jacoblambda wrote:
| Obtainium exists for a very specific use case.
|
| 1. You have an app you want to use.
|
| 2. That app isn't on the Google app store or you don't want
| to/can't use Google services.
|
| 3. The app is not open source so it can only be built and
| packaged by the first party.
|
| 4. You don't want to manually update the app by downloading a
| new APK every time.
|
| 5. You don't want to give a black-box closed-source app you
| downloaded from the internet permissions to install new apps
| (and therefore grant them certain new permissions as well).
|
| My example of this is WhatsApp. I hate the app. I think it's
| scummy as shit. However, if I want the version of WhatsApp that
| doesn't package Google services, I either have to download a
| 3rd party app store, update the app from their web page
| manually, or grant the app permission to update itself. I
| obviously don't want to install an (often closed source) 3rd
| party app store just to install this app without granting it
| keys to the castle. So instead, as I already use F-Droid, I can
| install the FOSS build of Obtainium and pin my trust on F-Droid.
| Then I use Obtainium to manage my WhatsApp updates.
|
| Technically this also extends to open source apps where you
| trust the first party enough to use the app but not enough to
| let it update itself, and where you want to be able to just
| download updates from GitHub releases.
| maccard wrote:
| Why do you trust it to run code and to install updates from
| their website but not to execute that update? What's the
| threat model there?
| g-b-r wrote:
| I sure don't use dubious WhatsApp mods, but in general, the
| advantage of updating through a website rather than through
| an internal update, is that you're much less likely to
| receive "customized" updates; it's more likely (though of
| course not guaranteed) that what's distributed through a
| website stays always the same, for everyone
| Brian_K_White wrote:
| You don't see the difference between allowing whatsapp to
| run, vs allowing whatsapp to install apps?
|
| You don't see the difference between allowing a dedicated
| app installer app written by an author with no other goal
| and no other source of reputation to install apps, vs
| allowing a random app to install apps just to hopefully
| only use that power to keep itself updated and do so in a
| way that only serves your interests and not those of the
| app's author? (i.e. it will never be a Facebook and one day
| decide that _it_ wants you to use Messenger, and that's
| the nicest example, let alone something hidden)
|
| The thing that you give permission to install apps must be
| a separate thing written by a separate author who has no
| incentive to install or remove any other apps.
| vednig wrote:
| Maybe Android could restrict apps from installing updates
| of themselves, if only this could be implemented:
| https://issuetracker.google.com/issues/378112214
| dan-0 wrote:
| In the same way as walking. Stick to well-trafficked places you
| know and your risk drops significantly.
| greenglob wrote:
| Love this app; it makes it really easy to keep non-store apps up to
| date by linking directly to the app's GitHub repo, for example.
|
| Obviously you have to be careful what you install, just as with
| any app not found in Play Store, but if you're getting your apps
| elsewhere anyway this is really convenient.
| idle_zealot wrote:
| > just as with any app not found in Play Store
|
| I would recommend caution with apps from the store too. Not
| only are many predatory practices not disallowed, outright
| malware can and does slip through review. The advice is the
| same as ever when it comes to computers: don't run programs you
| don't trust, and set your bar of trust high.
| aucisson_masque wrote:
| Agree, the Play Store isn't secure one bit.
|
| We hear enough stories about how Google removes legit apps without
| reason, using automated processes, to know that there are at
| least as many malicious apps that get through
| undetected.
| nox101 wrote:
| It's worse than that imo. People claim the web is dangerous
| because it runs untrusted code, but apps do the same with auto
| updates from stores, and the majority of apps are just
| webviews running code from the net but without the same level
| of sandboxing as a browser.
| furyofantares wrote:
| Alright, well I don't think I personally know anyone who has
| ended up with malware on their phone. I'm sure it could be
| better but it seems alright. I'm not gonna advise everyone I
| know to stress out about it by trying to have a high bar of
| trust and evaluate every app they wanna try only to have the
| exact same result they've had for years.
|
| The advice is absolutely not the same as it's always been -
| it would be weird if the advice from the early aughts, when
| it was common to be affected by malware or viruses, was the
| same as the advice now when it's rare.
| shakna wrote:
| You knowing someone personally is different from the
| objective millions of infections [0] that we've seen in the
| real world.
|
| [0] https://www.tomsguide.com/news/these-35-malicious-
| android-ap...
| furyofantares wrote:
| Nevermind that being downloaded a million times doesn't
| mean by a million people, as scammers download their own
| app to boost numbers -- a million is what, 1 in a few
| thousand smartphone users?
|
| I'd love it to be zero but the amount of vigilance
| warranted has gotta be a lot less than it was in the past
| unless there's some argument that magnitude of harm has
| gone up by a massive amount while probability has gone
| down by the same amount. Which, idunno, maybe that
| argument can be made actually.
|
| Also I guess 2001 felt unsafe to visit trusted websites,
| so the advice upthread was already a bit lessened.
| amelius wrote:
| > Obviously you have to be careful what you install
|
| How?
| msephton wrote:
| I use this to update Koreader on the Android tablet I use only
| for reading ebooks.
| tedchs wrote:
| Wow, what a great name!
| sigmonsays wrote:
| i've been using this app and i honestly prefer it this way.
|
| Let's not forget that certificates are created and checked for
| github.com, so it's unlikely for a middleman to get in.
|
| I trust GitHub much more than Google right now. Especially since
| the object being fetched is generic, as opposed to an app store.
| Google's app store has only been shown to hinder publishing. Take
| Syncthing for instance.
|
| The only thing I wish was better was the .apk selection process.
| It would be nice if a database existed with filename formats or a
| little extra metadata to match the correct asset.
| g-b-r wrote:
| > Let's not forget that certificates are created and checked for
| github.com, so it's unlikely for a middleman to get in.
|
| What?
|
| Don't assume that the APKs are generated by GitHub's CI;
| anyhow, anything can be uploaded as a release.
| rcMgD2BwE72F wrote:
| GitHub should provide a certificate when binaries are built
| from source with their tools.
| g-b-r wrote:
| They added something to verify if the binary came out of
| their CI only a few months ago; I haven't checked now, but
| it seemed extremely convoluted.
|
| In any case, there's for sure no GitHub certificate added
| to the APKs.
| yonatan8070 wrote:
| A great example of this would be the XZ backdoor, which never
| got committed to the source tree, but got implanted in the
| release tarballs, which were built on the attacker's systems.
| ap-andersson wrote:
| Do you mean https://apps.obtainium.imranr.dev/ or something
| else? That seems to be a crowdsourced list of configurations
| for different apps.
| CommanderData wrote:
| Would prefer everything is hosted on GitHub to reduce the attack
| surface. But this is cool!
| theage wrote:
| GitHub reserves the right to stop serving those release
| downloads at any time. They usually just kick you off entirely
| if your project gets unwanted attention. I don't see them
| allowing ReVanced (modded popular social apps) forever, so we
| still need a better way to trust outside that touch-and-go
| relationship.
| CommanderData wrote:
| Your app is a massive target; if your domain or web server is
| taken over, what implications would this have on the end
| users using your app (if any)?
| mikae1 wrote:
| 1. F-Droid
|
| 2. FFUpdater
|
| 3. Obtainium
|
| 4. Aurora Store
| Idesmi wrote:
| You can manage Firefox updates from Obtainium itself.
| theage wrote:
| Finally, a no-nonsense auto-app-updater app! If only sites would
| include a version number somewhere on the download page so
| Obtainium could find it. Looking at you, https://grayjay.app (it
| doesn't seem to work for partial file hash either, so I had to
| turn auto updates off for this one).
|
| We sorely need a 1:1 replacement of app store trust and discovery
| mechanisms too, without any Kafkaesque approval hoops. Obtainium
| app config sharing and perhaps a standard for APK release
| webpages would be a great first step towards that.
| sesm wrote:
| What's the point? If you install from source, the idea is to
| build on your own machine and review/test the code. GitHub
| releases don't even have the minimal review scripts that the Play
| Store does.
| anovick wrote:
| Can't access the site. It says: "Sorry, you have been blocked You
| are unable to access imranr.dev"
| compootr wrote:
| Here's their GitHub: https://github.com/ImranR98/Obtainium
| piratey wrote:
| Hmm, if only I had an app to easily install it from GitHub.
| TobTobXX wrote:
| When you install Obtainium from an APK, it prefills the
| Obtainium source for self-management.
| avipars wrote:
| Same here.
| ksynwa wrote:
| I've been using it for a while. I'm surprised that Android allows
| third party app installers that can update apps in the
| background. I don't follow the specifics of Android developments,
| but I 100% expected it to get more locked down with time.
| Zak wrote:
| The opposite happened; for a while, it did not allow third
| party installers to run without user interaction but now it
| does. EU legislation probably had a role in that change.
| encom wrote:
| I'll give this a shot. F-Droid is broken on Android 15 and nobody
| cares.
| ap-andersson wrote:
| What is broken in F-Droid? I just got Android 15 and am using
| F-Droid but have not noticed anything broken yet.
| encom wrote:
| Crashes on startup. Offers to send a stack trace, which I've
| done. I've been updating apps manually, which is tedious.
| lollobomb wrote:
| I use this and it's great. The only problem is when: 1) you want
| something outside of GitHub (from my experience, GitLab
| and Codeberg can already be buggy here, although very rarely), and 2)
| you need a specific release channel (example: Firefox Beta,
| which requires a bit of work). But overall it works great. Now,
| one has to consider the security aspects: stores like Google Play
| (and, to a lesser extent, F-Droid) do perform some antimalware
| checks. It's not bulletproof, but it gives a bit more trust in
| case the dev goes rogue or is compromised. BUT you have to trust
| the store. With Obtainium, you have to trust: 1) the app's
| developer, 2) GitHub/GitLab/Codeberg, 3) Obtainium's developer. So,
| it depends on what your threat model is. I'm looking forward to
| seeing wider adoption for Accrescent!
___________________________________________________________________
(page generated 2024-11-09 23:00 UTC)