Best security practices for installing APKs? Obtainium (GitHub) vs F-Droid repo directly from the developer

Hi,

I already did lots of research on this question but couldn’t find a final answer.

First off: I am trying to avoid Google Play.

I want to install SimpleX.

As installing it from the f-droid.org repo comes with many issues, security-wise and in terms of update speed, I now have two options.

Obtainium (SimpleX GitHub) or the F-Droid repo from the SimpleX team.

From my current knowledge you don’t have the issues anymore with f-droid.org if you just use the self-hosted repo from the developer directly. Because then you always get the updates directly without a delay, the developer signs the APK, and you don’t have to trust the f-droid.org team that it’s actually the software from the developer. Then the self-hosted repo from the developer should be, security-wise, as good as the GitHub repo via Obtainium.

I know how to use AppVerifier to verify the hash before installing the app.

If I am correct, neither Obtainium nor the SimpleX F-Droid repo is doing this automatically. But I am not 100% sure about it.

########

Now. What’s better for security: the official hosted F-Droid repo from SimpleX or the official GitHub?

#######

Please correct me if one of my assumptions above is incorrect.

For people who haven’t researched a lot, here are the official Privacy Guides recommendations: Obtaining Applications - Privacy Guides
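The AppVerifier-style check mentioned in the question, written out as an added example (not code from this thread, from SimpleX, Obtainium or AppVerifier): pin the developer's signing-certificate SHA-256 fingerprint and compare it against what `apksigner verify --print-certs` (Android SDK build-tools, assumed to be on PATH) reports for the downloaded APK. The fingerprint values in the block are constructed placeholders, not SimpleX's real signing key.

```python
"""Pin an APK signing-certificate SHA-256 fingerprint before sideloading."""
import re
import subprocess

# Matches "Signer #N certificate SHA-256 digest: <hex>" lines printed by
# `apksigner verify --print-certs`.
_SHA256_LINE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest:\s*([0-9a-fA-F:]+)\s*$", re.M)


def normalize_fingerprint(fp: str) -> str:
    """Canonical form: lowercase hex without colons/spaces, so a developer's
    published 'AA:BB:...' form compares equal to apksigner's 'aabb...' form."""
    cleaned = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        raise ValueError(f"not a SHA-256 fingerprint: {fp!r}")
    return cleaned


def signer_fingerprints(apksigner_output: str) -> list[str]:
    """Every signer's SHA-256 certificate digest found in apksigner output."""
    return [normalize_fingerprint(m.group(2))
            for m in _SHA256_LINE.finditer(apksigner_output)]


def signer_matches(apksigner_output: str, expected: str) -> bool:
    """True only if exactly one signer is present and it is the pinned one;
    no signer or several signers both fail closed."""
    found = signer_fingerprints(apksigner_output)
    return len(found) == 1 and found[0] == normalize_fingerprint(expected)


def verify_apk(apk_path: str, expected: str) -> bool:
    """Run apksigner on the APK and compare its signer to the pinned value."""
    proc = subprocess.run(["apksigner", "verify", "--print-certs", apk_path],
                          capture_output=True, text=True)
    if proc.returncode != 0:  # signature itself invalid: never install
        return False
    return signer_matches(proc.stdout, expected)


# Constructed sample of apksigner output and a constructed pinned value
# (placeholders, not a real developer key), for offline demonstration.
SAMPLE_OUTPUT = """Signer #1 certificate DN: CN=Example Developer
Signer #1 certificate SHA-256 digest: 11112222333344445555666677778888aaaabbbbccccddddeeeeffff00001111
Signer #1 certificate SHA-1 digest: ...
"""
PINNED = ("11:11:22:22:33:33:44:44:55:55:66:66:77:77:88:88:"
          "AA:AA:BB:BB:CC:CC:DD:DD:EE:EE:FF:FF:00:00:11:11")

if __name__ == "__main__":
    import sys
    ok = (verify_apk(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3
          else signer_matches(SAMPLE_OUTPUT, PINNED))
    print("signer OK" if ok else "signer MISMATCH: do not install")
```

Run it as `python3 pin_check.py app.apk <fingerprint published by the developer>`; with no arguments it checks the constructed sample against the constructed pin.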

Get SimpleX from Obtainium if you’re avoiding F-Droid, get it from F-Droid if you are using F-Droid.

Both have their own issues. Technically Google Play is better for security, but not for privacy. Obtainium is better for privacy (Even if you’re connecting to GitHub), but not for security. F-Droid from my understanding is better for privacy if you trust the F-Droid developers, and F-Droid servers, but bad for security. It seems like it is agreed that Obtainium is somewhat better than F-Droid for security, and definitely for reducing the amount of trust you need to have.

1 Like

Since the question isn’t specific to SimpleX in the title, I’m just going to point out the existence of Accrescent as well.

Not a super viable app store but some apps there are super helpful.

Now, focusing on SimpleX installation, the risk from Obtainium and the self-hosted repo from the SimpleX developer is about the same. You will always have some level of risk installing apps, and in this case they are pretty much the same, I’d say. You are trusting the developer and GitHub’s integrity.

You may be overthinking this, or I may be too incautious about this.

1 Like

Okay.
Thanks.
So my assumptions are right that in this specific example with SimpleX, Obtainium and the F-Droid developer repo are the same.
Accrescent tries to address all the issues and solve them. But right now they don’t have a lot of apps available.

Then I’m gonna install it from the self-hosted F-Droid developer repo.
Then I trust the developer’s website and not GitHub.

1 Like

Please read my whole description. What you are writing is not wrong, it’s just not specific to my situation.
But still thanks for the response.

1 Like

I have a few like this as well. I think it is a secure enough practice.

1 Like