Downsides to installing APKs from Github?

I haven’t seen much discussion about this other than people recommending to verify the APK installation for the first time. Another argument was that you have to trust each developer individually not to release a malicious update. If you are using their app it means you already trust them so I don’t see how this argument applies. Are there any other downsides that I am not aware of?

1 Like

With an appstore that is properly vetted, you have an outside authority looking over updates to make sure they are not malicious. You don’t have this when just downloading APKs.


One downside may be the fact that many apps don’t give auto-updates for GitHub Releases.

1 Like

I was planning on using Obtanium anyway. This leads me to another question, would it be better to use the self-update functionality for apps or just use Obtanium? My way of looking at it is that If use Obtanium (even for a self-updating app), I have less apps with the “Install unknown apps permission” which reduces my attack surface. Is my point of view correct?

2 Likes

That depends. If the app can verify the hash of it’s own updates, use the app’s own updater.

Obtainium does not make an effort to verify hashes of apps, so what Obtainium is downloading may be maliciously modified without you knowing about it beforehand. This is also true for when downloading apps using Obtainium with F-Droid as a source - it does not verify signatures.

How would I know if the app does that?

unless you can read the code, or if it’s explicitly stated somewhere, there’s no real way to know beforehand.

This is not true, Android always verifies the signature of app updates, including updates downloaded via Obtainium. You should use Obtainium (for the reason you mentioned @anon5233878, to reduce the number of apps with extraneous permissions), unless the self-updater is much faster than Obtainium for some reason or something.

1 Like

I just now realised that in my haste, I mixed up “hash” and “signature”

dumb mistake, I’ll go back and edit it.

1 Like