Over 100,000 Infected Repos Found on GitHub - I'm concerned as I use Obtainium as recommended

Hi, as per the title, should we be worried if we're using Obtainium?

I doubt this issue is limited to Obtainium, since this could happen to any software you get from anywhere else (both open source and proprietary software) if it uses libs or packages from those malicious repos in its apps, etc.


:+1: Can we do anything to limit our damage if it were to occur? Limit how many apps we install? Go back to F-Droid?

If you can’t trust your apps’ developers, the only thing you can do is to uninstall the apps.


It doesn't seem to be an issue of too much concern; just be vigilant and careful and only use reputable software. While this article says these are advantages for attackers (and perhaps they are), it makes attacks on users less likely, IMO.

  1. Know what you are installing, know who the actual developer is and how to find the official versions of that software.
  2. Source it through legit official channels (direct from the developer or a 3rd party you trust as much as or more than the developer).
  3. Hope that the developers of the software you use are also careful themselves when it comes to #1 and #2.

Also, checking digital signatures is a good thing to do.

From what I understand these are all typosquatted repos/forks, not actual compromised original/official repos.

I mentioned this as an issue previously:


Hmm, so I'm guessing I should prioritise where I get my apps, as follows:

  1. Google Play Store
  2. F-Droid
  3. GitHub/Obtainium (last resort)

Is that a better upgrade?

Is there any app you cannot find in either Google Play/Aurora Store or F-Droid?

Why Play Store over F-Droid???

I think because the Play Store removes apps that are malicious and F-Droid doesn't. Safer.

That isn't true. The main issue revolves around how F-Droid signs apps itself versus how GP uses dev-signed apps (F-Droid is working on using reproducible builds, but there are a couple of other security issues with F-Droid that I'm not too familiar with. I still love F-Droid though and use it instead of Google Play :slight_smile: )

Google Play signs apps too these days.

If you haven’t already done so, enroll in Play App Signing, which is the mandatory way to upload and sign all new apps since August 2021.

And nearly all new apps on F-Droid are developer signed.


Ah! Thanks for the information! Is this done through reproducible builds?

I think that, yes, that’s the case.

