 How does Obtainium handle package/apk verification? 
 It doesn't. They are adding a way to check for hashes against a "trusted database", but afaik not live yet 
 Keep in mind that this is only needed for first installs 
 What do you mean "only for first install"? Shouldn't you verify packets at every release? 
 No, Android checks that for you. It's a bit like SSH (trust on first use) 
 Oh wow didn't know that. Guess I have something new to learn now, thanks. 
 It doesn't, but if you are provided a malicious update to an already installed app, Android handles the verification and will prevent the installation of the update if it was not signed by the developer.

The first installation is the only time you usually risk a MITM attack.
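
Added example, not part of the thread and not Obtainium or Android code: a small Python model of the trust-on-first-use behaviour discussed above, showing that the first install is the only point where an out-of-band fingerprint check adds anything. It reads the SHA-256 signer digest from `apksigner verify --print-certs` output; the sample output, digests, package name and the `check_install` helper are constructed for illustration, and signing-key rotation is ignored.

```python
import re

# Constructed digests and constructed `apksigner verify --print-certs` output.
DEV_DIGEST = "ab" * 32
OTHER_DIGEST = "cd" * 32
SAMPLE_OUTPUT = (
    "Signer #1 certificate DN: CN=Example Developer\n"
    f"Signer #1 certificate SHA-256 digest: {DEV_DIGEST}\n"
    "Signer #1 certificate SHA-1 digest: " + "01" * 20 + "\n"
)

DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-f]{64})$", re.M
)


def signer_digests(apksigner_output):
    """Return the set of SHA-256 signer certificate digests in the output."""
    return frozenset(DIGEST_RE.findall(apksigner_output))


def check_install(pins, package, digests, published=None):
    """Decide whether an APK may be installed (hypothetical helper).

    pins      -- dict: package name -> digests recorded at first install
    digests   -- signer digests of the APK being installed
    published -- fingerprint the developer published out of band, if known
    """
    if not digests:
        return "rejected: no signer found"
    if package in pins:
        # Update path: the signer must match what was pinned at first install.
        if digests == pins[package]:
            return "update: signer matches"
        return "rejected: signer changed"
    # First install: nothing is pinned yet, so only an out-of-band
    # fingerprint can tell a genuine APK from a substituted one.
    if published is not None and published.lower() not in digests:
        return "rejected: fingerprint mismatch"
    pins[package] = digests
    if published is not None:
        return "first install: fingerprint verified"
    return "first install: trusted on first use"


if __name__ == "__main__":
    pins = {}
    apk = signer_digests(SAMPLE_OUTPUT)
    print(check_install(pins, "org.example.app", apk))
    print(check_install(pins, "org.example.app", frozenset({OTHER_DIGEST})))
```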