This is your periodic reminder to install Amethyst (and all other Nostr clients) through Obtainium instead of Google's PlayStore. You not only receive faster updates (the PlayStore is currently 4 versions behind) but you also start the process of freeing yourself from your invisible digital overlords. Just follow this video: https://cdn.satellite.earth/2bd7e308c1797d64fca09b1d61e9bde24c68dd45e501c7383eff1e85392df11f.mp4
Watch this video! This is the "best" "sovereign" UX to install apps we've got. The bar is low. nostr:note1dzwu8k3snuwneufxkr5f2rpksq7d2j682eyffd2u87hlq9nxyllsswsjel
I’ve been an Obtainium maxi for some time. This is the way.
Obtainium has some problems. If you're interested I dove deep into this topic: https://stacker.news/items/404908
I've been installing APKs like a caveman!
I'm getting this error message https://m.primal.net/HaxL.jpg
Did you have a previous version installed? If so, you may need to uninstall first.
It worked. Thanks.
So GitHub is our new middleman.
For now. :) Until GitStr :)
Obtainium works on a lot of sources in addition to GitHub. But one step closer to direct from developer is still an upgrade imo
Been doing this for a few months now. And not just for Nostr apps. 👇👇👇 nostr:nevent1qqsx38wrmgcf78fu7yntp6y4psmgq0x4fdr4vjy5k4wrltlszenz0lcpzemhxue69uhhyetvv9ujuurjd9kkzmpwdejhgq3qgcxzte5zlkncx26j68ez60fzkvtkm9e0vrwdcvsjakxf9mu9qewqxpqqqqqqzumg39q https://image.nostr.build/abaa00d1dc23cba9394d8a7e7cc59cd257ed83036157b9c84b3ad6f8cb5992fa.jpg
You can also find Obtainium in F-Droid nostr:note1dzwu8k3snuwneufxkr5f2rpksq7d2j682eyffd2u87hlq9nxyllsswsjel
How does Obtainium handle package/apk verification?
It doesn't. They are adding a way to check for hashes against a "trusted database", but afaik not live yet
Keep in mind that this is only needed for first installs
What do you mean "only for first install"? Shouldn't you verify packets at every release?
It doesn't, but if you are provided a malicious update to an already installed app, Android handles the verification and will prevent the installation of the update if it was not signed by the developer. The first installation is the only time you usually risk a MITM attack.
F-droid is pretty mature. What's the goal here?
F-droid is as centralized as Google. Just different overlords.
A FOSS app on GitLab is as centralized as the Google app store? It seems odd to take that strong of a position and then think Microsoft's GitHub of all things is the answer. I think it's cool. It's just confusing and contradictory. I don't see how centralization is being solved here. That's why I wonder what the goal is. Because if this is the entire goal then I'm either a moron or something doesn't add up.
Yes, the app is FOSS, but the app is the least important part of F-droid. The key is the catalog of apps that is extremely controlled by a few individuals that review. To give you an idea, Firefox is not open source enough for F-Droid's review board. Which is bonkers. To me, as an app developer that publishes constantly to both Google and F-Droid, the F-droid review board has been way more controlling of what I can do in the app than what Google does. Which is also bonkers. But again, neither Google, nor F-droid is there to decentralize things from themselves. Both are incentivized to keep as much control as possible. And that's my whole point to move away to Obtainium. FOSS doesn't necessarily mean decentralized.
Product pages like yours https://github.com/vitorpamplona/amethyst should really highlight that straight APKs from Obtainium or GitHub or whatever are the preferred download. Because of different signatures the app source can't be easily changed later, it requires a reinstall with migrating data from the old to the new install, which can be a hassle. Ran into this the other day wanting to install SimpleX from GitHub after originally getting it from Google Play.
But we do, the preference to install is in order. Both on GitHub and on https://amethyst.social
There is no "review board". If the code doesn't compile using only free software, it is rejected. F-droid is about pure open source. Way too many random apks from the internet are loaded with 3rd party tracking, at the least. Anyone can set up their own f-droid repo and serve up their own apks. Izzydroid, divested, guardian project, calyx, cromite, etc have all done this. Obtainium is basically a fancy curl interface. It doesn't verify anything and so long as the binary blob downloads, you can install it. It's no different than a user browsing and downloading binaries off the internet. F-droid needs lots of work, and it's a constant work in progress, but I feel it's vastly better than the alternatives right now.
Accrescent.app will be a much better alternative, protecting users from unsafe apps without making life hell for developers.
I'm not really supposed to ask yet as it's invite only, but have you seen accrescent.app? It's a much more developer and user friendly app store. I'm sure they'd love to have Amethyst on there if you asked.
Use Obtainium instead of Google Play Store or F-Droid. A lot simpler, no centralization, no account needed and faster updates. nostr:nevent1qqsx38wrmgcf78fu7yntp6y4psmgq0x4fdr4vjy5k4wrltlszenz0lcpz3mhxue69uhkummnw3ezummcw3ezuer9wcpzq3svyhng9ld8sv44950j957j9vchdktj7cxumsep9mvvjthc2pjuqvzqqqqqqyh6tx8k
Do I need to delete the Google play version first?
yep
my King
Unfortunately yes, it has a different cryptographic signature that's signed by Google. Good to prevent fake apps from grabbing your real app data. Bad that it locks you into Google unless you uninstall.
Done here! My app downloaded through the Play Store was three versions behind! It didn't allow updating the existing app, so I had to uninstall and do a fresh installation through Obtainium.
Did you need to reenter your nsec?
If you uninstall a version, yes. But it's better to use Amber.
Is there an Amber app? All I could find is the GitHub repository
Yes https://github.com/greenart7c3/amber into Obtainium.
Do you know if I can download #primal through Obtainium? I tried here, and it gave an error.
@CAPiVARA the video didn't open here... where did you download the updated Amethyst from, other than Google Play?
From here: download Obtainium, and from inside it you can pull Amethyst straight from the repository, but it would be good to watch the video because it has the step-by-step instructions https://github.com/ImranR98/Obtainium
You convinced me and I have a number of my main apps going in it. I am noticing that I have to uninstall some apps to get the version thru Obtainium to install without errors, but small price to pay to cut the cord with google on as many apps as I can.
Thank you! this is so clear and simple.
Dumb question: what is a "universal" APK when getting the choice? I know v8a vs v7a, but what's the use case for universal?
Go for it! It's easier than it sounds... nostr:nevent1qqsx38wrmgcf78fu7yntp6y4psmgq0x4fdr4vjy5k4wrltlszenz0lcpz4mhxue69uhhyetvv9ujumt0wd68ytnsw43qygzxpsj7dqha57pjk5k37gkn6g4nzakewtmqmnwryyhd3jfwlpgxtspsgqqqqqqsdjlsqa
I don't know what I'm doing wrong. I've installed obtainium but when I search amethyst nostr it displays unauthorized
Did you copy/paste the Amethyst GitHub repo? If not, Obtainium is a tool to get updates for apps from locations but not a traditional market so you can't search for things. Try pasting this in if you didn't already try it: https://github.com/vitorpamplona/amethyst
How's this compared to Aurora Store?
No idea. The main question is who decides what shows up in Aurora's app catalog?
Aurora Store is just a frontend for the Google Play Store, to be used on devices that can't access it
Aurora store is access to the play store without a Google account. Good for degoogling but still the same version and relying on Google's hosting
Wow didn't even know this existed! Thank you nostr:nevent1qqsx38wrmgcf78fu7yntp6y4psmgq0x4fdr4vjy5k4wrltlszenz0lcpz3mhxue69uhhyetvv9ujuerpd46hxtnfdupzq3svyhng9ld8sv44950j957j9vchdktj7cxumsep9mvvjthc2pjuqvzqqqqqqy27wsgg
I run Graphene and I don't even have f-droid installed thanks to Obtainium. nostr:nevent1qqsx38wrmgcf78fu7yntp6y4psmgq0x4fdr4vjy5k4wrltlszenz0lcpz4mhxue69uhhyetvv9ujumt0wd68ytnsw43qygzxpsj7dqha57pjk5k37gkn6g4nzakewtmqmnwryyhd3jfwlpgxtspsgqqqqqqsdjlsqa
Fdroid (and even Google Play) verify apk signatures and hashsums. The lack of integrity and authenticity verifications in Obtainium (which just fetches apks over https) certainly puts it at a severe disadvantage when it comes to security. Obtainium is as much censorship resistance as possible but we should be clear about the trade-offs. Unless there is a standard way for devs to publish hashsums and sigs on GitHub Releases that Obtainium could use for verification, things are not likely to improve. nostr:nevent1qqsx38wrmgcf78fu7yntp6y4psmgq0x4fdr4vjy5k4wrltlszenz0lcpz9mhxue69uhkummnw3ezuamfdejj7q3qgcxzte5zlkncx26j68ez60fzkvtkm9e0vrwdcvsjakxf9mu9qewqxpqqqqqqzvh4att
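The check the post above asks for, as an added example that is not part of the thread and not Obtainium's code: verifying a downloaded APK against a developer-published SHA-256 manifest in `sha256sum` format, failing closed when the file is not listed. The file name, manifest and APK bytes are constructed; a manifest fetched from the same host as the APK only detects corruption, so the expected digest should come from a channel the download host does not control.

```python
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdef")

def parse_manifest(text):
    """Parse sha256sum-style lines: '<64 hex>  <name>' or '<64 hex> *<name>'."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest, name = digest.lower(), name.strip()
        if name.startswith("*"):          # binary-mode marker used by sha256sum
            name = name[1:]
        if len(digest) != 64 or not set(digest) <= HEX or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        if entries.get(name, digest) != digest:
            raise ValueError(f"conflicting digests for {name}")
        entries[name] = digest
    return entries

def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so large APKs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_apk(path, manifest_text):
    """True only if the file is listed in the manifest and its digest matches."""
    expected = parse_manifest(manifest_text).get(os.path.basename(path))
    if expected is None:                  # not listed: refuse rather than assume
        return False
    return hmac.compare_digest(sha256_file(path), expected)

def demo():
    """Constructed stand-in APK: verify it, then append bytes and verify again."""
    with tempfile.TemporaryDirectory() as d:
        apk = os.path.join(d, "app-universal.apk")
        with open(apk, "wb") as f:
            f.write(b"constructed stand-in for APK bytes")
        manifest = f"{sha256_file(apk)}  app-universal.apk\n"
        before = verify_apk(apk, manifest)
        with open(apk, "ab") as f:
            f.write(b"tampered")
        return before, verify_apk(apk, manifest)

if __name__ == "__main__":
    print(demo())
```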
You should push for signature verification to be implemented into Obtainium. nostr:nevent1qqswehak0rjukxhxvne7908t4hlzx890tjfytwg3rp636hjhz7f0gvqpz3mhxue69uhhyetvv9ujuerpd46hxtnfdupzp5x7h70mzt00s86r6lrfg2dm0pyp9tq7f5k48gszmd42cl4yk3nvqvzqqqqqqy7fjueq
My Samsung is not allowing the installation of apps from unknown sources and I can't change that setting.
Does anyone know if an app downloaded via APK or through Obtainium can be updated automatically by the Play Store? I ask because the apps I installed in this way continue to show up in the Play Store as 'installed.' I believed that I would lose this link if I installed them outside the official Android store 🤔
Yes, google play checks for the crypto signature of each apk. And if it matches the google play version, it will consider it installed ^^
No, they are different things with the same name. That's why it shows as installed. But the PlayStore update will never work because the signature is different. Once you switch to Obtainium, you have to keep using it or uninstall and try another method.
Got it! I was concerned about installing apps outside the Playstore, and if there was an update through the Playstore, my phone might force the update through the native store. Thank you!
Well it's not obvious. I only started noticing this once I developed my first apps. And somehow google play could update my manually downloaded test APKs as soon as my app got released. The magic is in the signing key :)
Oh I see! Didn't realize they used different signing keys.
interesting. Does Obtainium use the release added in github repos?
I get conflicting package errors all the time with Obtainium
Strange. I have used Obtainium for over a year and never gotten an issue. Are those with Amethyst? Do you also use other forms of installation?
@Vitor Pamplona and the version on F-Droid? I just don't want 9 different app stores - already have 3 without Obtainium installed.
No need for F-droid (which is also very centralized) if you have Obtainium
but FDroid is more safe (they compile software themselves), github dev can add malicious code to the build.
If the dev is malicious, F-droid will compile the malicious code as well (F-droid doesn't review any changes to the actual code). There is no extra safety being added by F-Droid. They only check if the code is open source, that's it.
if the application has a sizeable user base, there will be users (most likely contributors) who will discover the change, they have about 1 day, but many FDroid users rarely update repositories, so more than 1 day. Malicious functionality in builds can go unnoticed for years.
Could be interesting to have an organization that would specialize in reviewing code with results integrated into a directory with nostr. Badges and additional marketing exposure could be a benefit. Members could be both producers and users and could pay for the service.
There is no need for such an "organization". Just trust your favorite developer. E.g. if you use Amethyst, that means you trust Vitor Pamplona. And so on...
Google play doesn't let me install amethyst. F-Droid does.
Great!
It's on fdroid too which is nice.
Do F-Droid or Obtainium migrate all apps to new device automatically?
I've never used Obtainium, but I believe F-Droid is just to install apps. Android has a backup mechanism which would likely work for data migrations. I've never tried a migration tho. The idea of starting fresh is nice. It declutters and renews. The downside is reconfiguration... But that's also useful for learning.
I need this nostr:nevent1qqsx38wrmgcf78fu7yntp6y4psmgq0x4fdr4vjy5k4wrltlszenz0lcpz4mhxue69uhhyetvv9ujumt0wd68ytnsw43qygzxpsj7dqha57pjk5k37gkn6g4nzakewtmqmnwryyhd3jfwlpgxtspsgqqqqqqsdjlsqa
#privacytechpro tip: use #obtainum to get your #android and #grapheneos apks. As a long time Obtainium user it's nice to see @Vitor Pamplona promoting it as the official method for getting #Amethyst nostr:nevent1qqsx38wrmgcf78fu7yntp6y4psmgq0x4fdr4vjy5k4wrltlszenz0lcpp4mhxue69uhkummn9ekx7mqzyprqcf0xst760qet2tglytfay2e3wmvh9asdehpjztkceyh0s5r9cqcyqqqqqqgem985y here are all the sources you can pull apks from: https://image.nostr.build/e5f8f80c2ea9bb006c72a1de559329485824a44cf4ae59f8523fb185c95ad801.jpg #cybersecgirl #obtanium #amethyst
Sideloading is a double-edged sword, careful now.
That is what play store people love to tell you :)
A tutorial on how to install apps using obtainium. You can use this to install apps from fdroid too. nostr:nevent1qqsx38wrmgcf78fu7yntp6y4psmgq0x4fdr4vjy5k4wrltlszenz0lcpzdmhxw309akx7cmpd35x7um58g6rsd3eqgsyvrp9u6p0mfur9dfdru3d853tx9mdjuhkphxuxgfwmryja7zsvhqrqsqqqqqpgcrzx5
Now that Google banned my account, I'm *all-in* on Obtainium 😂 nostr:note1dzwu8k3snuwneufxkr5f2rpksq7d2j682eyffd2u87hlq9nxyllsswsjel
A tutorial on how to install apps using obtainium. You can use this to install apps from fdroid too. nostr:nevent1qqsx38wrmgcf78fu7yntp6y4psmgq0x4fdr4vjy5k4wrltlszenz0lcpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsygzxpsj7dqha57pjk5k37gkn6g4nzakewtmqmnwryyhd3jfwlpgxtspsgqqqqqqsm5mvq4
I think this is what you're looking for nostr:nevent1qqsx38wrmgcf78fu7yntp6y4psmgq0x4fdr4vjy5k4wrltlszenz0lcppamhxue69uhkummnw3ezumt0d5pzq3svyhng9ld8sv44950j957j9vchdktj7cxumsep9mvvjthc2pjuqvzqqqqqqy8zzm2c