don't trust. verify. make sure your apks are official and haven't been tampered with. #appverifier lets you easily verify apk app signatures. get it on #accrescent with automatic updates #cybersecgirl #privacytechpro #security #apps #grapheneos #android #foss #opensource https://github.com/soupslurpr/AppVerifier
Oh damn I was looking for something like this. However I've been making sure I'm careful to install from the legit source initially. Isn't that enough? I'm using Obtainium, so relying on that initial install to protect me from compromised updates that haven't been signed with the same sig #stilllearning
yes, and no. be sure to get your apks directly from the source whenever possible. download and verify the apk file the first time (before install), then install, add the app link to obtainium and use #obtainium to keep them all up to date (android verifies the signatures of updates). you can also retroactively verify already installed apks with #appverifier
Perfect. Yeah I wasn't going as far as to verify the apk, mostly just being careful about being on the correct github page etc. This will be useful to ensure I'm safe though. Thanks!!!
ofc. most of the time you'd be fine, but apks can be compromised by github/gitlab vulnerabilities (like the oauth attacks in 2020 & 2022) or anyone with access to the devs' git repos, or malicious devs. it's best practice to always verify.
also, the app and database are still growing and most apps don't publish hashes. here's what the dev had to say...

---

In reply to (redacted):matrix.org
> thanks for all the great work on this. some apps have a green checkmark, others don't; is there anything us users can do to help get more apps checked?

Yes, please read https://github.com/soupslurpr/AppVerifier/blob/master/CONTRIBUTING.md and if you can, it would be appreciated to contribute directly to the internal verification info database in code so it is easier for me to review and merge, as I don't have to write that part myself, only cross-verify.

> <@(redacted):matrix.org> perfect, so just to make sure I understand what's going on... the database includes a signing key hash taken from an app's website or github or whatever to later compare to the file, is that correct?

The app is installed from all the sources it is available on and the verification info is viewed and exported using AppVerifier. Most apps don't publish hashes.

---

until then we can try to verify by checking the apk site or repo for the hash signature for the apps we have and paste that into the appropriate app in appverifier, or download different apps from the same developer and compare their hashes. please note most apps don't publish hashes and the same app on google play, f-droid, and direct from dev apk can have different hash signatures etc
Cool to use Obtainium and download directly from Github?
yes, first get accrescent from the official github repo.

most secure: use android developer apk signer to verify the accrescent signing certificate hash, then install appverifier from accrescent and use it to verify the obtainium apk file. if it checks out, install obtainium, then use appverifier to verify all downloaded apks before installing and adding to obtainium (android verifies app update signatures) https://accrescent.app/faq#verifying

less secure: install accrescent from github, install appverifier from accrescent. use appverifier to verify the accrescent and obtainium apks. if it checks out, install obtainium. then use appverifier to verify all downloaded apks before installing and adding to obtainium (android verifies app update signatures)
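A small wrapper for the "apk signer" step above, added here as an example (it is not from the thread or from the AppVerifier/Accrescent projects). It assumes `apksigner` from the Android SDK build-tools is on PATH, and the expected digest passed in is a placeholder you replace with the fingerprint the developer publishes (for Accrescent, the FAQ linked above), never a value read out of the APK you are checking.

```shell
#!/bin/sh
# Added example: verify an APK's signature and pin its signing certificate.
# Assumes apksigner (Android SDK build-tools) is on PATH. The expected digest
# must come from the publisher (website, FAQ, repo), not from the APK itself.

# Read `apksigner verify --print-certs` output on stdin and print the first
# signer's certificate SHA-256 digest as lowercase hex (empty if absent).
extract_cert_sha256() {
    sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' | tr -d ' \r' | tr 'A-F' 'a-f'
}

# Normalise a published fingerprint: drop colons/whitespace, lowercase, so
# "AB:12:..." and "ab12..." compare equal.
normalise_digest() {
    printf '%s' "$1" | tr -d ': \r\n' | tr 'A-F' 'a-f'
}

# Return 0 only when both digests are non-empty and identical after
# normalisation; an empty actual digest (no signer found) never matches.
digests_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$(normalise_digest "$1")" = "$(normalise_digest "$2")" ]
}

# verify_apk <path.apk> <expected-sha256>: succeed only if apksigner validates
# the APK signature AND the signing certificate matches the pinned digest.
verify_apk() {
    apk=$1
    expected=$2
    out=$(apksigner verify --verbose --print-certs "$apk") || {
        echo "signature check failed: $apk" >&2
        return 1
    }
    actual=$(printf '%s\n' "$out" | extract_cert_sha256)
    if digests_match "$actual" "$expected"; then
        echo "OK: $apk is signed by the expected certificate ($actual)"
    else
        echo "MISMATCH: $apk" >&2
        echo "  expected: $(normalise_digest "$expected")" >&2
        echo "  actual:   ${actual:-<no signer certificate found>}" >&2
        return 1
    fi
}

# Usage: ./verify_apk.sh app.apk <published sha256 fingerprint placeholder>
if [ $# -eq 2 ]; then
    verify_apk "$1" "$2"
fi
```

A non-zero exit means either apksigner rejected the signature or the APK was signed by a key other than the one you pinned; in both cases do not install it.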
Bookmarking this. Thank you 🙏✨
Who is Accrescent? Is Logan Magee the main person? Are they public? What does the name mean? Are they trying to be a better F-Droid? I wonder if they've considered working with Obtainium. New to Graphene. Currently I'm verifying with gpg on my computer when possible. This is all a bit complicated/tedious. The price one needs to pay? God help the normies.
Checked on github. It doesn't look like Accrescent or AppVerifier can be verified with gpg. I don't have apksigner. How does one obtain that? gpg is fairly available. I use it while booted in Tails. I wish developers would continue to use it as a verification option. I was able to verify Obtainium with gpg. Sorry for so many questions.