Hi all,

Interesting problem. An open-source project gets their app removed from google play, so they post a message on mastodon that -for the time being- you can download the app via direct download.

I post a reply saying that directing people to a direct link is not a good idea, as hackers could start doing the same to spread malwhere, better use an official repo (like f-droid, where they are already on).

A typical problem of somebody who writes a genuine post, but without realising it himself writes something that is very close to what a phishing message would look like.

However, this got me thinking. What you want to avoid is that people get used to the idea that it is OK to download and install apps from a random URL. But if you point people to f-droid, they need to also download the apk for that, and configure the security on your phone that apk’s downloaded via <browser> may be installed.

I guess, the later should surely be avoided as most people will then leave that option enabled. (I had to search deep into the security setting to find the option to switch it off again).

What are your opinions on this? What would be the best way to do this and not teach people bad security habbits?

Direct download or f-droid? Other ideas? Is there a good sollution for this?

Kr.

  • lurch (he/him)
    link
    fedilink
    arrow-up
    1
    ·
    4 months ago

    I don’t trust f-droid as well, because some of its apps crash the (un)installer and can therefore never be removed.

    However, you need a trustworthy party and they have to digitally sign the APK after checking the code (changes) and compiling it themselves. They can also sign messages they send to the public.

    • kristoff@infosec.pubOP
      link
      fedilink
      arrow-up
      2
      ·
      edit-2
      4 months ago

      Hum , interesting point. If you are a hacker, would you not prefer software to be spread out everywhere so people would be even more confused what is the real source for some application?

      I guess people would then just depend on their search engine