Android apk repository?
-
@Dashrender How do you verify anything you can install on any operating system?
If you download iso files from microsoft for instance, they show the hash of the file on their website and you can check the file's integrity. That is the standard way of verifying that the files are what you think they are.
Only a few android developers have direct download of the apk files from their websites. Often they are in odd places. For instance to find where mozilla put their firefox apks is not straightforward.
Problem with this whole thing is that a lot of android developers don't provide the apk files directly and you have to get them from google play. But to do that you need to sign up with google first, because google doesn't allow apk download from their site.
I also think that apks are signed software and you can verify that, but I haven't figured out how.
PS. @IRJ mentioned a couple of solutions to the problems above that I will check out.
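
Added example, not part of the original post: one way to do both checks described above, comparing a download against a published SHA-256 and pinning the APK's signing certificate using `apksigner verify --print-certs` from the Android SDK build-tools. The function names and all sample values are constructed for illustration.

```sh
#!/bin/sh
# Added example: integrity check (published hash) and publisher check (pinned
# signing certificate). All file contents and digests below are constructed.

# Print the SHA-256 of a file, using whichever tool is installed.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi 2>/dev/null | awk '{print $1}'
}

# Normalise a hex digest as published on a site: drop spaces/colons, lowercase.
norm_hex() { printf '%s' "$1" | tr -d ' :' | tr 'A-F' 'a-f'; }

# sha256_matches FILE EXPECTED_HEX: succeeds only when the download matches.
sha256_matches() {
    actual=$(hash_file "$1")
    [ -n "$actual" ] && [ "$actual" = "$(norm_hex "$2")" ]
}

# Read `apksigner verify --print-certs` output on stdin and print the SHA-256
# digest of each signer certificate, one per line.
signer_digests() {
    sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: *\([0-9a-fA-F]*\).*$/\1/p' |
        tr 'A-F' 'a-f'
}

# apk_signed_by APK PINNED_HEX: the signature must verify AND the only signer
# must be the certificate pinned from a copy of the app you already trust.
apk_signed_by() {
    out=$(apksigner verify --print-certs "$1") || return 1
    [ "$(printf '%s\n' "$out" | signer_digests)" = "$(norm_hex "$2")" ]
}

# Demo on constructed data (runs without the Android SDK installed).
demo() {
    tmp=$(mktemp) && printf 'abc' > "$tmp"
    sha256_matches "$tmp" \
      BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD &&
      echo "hash OK"
    rm -f "$tmp"
    printf 'Signer #1 certificate DN: CN=Constructed\nSigner #1 certificate SHA-256 digest: 00AAbb11\n' |
      signer_digests
}
demo
```

A matching hash only shows the file is the one the site describes; the certificate digest is what ties an APK from a mirror or third-party store to the same publisher as a copy you already trust, and Android applies the same rule when it refuses an update signed by a different certificate.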
-
We have a couple of bricked phones because of google. If you sign up with google and then you leave the company and your phone, you can't factory reset the phone and let someone else use it. You must have access to the original google account. If you don't, the phone is bricked.
That's google trying to "help" you. It was introduced in Android 5 something.
PS. I think you can get around this too but it involves tricking the bootloader and connecting it to a PC or something like that. Of course the people who steal phones know exactly how to do it.
-
@Dashrender said in Android apk repository?:
@IRJ said in Android apk repository?:
@dafyre said in Android apk repository?:
3rd Party Repos / APK Stores don't bother me so much...mainly because I understand that there is risk. Granted you have Risk even on the Google Play store as well... So as long as you expect risk (and use reputable sources), I don't see a problem with it for personal stuff.
Ding Ding!!!
I mean seriously... You gotta love the mentality. We know Google is selling our data and bending us over dry. The mentality of some 3rd party can bend you over worse is kind of silly to me. Sure it is certainly possible, but we have a known entity here that invades privacy and sells data like it's no other.
Google is also known for censorship through its outlets and doesn't even bother to show up when the whole Facebook witch hunt was going on. Clearly stating that privacy is an issue it doesn't feel it needs to address.
I get what you're saying - but at least Google puts in an error to keep the shit out. Is it perfect - nope, no one is, but with a 3rd party (likely unmanaged) repo - you have no clue what's happening there. What prevents hackers from uploading all kinds of infected shit with similar names to real things? or straight up replace real things with their own hacked version?
I honestly have no clue how 3rd party repos work - so just answer that question, don't be a JB about it.
What an honor to be referred to as JB
I am just not a fan of google. So there are two major 3rd party app stores that work a little differently:
Aptoide
This is the biggest 3rd party app store. These guys allow pretty much anything in their store which can be dangerous. I'd say about 50% of their stuff they do scan and verify (which is marked in their store). Because they don't check certain apks, I personally avoid their app store.
F-Droid
Every app is scanned and checked by a volunteer community. This community has very strong ties with open source projects such as Nextcloud. In addition to their stable app, NC also has a beta version of some of their apps for the F-Droid community.
One other thing I really like about F-Droid is that ads and potential privacy issues are bolded on particular apps. Examples of apps that are marked as possibly dangerous are any apps that connect to social media sites such as Facebook or Twitter. Even apps such as "Tin Foil Hat for Facebook", which is a sandbox that runs Facebook mobile, is marked as AntiFeature.
-
@Pete-S said in Android apk repository?:
We have a couple of bricked phones because of google. If you sign up with google and then you leave the company and your phone, you can't factory reset the phone and let someone else use it. You must have access to the original google account. If you don't, the phone is bricked.
That's google trying to "help" you. It was introduced in Android 5 something.
PS. I think you can get around this too but it involves tricking the bootloader and connecting it to a PC or something like that. Of course the people who steal phones know exactly how to do it.
It isn't cheap, but Copperhead OS might be a solution your company could possibly look into. Instead of a subscription model, the cost is a one time up front cost. It offers a really nice, secure MDM solution without relying on Google. I have run Copperhead OS for over a year and absolutely love it.
-
@Pete-S said in Android apk repository?:
@Dashrender How do you verify anything you can install on any operating system?
If you download iso files from microsoft for instance, they show the hash of the file on their website and you can check the file's integrity. That is the standard way of verifying that the files are what you think they are.
Only a few android developers have direct download of the apk files from their websites. Often they are in odd places. For instance to find where mozilla put their firefox apks is not straightforward.
Problem with this whole thing is that a lot of android developers don't provide the apk files directly and you have to get them from google play. But to do that you need to sign up with google first, because google doesn't allow apk download from their site.
I also think that apks are signed software and you can verify that, but I haven't figured out how.
PS. @IRJ mentioned a couple of solutions to the problems above that I will check out.
Personally I'm willing to give up some privacy for the protection that Google provides. IRJ might really hate - and I'm certainly not fond of it, but I deal with it for something closer to better security.
And for normals - don't even get me started - the 99.9%'ers need as much hand holding protection as they can get.
Some game recently completely blew off going to any standard repo because they didn't want to pay the 30% store tax to the vendor. They get to keep that money for themselves instead of Google getting it - but at what cost? How many fewer people are getting the game because of the manual process the user has to go through? 30% less? maybe - who knows?
-
@Pete-S said in Android apk repository?:
We have a couple of bricked phones because of google. If you sign up with google and then you leave the company and your phone, you can't factory reset the phone and let someone else use it. You must have access to the original google account. If you don't, the phone is bricked.
That's google trying to "help" you. It was introduced in Android 5 something.
PS. I think you can get around this too but it involves tricking the bootloader and connecting it to a PC or something like that. Of course the people who steal phones know exactly how to do it.
I don't consider this a real issue - Companies should be providing company based Google accounts for these company devices - that solves the problem for the company. If the user is able to reset the phone and put only their own Google account into the phone - that's an HR issue.
-
@IRJ said in Android apk repository?:
@Dashrender said in Android apk repository?:
@IRJ said in Android apk repository?:
@dafyre said in Android apk repository?:
3rd Party Repos / APK Stores don't bother me so much...mainly because I understand that there is risk. Granted you have Risk even on the Google Play store as well... So as long as you expect risk (and use reputable sources), I don't see a problem with it for personal stuff.
Ding Ding!!!
I mean seriously... You gotta love the mentality. We know Google is selling our data and bending us over dry. The mentality of some 3rd party can bend you over worse is kind of silly to me. Sure it is certainly possible, but we have a known entity here that invades privacy and sells data like it's no other.
Google is also known for censorship through its outlets and doesn't even bother to show up when the whole Facebook witch hunt was going on. Clearly stating that privacy is an issue it doesn't feel it needs to address.
I get what you're saying - but at least Google puts in an error to keep the shit out. Is it perfect - nope, no one is, but with a 3rd party (likely unmanaged) repo - you have no clue what's happening there. What prevents hackers from uploading all kinds of infected shit with similar names to real things? or straight up replace real things with their own hacked version?
I honestly have no clue how 3rd party repos work - so just answer that question, don't be a JB about it.
What an honor to be referred to as JB
I aim to please
You were (and continue to) being cool to me and my questions - I just wanted to toss that out there in case you were getting irked at my leading questions.
Thanks.
-
@Dashrender said in Android apk repository?:
Personally I'm willing to give up some privacy for the protection that Google provides.
What protection is that?
Anyone could upload any app they made to the play store. You have no clue what the app does. Google only provides convenience by having a lot of apps in the same place, not security. They also provide inconvenience because you have a lot of crappy stuff there as well, so it can be difficult to find what you are looking for.
-
@Pete-S said in Android apk repository?:
@Dashrender said in Android apk repository?:
Personally I'm willing to give up some privacy for the protection that Google provides.
What protection is that?
Anyone could upload any app they made to the play store. You have no clue what the app does. Google only provides convenience by having a lot of apps in the same place, not security. They also provide inconvenience because you have a lot of crappy stuff there as well, so it can be difficult to find what you are looking for.
While not a perfect job - they do curate the store. They have automated systems that look for bad behavior in APKs and kick them out of the store.
As for crappy things - sure, any place that has a mostly open door policy will have that problem. Just not something you can really control, short of not being an open door type place.
-
@Dashrender said in Android apk repository?:
@IRJ said in Android apk repository?:
@Dashrender said in Android apk repository?:
@IRJ said in Android apk repository?:
@dafyre said in Android apk repository?:
3rd Party Repos / APK Stores don't bother me so much...mainly because I understand that there is risk. Granted you have Risk even on the Google Play store as well... So as long as you expect risk (and use reputable sources), I don't see a problem with it for personal stuff.
Ding Ding!!!
I mean seriously... You gotta love the mentality. We know Google is selling our data and bending us over dry. The mentality of some 3rd party can bend you over worse is kind of silly to me. Sure it is certainly possible, but we have a known entity here that invades privacy and sells data like it's no other.
Google is also known for censorship through its outlets and doesn't even bother to show up when the whole Facebook witch hunt was going on. Clearly stating that privacy is an issue it doesn't feel it needs to address.
I get what you're saying - but at least Google puts in an error to keep the shit out. Is it perfect - nope, no one is, but with a 3rd party (likely unmanaged) repo - you have no clue what's happening there. What prevents hackers from uploading all kinds of infected shit with similar names to real things? or straight up replace real things with their own hacked version?
I honestly have no clue how 3rd party repos work - so just answer that question, don't be a JB about it.
What an honor to be referred to as JB
I aim to please
You were (and continue to) being cool to me and my questions - I just wanted to toss that out there in case you were getting irked at my leading questions.
Thanks.
Google does irk me. Not you...lol
-
What about Amazon Appstore? It could be a really good alternative to Google's Play Market in the view of no Google services installed.
-
@Darek-Hamann said in Android apk repository?:
What about Amazon Appstore? It could be a really good alternative to Google's Play Market in the view of no Google services installed.
It is an alternative, but Amazon is known for quite a bit of tracking themselves. It may meet his need though.
-
@Pete-S
Aptoide is a good start but made for personal usage.
But if I were you I would unify my smart phones, install google play on mine and export APKs and put them on a shared location, cause you only need like a couple of them.
That said Google has a good AV security feature and you don't want to put something that can install apps and handing it over without securing it.
Oh I recall I installed all phones with 1 account, it was nice to track stolen phone but contacts synced on all phones and bite me back in the
-
@Emad-R said in Android apk repository?:
@Pete-S
Aptoide is a good start but made for personal usage.
Aptoide is not really a good solution. So much known malware and bad apks. I would avoid it at all costs. If you are looking for a free pro version of something this is where people try to go. Most of the time they just end up with malware.
Aptoide does check some apps (which they note), but definitely not all.
-
@Emad-R said in Android apk repository?:
@Pete-S
But if I were you I would unify my smart phones, install google play on mine and export APKs and put them on a shared location, cause you only need like a couple of them.
That said Google has a good AV security feature and you don't want to put something that can install apps and handing it over without securing it.
Oh I recall I installed all phones with 1 account, it was nice to track stolen phone but contacts synced on all phones and bite me back in the
This functionality is built in to Aurora Store. You can actually use your Google creds and download APKs that you legitimately paid for DIRECTLY. Aurora Store is essentially a Google Play client that passes default creds (unless you enter your own). So the apks you are downloading are directly from Google.
Yalp Store also has this ability, but uses only default creds. I don't believe you can use your own Google creds on Yalp.
-