
Yes, but:

- it's harder to trust apkpure than aurora

- apkpure has a lot of ads

- apkpure has some outdated packages

- apkpure is missing packages



> it's harder to trust apkpure than aurora

All APKs are signed, so if you don't trust apkpure to check the certificates, you can check the certificates yourself.


Why is Aurora more trustworthy?


The aurora client is open source, and you can see it fetches directly from the app store.

apkpure is proprietary and stores the APK on an intermediary opaque server. So basically they can inject pretty much anything into the packages you install, and it's much harder to check than aurora if they do.


> and it's much harder to check than aurora if they do.

APKs are fundamentally extended JARs so you can easily check if an APK has been tampered with using standard Java tools [1].

[1] https://stackoverflow.com/questions/7104624/how-do-i-verify-...


APKs from the google play store are signed by the developer. Apkpure would not be able to change the APKs without resigning the file, something that would be trivially detectable against an authentic APK.


This is no longer true as of 2021. You as a Google Play user, with very limited exceptions (see next paragraph), have no assurance whether you've received the mobile application bundle (.aab) the developer intended you to have, nor are you receiving the same application bundle everyone else in the world receives. Signatures controlled by Google are now used to sign the application bundle sent to each device [1]. It's not quite as bad (yet) as the Apple situation, but not far off.

For a security-conscious developer such as Signal, who publish an APK (.apk) and signatures publicly [2], a user with a rooted device could theoretically unpack the official application bundle received from the Google Play Store and check that the executable code and resources match those in the publicly available APK. Or just not use the Google Play Store and obtain your applications directly from the developer or an intermediary you place more trust in.

[1] https://developer.android.com/studio/publish/app-signing

[2] https://signal.org/android/apk/


It's no longer true that APKs are signed by the developer, but it is still true that they are signed in such a way that a third-party APK mirror site could not tamper with the file without being detectable.

Google could have tampered with the file before the mirror site got it, but you can verify that whatever a mirror site is offering was signed by them.
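An added example (not from any commenter) of the check described in this subthread: it runs apksigner from the Android SDK build-tools over a mirror-downloaded APK and a trusted reference copy, and compares the SHA-256 digest of every signer certificate, so a re-signed or modified file is flagged. It assumes apksigner is on PATH; the file names and the sample output in the comments are constructed, while the parsed line format is apksigner's own.

```python
"""Compare the signing certificate(s) of a mirror-downloaded APK against a trusted reference."""
import re
import subprocess
import sys

APKSIGNER = "apksigner"  # assumption: Android SDK build-tools on PATH

# `apksigner verify --print-certs` emits one such line per signer, e.g.
#   Signer #1 certificate SHA-256 digest: <64 hex chars>
DIGEST_RE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-fA-F]{64})$", re.MULTILINE
)


def parse_signer_digests(print_certs_output: str) -> dict[int, str]:
    """Map signer index -> lowercase SHA-256 digest of that signer's DER certificate."""
    return {int(i): h.lower() for i, h in DIGEST_RE.findall(print_certs_output)}


def apk_signer_digests(apk_path: str) -> dict[int, str]:
    """Verify the APK's signature scheme(s) (v1-v4) and return its signer digests.

    apksigner exits non-zero when the signature does not verify, which already
    catches a repacked or edited APK. A file re-signed by a third party verifies
    fine, but then shows up below as a different certificate digest.
    """
    proc = subprocess.run([APKSIGNER, "verify", "--print-certs", apk_path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        raise ValueError(f"{apk_path}: DOES NOT VERIFY\n{proc.stderr.strip()}")
    digests = parse_signer_digests(proc.stdout)
    if not digests:
        raise ValueError(f"{apk_path}: verified, but no signer certificate reported")
    return digests


def same_signers(reference: dict[int, str], candidate: dict[int, str]) -> bool:
    """True only when the candidate carries exactly the reference signer set."""
    return bool(reference) and reference == candidate


if __name__ == "__main__":
    # usage: python check_apk_signer.py trusted-reference.apk mirror-download.apk
    ref, cand = (apk_signer_digests(p) for p in sys.argv[1:3])
    print("same signing certificate(s)" if same_signers(ref, cand)
          else f"SIGNER MISMATCH\n reference: {ref}\n candidate: {cand}")
```

With Play App Signing, the certificate on a Play-distributed APK is Google's, not the developer's upload key, so the reference must come from the same channel (or be the fingerprint the developer publishes) for the comparison to mean anything.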


Where would you get one of those to compare against?


There are browser extensions for Chrome and Firefox that let you get the APK, and probably other ways too if you search.


> The aurora client is open source, and you can see it fetches directly from the app store.

Am I correct to assume that you have to compile it yourself in order to keep this trust? Otherwise, there's no way to know if the binary being distributed alongside the source fetches from the same place, and we're right back to untrusted apps.


F-Droid compiles it, not Aurora themselves. So you just have to trust F-Droid (which I do).



