I’ve looked through Obtainium source code a while back and there seems to be no hash verification whatsoever. Looks too susceptible to supply chain attacks to me.
I don’t like that Aurora Store sends a list of installed applications to Google and the only way to stop it is to blacklist.
Is there an option that combines multiple sources together like Obtainium but contains automatic hash verification for added security (I am aware updates are protected by Android)? Something I can use to download non-FOSS apps from a mirror but make sure it’s the APK from the Play Store?
I’m going to parrot what people in the GrapheneOS community would say: “The most secure place to get apps from is Accrescent. If an app isn’t available there, the next best place is the Play Store itself with an anonymous Google account.” Some bother to add that Obtainium+AppVerifier can be used if it isn’t available for either of those methods. Anyways, they’re very stingy about where they get their apps from.
Here is my take: Despite claims of F-Droid and Aurora Store having security issues, I don’t care. It’s based on your threat model and personal preference. Google may soon be forced to open up Play Store apps to more third parties, so more secure methods of getting them may crop up in the future. You’ll really never have a 100% private way to get apps, that’s the unfortunate reality of how things are. If your threat model is against Google and supply chain attacks, those limit your options down to some less-than-convenient methods. If you do decide to use AppVerifier, do note that you only need to verify the hash once and you’re good for the rest of your phone’s life.