zlacker

[return to "F-Droid Fake Signer PoC"]
1. CountH+37 2025-01-03 23:46:16
>>pabs3+(OP)
Guess I'm immediately uninstalling F-Droid. That chain of events looks really poor for them.
2. Larrik+Oc 2025-01-04 00:44:57
>>CountH+37
And using what instead?
3. CountH+bp 2025-01-04 02:45:17
>>Larrik+Oc
Nothing. I'll sideload what I need to. I didn't find it that useful.
4. yjftsj+xG 2025-01-04 06:38:19
>>CountH+bp
Okay, but sideloading is worse? AFAICT the problem we're discussing was in F-Droid doing extra verification (somewhat incorrectly, apparently) of an APK before handing it to Android to install. Regardless of F-Droid, Android will check signatures on updates against the installed version. So your response to F-Droid imperfectly checking signatures as an extra verification on first install... is to skip that entirely and do zero verification on first install? That's strictly worse for your security.