Obtainium overview | My favorite way to track Open Source apps

published 2023-03-20 · updated 2023-03-20 #apps #fdroid #security #android
Using an RSS reader is a popular way to track OSS apps directly from their source. Obtainium automates this process and simplifies it.

Transcript

Please excuse any grammatical errors. I used a tool to generate the transcript and haven't had a chance to read through it yet. ✔️

Six months ago, I made a few videos on F-Droid and why you should stop using it. Shortly after the release of those videos, someone sent me a project on GitHub that says in the readme it was motivated by one of those videos. I didn't start using it then, but I kept an eye on the project.

Now, just over six months later, the project has over 900 stars on GitHub, and it has come a long way, to say the least.

In my original video, I covered how you could manually add the source for APKs you wanted to track and download to an RSS reader. While this method did work, it was cumbersome.

The app I'm talking about today is Obtainium, and it aims to automate the process of tracking and updating apps. While it doesn't solve the inherent problem with F-Droid and third-party app repositories, I do think it provides some viable alternatives to help reduce or even eliminate some of those concerns. As always, you should use my advice and experience as a starting point for your own research. Make sure to test and validate everything you hear, especially if you are considering using it.

I'm going to cover a few use cases and then talk about my experience the last two weeks using Obtainium on my main device, a Pixel 7. The demo you see today will be from my testing device, which is a Pixel 6A.

So, to obtain Obtainium, we're going to head on over to the official GitHub page. All links will be down below in the description box.

So, we're going to open up our browser and search for Obtainium GitHub. And this first one here is the one we want. And if you scroll down, we're going to select the "Get it on GitHub" under installation. We're going to expand the assets, and the one we want to select for the Google Pixel is the "app-arm64-v8a."

Select that, download anyway. Once that finishes, select "Open." If you've never used your browser to install an app before, you'll have to allow this permission. Once you see the install window pop up, select "Install."

Done, and we have now obtained Obtainium. You should now see it on your home screen, or if you swipe up, it should be in your app drawer. Ignore the X Recorder; I've had some issues with the built-in Android screen recorder, so I'm trying a different one.

You can now open the app, allow notifications. Notifications are done locally, so there's no need for Google Play services for notifications to work.

And I first want to start off by saying how refreshing it is to use an open source app that took design into consideration. I've noticed a lot of times that aesthetics is an afterthought, which is fine, but I think it hurts long-term adoption. I personally have motivation from a security and privacy perspective to use an app, even if the interface is less than ideal. Others who might not have as strong of a motivation to use an app could get quickly turned off by its looks.

So when I first opened Obtainium, I was pleasantly surprised by the design. The developer is very active on this project, so what you see on my screen right now might not be what you see if you're watching this video in the future, but the general overall concept should be the same.

Going through the interface, the first option is the apps. This is our apps list that we're tracking. Obtainium is added here by default so it can track and update itself, so that's pretty handy. We have add app, which we'll come back to shortly. Then we have import/export. If you're currently using an RSS reader like I talked about in my previous videos, there's an option here to import from URLs and files like OPML. The main export type I had from the Repla app was OPML for its backups, so you could perform an export from that and import it to Obtainium. I didn't test this functionality; I just manually added the apps that I wanted. You can also perform an Obtainium export, so once you get everything set up, that's handy. You can export it, save it, and then if you switch devices or your phone gets lost or stolen, you can always import that backup so you don't need to set it up all over again.

The last option on the bottom is settings. I just left this set to the default, but feel free to change anything you might want.

Now let's add our first app. So select add app. We can see down here listed are the supported sources, and if we look next to GitHub and Codeberg, those are labeled as searchable. So in the second box here, we can search for an app. In this case, I'm going to search for NewPipe because that's on GitHub. Search, so you're going to be presented with a lot of results, especially for a project that's popular. But this first one here is the official one, Team NewPipe. Just to be safe, I always suggest that you check first to validate that it is the correct one. So let's go to that repo. We can see here, this is the correct one, the official NewPipe. So once you validate that, we're going to go back, select the first one, and then press pick.

There's a separate section for additional options for GitHub. The first one is to include pre-releases. By default, you should leave this unchecked.

Prereleases technically aren't releases that you should be using, so that's why it's left unchecked by default. The next option is fallback to older releases, and that is enabled by default. This option is for when developers on GitHub do not do the releases correctly and, for example, have one release for iPhone and one for Android. If those are listed as separate releases and the iPhone one was published most recently, Obtainium will see, when it checks what the latest version is, that there's no Android APK available to install. This option lets it fall back to an older release, which would be the Android version, and you can then update to that.

That probably sounds confusing, so just leave that enabled like it is. There's another option here to filter release titles by regular expression. Again, this is for edge cases. I haven't needed this yet for any of the apps I'm tracking on my main device. The last option down here is track only, and what this will do is just track the app and not actually try to download the updates and let you install them. I leave this disabled because I want Obtainium to download the APKs for me so I can install them. Standard version detection I just leave set to the default. So those are the options that are listed.
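As an added example (my own re-implementation, not Obtainium's code), the four GitHub options just described can be expressed as a small selection routine over a constructed, newest-first list of releases in the shape of GitHub's releases API; `pick_release`, `pick_apk` and the sample data are assumptions for illustration.

```python
import re

# Constructed sample shaped like GitHub's releases API output (newest first).
# Not real NewPipe data; the iOS-only release mimics the "one release per
# platform" layout that the fallback option exists for.
RELEASES = [
    {"tag_name": "v1.2.0-beta1", "name": "v1.2.0 beta 1", "prerelease": True,
     "assets": [{"name": "app-arm64-v8a-release.apk"}]},
    {"tag_name": "v1.1.0-ios", "name": "iOS v1.1.0", "prerelease": False,
     "assets": [{"name": "App.ipa"}]},
    {"tag_name": "v1.1.0", "name": "v1.1.0", "prerelease": False,
     "assets": [{"name": "app-armeabi-v7a-release.apk"},
                {"name": "app-arm64-v8a-release.apk"},
                {"name": "app-universal-release.apk"}]},
    {"tag_name": "v1.0.0", "name": "v1.0.0", "prerelease": False,
     "assets": [{"name": "app-universal-release.apk"}]},
]


def pick_release(releases, include_prereleases=False,
                 fallback_to_older=True, title_regex=None):
    """Return (tag, [apk asset names]) for the newest usable release, else None."""
    pattern = re.compile(title_regex) if title_regex else None
    for rel in releases:  # newest first
        if rel["prerelease"] and not include_prereleases:
            continue  # "include pre-releases" unchecked: skip betas
        if pattern and not pattern.search(rel["name"]):
            continue  # "filter release titles by regex" did not match
        apks = [a["name"] for a in rel["assets"]
                if a["name"].lower().endswith(".apk")]
        if apks:
            return rel["tag_name"], apks
        if not fallback_to_older:
            return None  # latest release has no APK and fallback is off
    return None


def pick_apk(apks, abi="arm64-v8a"):
    """Prefer the asset for the device ABI, then a universal build."""
    for name in apks:
        if abi in name:
            return name
    for name in apks:
        if "universal" in name:
            return name
    return apks[0] if len(apks) == 1 else None
```

With the defaults, the iOS-only release is skipped and v1.1.0's arm64-v8a APK is chosen; turning fallback off makes the same list yield nothing, which is the situation the option exists to avoid.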

We can now select Add. Obtainium needs permission to install unknown apps, so allow from this source. Let's go back. You'll see this screen next. We can see latest version 0.25.0, installed version none. I want to install it. Install, done. And now if we go back to our apps list, we can see NewPipe is now here and being tracked: latest version 0.25, installed version 0.25. Nice clean interface, and as expected, NewPipe is installed.

So, I know that took a few minutes to go through and talk about, but in reality, it only takes 30 seconds to add an app, and now in the future, Obtainium will check for updates in the background and notify you when they are available. As always, you should be skeptical of anything open source or any app for that matter, especially something that will be installing apps on your behalf or for you. So one extra precaution that you can take is to install the app manually first from the source, and then add it to Obtainium. When you install an app, Android pins the certificate and enforces signature checks for app updates, so even if something malicious was happening with Obtainium, it wouldn't be able to install a malicious app update because the signature check would fail.

So as an example, let's go ahead and install DAVx5. I know their source code is on GitHub, so I'm going to search for that. I know this is the official repo for it. I'm going to go to the releases and download the latest one. Let's open and install that.

So now at this point, DAVx5 has been installed. We downloaded it from the trusted source that we know; therefore, the certificate has been pinned by the OS. So any updates that are installed, either manually by us or using Obtainium, must pass the signature check, which means that the APK is signed by the developers. We can see DAVx5 was installed. Let's now add it to Obtainium. We just copy this URL, go back to Obtainium, add app, paste in the URL, select add. We can see that it found that DAVx5 is installed: latest version 4.3, installed version 4.3.

There are no updates to install. So now, if we go back, then go back to the apps list, we can see that DAVx5 is listed there. We installed it from a trusted source, and now we're going to let Obtainium handle any future updates.

There are a few other caveats or features that I want to go over. So, going back to the "add app" option, we can see here that Mullvad and Signal are both listed as sources. If we select one of those, say Mullvad, which publishes their APK on their website, we can just copy this, and Obtainium on our behalf will find the APK for us and download it.

Select "add," and we can see in the background it's downloading Mullvad VPN. So it's pretty handy that the developer went ahead and built in this functionality for us already. Even though we're not actually adding the exact page the APK is on, for the apps listed there, in this case Mullvad and Signal, the app automatically knows where to look. It takes a good minute to finish.

Once it finishes, we're prompted to install. Now, if we go back to the apps list and refresh, we can see Mullvad is shown here and being tracked.

Just to show an example of what updates look like, I went ahead and installed an older version of NewPipe. You'll receive a notification, and then when you go inside the app, you'll see a notification next to the app that needs to be updated, in this case NewPipe. Select the purple download icon, and you can see the download. So Obtainium went ahead and downloaded the APK for us. We now select "update," and NewPipe was successfully updated.

One of the easiest ways to find where the source code for an open-source app is hosted is to use the F-Droid website. So if we go to f-droid.org in our browser, scroll down, and search for NewPipe as an example, the second one is the one we want.

To access the source code for the application, we need to scroll down to the section above the donate button and click on the link to the source code. By examining the URL, we can see that the source code is hosted on GitHub. If we scroll down further to the releases section, we can see that NewPipe publishes their APK on GitHub, which means Obtainium can download it from there.

Returning to f-droid.org, we can find that some developers only publish the APK on F-Droid, even if they have already published the source code on GitHub. As an example, let's search for a productivity app that starts with "Good Time," which is the fifth one down. Looking at the source code, we can see that it is also hosted on GitHub. However, when we scroll down to the releases section, we notice that they do not publish the APK on GitHub; only the source code is available. In this scenario, our only option is to return to F-Droid, copy the F-Droid link, and paste it inside Obtainium.

After adding the app and pasting the F-Droid URL, we can see that Obtainium found the app and we can proceed to install it. Upon returning to our list of apps, we can see that Productivity is now installed, and it shows that it is signed by F-Droid.

Using Obtainium is still a better option than the official F-Droid app because it avoids some of the shortcomings mentioned in the previous video, such as targeting out-of-date SDKs. Although the process might seem complicated, it is relatively simple once you go through the steps yourself. It has made the process of downloading, installing, and updating apps much more accessible for the past two weeks, and the update functionality and tracking have worked flawlessly. The experience so far has been enjoyable, and the plan is to continue using it.

However, there are a few limitations to be aware of that are listed on the GitHub readme. The first one is that app installs occur asynchronously, and the success or failure of an install cannot be determined directly. This results in install statuses and versions sometimes being out of sync with the OS until the next launch or until the problem is manually corrected. If you notice any unusual behavior, close the app and relaunch it.

The second limitation, which will be revisited later, is that automatic unattended updates are unsupported due to the lack of a capable Flutter plugin. Also, for some sources, data is gathered using web scraping, which can easily break due to changes in website design. In such cases, more reliable methods may be unavailable, and scraping is an unreliable way to gather data. If you have ever used NewPipe and noticed that it broke randomly because YouTube changed its layout one day, that is a similar situation to what the developer is describing here. It is not the app developer's fault, but rather the nature of web scraping.

Regarding the second limitation mentioned above, before making this video, the app developer was contacted to see if there was anything specific they wanted to mention. They requested that any Android developers watching the video take a look at issue number 25, linked below, to help complete the auto-update feature before releasing version one of Obtainium. Contributions to help with that would be greatly appreciated.

Overall, using Obtainium has been a great improvement and has made the manual tracking process much more efficient. Although it is not a solution to the underlying problems that still exist, it is a step in the right direction. The plan is to continue using it, and there are no plans to go back to the RSS reader method.

And while it's not a solution to the underlying problems that still exist, which I covered in my previous videos, it is a great improvement and makes the manual tracking process much more efficient. So, I hope you enjoyed this video. If you did, check out this top one here, and the bottom one has been automatically selected for you.