I’ve looked through Obtainium source code a while back and there seems to be no hash verification whatsoever. Looks too susceptible to supply chain attacks to me.
I don’t like that Aurora Store sends a list of installed applications to Google and the only way to stop it is to blacklist.
Is there an option that combines multiple sources together like Obtainium but contains automatic hash verification for added security (I am aware updates are protected by Android)? Something I can use to download non-FOSS apps from a mirror but make sure it’s the APK from the Play Store?
If you’re really paranoid about it, you can download AppVerifier and have Obtainium automatically send the downloaded apk to it and verify the sums before installing
that’s still a manual process for most apps I’ve tried