Cleanapk.org security

I can’t find much info on cleanapk.org.

How do they get apks? Who submits/maintains them? How do I know the apks haven’t been tampered with?


2 Likes

See the Security section at https://info.cleanapk.org/.

Apart from that … You just discovered why a number of /e/ users use F-Droid and Aurora Store instead of the /e/ Apps installer :wink: .

3 Likes

It has been said: to be sure, you have to compare the apk files.

There is a FAQ on Apps here

2 Likes

the FAQ says “Apps are checked either using a PGP signature check, or a checksum.” – who does that?

I should have said that I have of course read info.cleanapk.org. But have found zero other sites talking about it.

Aurora Store gets apks directly from the Google Play Store, is that correct? I guess I can consider that more secure but less private?

“Who are they?” and “Who owns them?” are both good questions :slight_smile: All I can find out is

  1. They are ‘not affiliated in any manner with Google or Google Play’ - this is what they say on their only visible web page, so it must be true :wink:
  2. The domain registrant is based in the Ile-de-France region of France (according to the only unredacted information at https://whois.gandi.net/en/results?search=cleanapk.org)
  3. Their servers are based in Germany, according to https://cleanapk.org.ipaddress.com/

So they may be secure, and they may ‘support Privacy & Freedom’, but they don’t seem interested in openness or transparency. So they don’t get my business :slight_smile:

1 Like

Correct. It’s an Open Source client for the Google Play Store.

Aurora Store lets you get the Apps with its own Google account, so you can stay anonymous in that regard.
Using your own Google account is optional (though it may be needed to get paid Apps or Apps restricted in availability to your region).

It is now possible again to get Anonymous access to region-restricted apps: see this post for details (though, in my experience I didn’t need to use a VPN, just enable the Insecure anonymous session setting)

2 Likes

:point_up_2: Is this not the same process used by Divest/Hypatia? :point_down:

That would be cool if it is the case as I installed hypatia after reading about it on the divestos thread

@rainwalker Sorry, maybe my question wasn’t clear. If I am not mistaken you are being critical of how the /e/ app store processes .apks, correct? (" ‘Apps are checked either using a PGP signature check, or a checksum.’ – who does that?") My question is, isn’t a similar/same process used by Divest/Hypatia looking for malicious apps? Please see my screenshot posted above, “Checked all SHA/MD5…”.

Ah, lol, no my question was genuine - as in, who is checking the app signatures, the /e/ team or the cleanapk team. I’d feel better if the /e/ team were doing it.

On a separate note, your screenshot shows Hypatia successfully checked MD5 hashes, but mine always fails to find the MD5 database. Do I need to also select the large database in settings?

1 Like

39 posts and we arrived at no answer! :slight_smile:

2 Likes

I use the default databases and have not adjusted. :+1:

I currently use F-Droid (with a few added repositories) and Aurora (for a couple apps Sandboxed using Shelter) only. But yes agreed, it would be nice if team /e/ was verifying themselves, that seems to be a large task.

My bad on misinterpreting your original post, sorry. I now see my error. :man_facepalming:

To further explain, App Store performs some sanity checks here based on information received from cleanapk. It verifies the shasum for Google apps and the PGP signature for F-Droid apps. App Store cannot directly verify the signature of Google apps because there is no reliable service which can provide this info, so it relies on cleanapk. We are trying to improve this process though.
Also, as mentioned previously, if there is a better option of an application store which caters to all users - those who want FOSS only and those who want apps they used on stock ROMs - then we will be more than glad to use it. Of course it would still require a lot of customization of code to adapt it to work seamlessly on /e/OS.

1 Like
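The checksum check described in the post above, as an added example (not the /e/ App Store’s or cleanapk’s code): it verifies an APK against a published digest and records where that digest came from, because a digest served by the same host as the APK only proves the download arrived intact, not that the host’s copy is the original. The source labels and the sample APK bytes are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Hex-digest length -> algorithm; MD5/SHA-1 are flagged because collisions are practical
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
_WEAK = {"md5", "sha1"}

@dataclass
class Verdict:
    algorithm: str
    digest_ok: bool
    independent: bool   # reference digest came from somewhere other than the APK host
    weak_algorithm: bool
    meaning: str

def file_digest(apk_bytes: bytes, algorithm: str) -> str:
    """Hash in 64 KiB chunks so real APKs (tens of MB) don't need a second copy in memory."""
    h = hashlib.new(algorithm)
    for i in range(0, len(apk_bytes), 65536):
        h.update(apk_bytes[i:i + 65536])
    return h.hexdigest()

def verify_apk(apk_bytes: bytes, expected_hex: str, digest_source: str, apk_source: str) -> Verdict:
    expected_hex = expected_hex.strip().lower()
    algorithm = _ALGO_BY_LEN.get(len(expected_hex))
    if algorithm is None:
        raise ValueError("unrecognised digest length %d" % len(expected_hex))
    ok = hmac.compare_digest(file_digest(apk_bytes, algorithm), expected_hex)
    independent = digest_source != apk_source
    weak = algorithm in _WEAK
    if not ok:
        meaning = "digest mismatch: file corrupted or altered since the digest was published; do not install"
    elif not independent:
        meaning = ("matches the host's own digest: this proves only an intact download; "
                   "an APK replaced on the host together with its digest would pass")
    elif weak:
        meaning = "matches an independent digest, but %s is collision-prone; prefer SHA-256" % algorithm
    else:
        meaning = "matches an independently obtained digest: substitution at the host would be detected"
    return Verdict(algorithm, ok, independent, weak, meaning)

# Constructed stand-in for an APK body (real APKs are ZIP archives starting with "PK")
SAMPLE_APK = b"PK\x03\x04" + b"constructed sample apk body " * 200
SAMPLE_SHA256 = file_digest(SAMPLE_APK, "sha256")

if __name__ == "__main__":
    for src in ("fdroid.org index", "cleanapk.org"):
        print(src, "->", verify_apk(SAMPLE_APK, SAMPLE_SHA256, src, "cleanapk.org").meaning)
```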

Perhaps /e/ could host their own application store along the same lines as Cleanapk. At least we know who owns and runs /e/. Or, as a major user of cleanapk’s APIs, /e/ could ask Cleanapk to be more open and transparent about who they are.

I’m relatively happy that the apks from Cleanapk, that /e/ serves up via Apps, are safe and haven’t been tampered with (I’ve not heard of any problems with them), but I really don’t like doing business with organisations that try to hide their ownership and/or location. It makes me wonder what else they have to hide.

/e/ can’t do that because it is illegal; you can’t redistribute, as stated in Google’s ToS. So I think they are lucky they have found cleanapk :wink:

If it’s illegal for /e/ to do it then surely it’s illegal for cleanapk too? So /e/ won’t break the (unspecified) law, but they’re happy to use an anonymous company that will break the (unspecified) law. Not a lot of difference that I can see.