@foss In reference to this post: https://lemmy.ml/post/6374732

For Molly, I kept seeing this popup by Google when downloading Molly FOSS from F-Droid.

Should I be concerned? What should I do to ensure I am downloading Molly from a trusted source if F-Droid isn’t an ideal place (due to misleading names as depicted in the referenced post)?

  • Ganbat@lemmyonline.com · English · 21 upvotes · 10 months ago

    This is kinda like Windows with the “We don’t recognize this application” message. Letting it scan will probably just help other users avoid this annoyance in the future. You can also shut off Play Protect from the Play Store settings.

  • Otter@lemmy.ca · English · 17 upvotes · 10 months ago

    Play Protect gives a lot of false positive warnings for me, and I usually just ignore them.

    F-Droid is one of the safest, but you may need to go into settings -> repositories to check which repos are being used. What is checked off when you do that?

    • brie@beehaw.org · 6 upvotes · 10 months ago

      The repo a specific app comes from can also be checked by opening the list of versions, then clicking on one of the versions to show the details.

  • appel@whiskers.bim.boats · 13 upvotes · 10 months ago

    Of course, Google is trying to dissuade you from using other app stores, nothing more. You might be able to download and install it from GitHub using Obtainium if you really want to verify the origin of the app.

    • xor@lemmy.blahaj.zone · English · 14 upvotes · edited · 10 months ago

      Eh, I think there’s definitely some legitimacy to doing a virus scan for applications with unrecognised signatures.

      Not everyone knows how to (or even can for many apps) manually verify the authenticity of their APKs.

      And plenty of non-technical people will just install random shit from the internet without thinking.

  • Skull giver@popplesburger.hilciferous.nl · 10 upvotes · 10 months ago

    I get this message every time I install an application with a different signature than the one on the Play Store.

    F-Droid builds and signs apps themselves, so the signatures will always be different (Google wouldn’t allow you to upload an F-Droid signed APK even if you tried, they require you to let them do the signing process for you).

    I think “we have known good signatures for this app and this isn’t one of them” is a fair way to detect modified APKs (i.e. copies from shady download websites that often stuff them with malware). Google should find a way to whitelist open source signatures like those of F-Droid, though. Their current approach is causing a lot of false positives.

    If you downloaded the app off a reliable place, you shouldn’t be worried. Maybe double check the repositories configured in F-Droid if you’re concerned, but if you’re using the official ones there’s no direct cause for concern.

    You can also try uploading the app to virustotal.com to see what other virus scanners are saying, just in case.
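
The manual check that xor and Skull giver refer to, comparing an APK's signing certificate against a known-good fingerprint, can be scripted around `apksigner` from the Android SDK build-tools. This is an added example, not part of the thread; the function names, the sample output and the fingerprint are constructed placeholders, and a real pin has to come from the app's publisher.

```shell
#!/bin/sh
# Added example: pin an APK's signing certificate by SHA-256 fingerprint.
# The input format is what `apksigner verify --print-certs` (Android SDK
# build-tools) prints. Fingerprints below are CONSTRUCTED placeholders.

# Strip colons/whitespace and lowercase, so "AB:CD" and "abcd" compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# stdin: apksigner output; stdout: one SHA-256 digest per signer.
signer_digests() {
    sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: *//p'
}

# check_signer PINNED_FP < apksigner-output
# 0 = single signer matching the pin, 1 = different signer,
# 2 = no signer line or more than one signer (refuse to guess).
check_signer() {
    pinned=$(normalize_fp "$1")
    digests=$(signer_digests)
    [ -n "$digests" ] || { echo "no signer certificate in input" >&2; return 2; }
    count=$(printf '%s\n' "$digests" | grep -c .)
    [ "$count" -eq 1 ] || { echo "expected 1 signer, found $count" >&2; return 2; }
    found=$(normalize_fp "$digests")
    if [ "$found" = "$pinned" ]; then
        echo "OK: signer matches pinned fingerprint"
    else
        echo "MISMATCH: APK is signed by $found" >&2
        return 1
    fi
}

# verify_apk FILE PINNED_FP: real-world entry point (needs apksigner on PATH).
verify_apk() {
    out=$(apksigner verify --print-certs "$1") || return 2
    printf '%s\n' "$out" | check_signer "$2"
}

# Constructed sample of apksigner output and a matching pin in colon form.
SAMPLE_FP=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SAMPLE_OUTPUT="Signer #1 certificate DN: CN=Example Publisher
Signer #1 certificate SHA-256 digest: $SAMPLE_FP"
SAMPLE_PIN=$(printf '%s' "$SAMPLE_FP" | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//')

printf '%s\n' "$SAMPLE_OUTPUT" | check_signer "$SAMPLE_PIN"
```

Pin the fingerprint published by whoever signs the build you actually install: as the comment above notes, an F-Droid-signed build and a Play Store build of the same app carry different signatures.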

  • BearOfaTime@lemm.ee · 3 upvotes · 10 months ago

    This BS is one of the last straws pushing me away from Google.

    Running DivestOS, you can install MicroG as a user app in a secondary profile. So it runs only when you want it to. You can install Play Store there too, and again it only runs when you want it to.

    That should limit this nonsense until I can replace my paid for apps with something else.

    Shut up Google. Most malware comes from the Play Store.

  • monkE@feddit.ch · 2 upvotes · 10 months ago

    It’s fine if you downloaded it from the official place. Sometimes warnings are shown for apps which are patched or forked from the original. If it’s the official place then don’t worry.