Syncthing (Catfriend1) on Android

A few questions about syncthing installation on Android:

1. I see there is not “official” app for Android, but the recommended installation in this forum seems to be GitHub - Catfriend1/syncthing-android: Syncthing-Fork - A Syncthing Wrapper for Android.. How trustful is Catfriend1? If it is the way to go, why syncthing do not let us know in their download website that this repository is the way to go?

2. if I am installing the apk from their github repository by Obtanium, I would like to check the apk hash. Where can I get that? The hash should be published elsewhere and not only in the github repository. So I can verify by AppVerifier.

Thanks

The f-droid repository provides a hash for each built apk to verify.

E.g. https://f-droid.org/repo/com.github.catfriend1.syncthingandroid_1290300.apk.asc corresponds to https://f-droid.org/repo/com.github.catfriend1.syncthingandroid_1290300.apk

While the Fork isn’t mentioned on the official Downloads page explicitly, it is listed inside the community contributions in the official Documentation. If it wasn’t trustworthy, it wouldn’t be there.

image1671×514 72.9 KB

Firstly, many thanks for your app. I am happy user for years.

My questions come now because I am getting a bit more concern about security, and giving I have a lot of trust on your app (network and files permissions):

Can I find somewhere the “APK signing key hash”? so I am able to check your apk by AppVerifier, GitHub - soupslurpr/AppVerifier: Verify apps easily.

Thanks

I haven’t seen that. Thanks for pointing it out.

Hashes are here: https://github.com/Catfriend1/syncthing-android/wiki/Switch-between-releases_Verify-APK-is-genuine

AppVerifier uses SHA-256 hash. You don’t publish this hash anywhere, right?

4c653ef8-890b-4b6e-a55a-e1c713fd5b341080×2400 226 KB

Someone asked this before. Short answer: no, but feel free to add it to the wiki as well for reference .