Obtainium: Auto-Update FOSS Android Apps Without a Store
Obtainium pulls signed APKs directly from GitHub, GitLab, Codeberg, and 30+ other sources, notifying you when updates are available and installing them through Android's standard PackageInstaller, no intermediary store required.
Nora Andersen June 1, 2026
If you care about app provenance and want to stay current with FOSS releases, you have probably already weighed F-Droid against the Play Store. But there is a third path that is increasingly popular among power users: pulling APKs directly from upstream release pages - GitHub, GitLab, Codeberg, and others - with automatic update checks. That is exactly what Obtainium does. It is a free, open-source Android application manager that monitors release sources you define, notifies you when a new version appears, and installs it through Android’s standard PackageInstaller without any intermediary repository.
What Obtainium Is and How It Works
Obtainium is maintained by ImranR98 and lives at github.com/ImranR98/Obtainium. The project describes itself as a way to “get Android app updates directly from their source.” In practice, this means you add an app by pasting its upstream URL - a GitHub repository, a GitLab project, a Codeberg page, an F-Droid repo endpoint, an APKPure page, or one of more than 30 supported source types - and Obtainium takes care of polling for new releases.
When a new release is detected, you receive an in-app or system notification. Tapping it downloads the APK from the source URL and hands it to Android’s PackageInstaller. The OS performs its own signature verification before the install completes. Obtainium never touches the APK content itself.
The app stores a JSON export of all your configured sources, which doubles as a backup and a migration tool. You can import that file on a new device and rebuild your entire FOSS app library in a few minutes.
Installation and Initial Setup
Obtainium is available in two ways:
- F-Droid - search for “Obtainium” in the main F-Droid repository or add the IzzyOnDroid repo (apt.izzysoft.de/fdroid/repo) for faster updates.
- GitHub Releases - download the latest app-release.apk from github.com/ImranR98/Obtainium/releases. Importantly, you can then add Obtainium itself as a source inside Obtainium, so it updates itself.
Before adding any sources you need to grant the “Install unknown apps” permission to Obtainium. On Android 8 and later this is a per-app permission found at Settings - Special app access - Install unknown apps. On GrapheneOS, the permission is scoped to the Obtainium sandbox and does not propagate to other apps.
You should also decide on a background update interval. The default is every six hours, which is reasonable. The check runs as an Android background job, so it is subject to battery optimisation. If Obtainium is not notifying you about updates, add it to the battery optimisation exemption list.
Adding Your First App
The workflow for adding an app is straightforward:
- Open Obtainium and tap the + button.
- Paste the upstream URL - for example https://github.com/bitwarden/android for Bitwarden or https://github.com/signalapp/Signal-Android for Signal.
- Obtainium identifies the source type automatically and fetches the latest release metadata.
- Review the detected version and APK filename. If multiple APK assets are attached (common for multi-architecture releases), configure the APK filter.
- Tap Add to save. Obtainium will show the current version and the source URL in your app list.
For apps on GitLab or Codeberg the process is identical - paste the project URL. For F-Droid-hosted apps you can paste either the F-Droid app page URL or the direct repo endpoint.
APK Filtering and Build Variants
Many FOSS projects publish several APK variants in each release: one per CPU architecture, one with and without Google Play Services dependencies, or a “fdroid” flavour stripped of proprietary analytics. Downloading the wrong one wastes space and may fail to install.
Obtainium exposes a filter field that accepts a regular expression matched against asset filenames. Common patterns:
| Use case | Regex pattern |
|---|---|
| arm64 devices only (most modern phones) | arm64-v8a |
| Universal APK (works on any ABI) | universal |
| F-Droid flavour (no analytics) | fdroid |
| Exclude split APKs | ^(?!.*split) |
| Prefer a specific version suffix | release$ |
If you are unsure of your device’s ABI, run adb shell getprop ro.product.cpu.abi (see ADB commands for Android power users for a full reference). Most devices sold after 2017 are arm64-v8a.
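A filter can be dry-run against a release's asset names before it is saved. The following is an added example, not Obtainium's code or part of the original article: the asset names are constructed, and it assumes the filter is applied as an unanchored search (as Python's re.search does).

```python
import re

# Constructed asset names for one hypothetical release (not a real project).
ASSETS = [
    "app-arm64-v8a-release.apk",
    "app-armeabi-v7a-release.apk",
    "app-x86_64-release.apk",
    "app-universal-release.apk",
    "app-fdroid-universal-release.apk",
    "app-split-arm64-v8a-release.apk",
]

def matching_assets(pattern, assets=ASSETS):
    """Return the APK assets a filter selects (unanchored search, an assumption)."""
    rx = re.compile(pattern)
    return [name for name in assets if name.endswith(".apk") and rx.search(name)]

def verdict(pattern, assets=ASSETS):
    """Classify a filter: it should pick exactly one asset per release."""
    hits = matching_assets(pattern, assets)
    if not hits:
        return "none"
    return "unique" if len(hits) == 1 else "ambiguous"

if __name__ == "__main__":
    candidates = [
        "arm64-v8a",                 # also hits the split variant
        "universal",                 # hits both universal flavours
        "fdroid",
        r"^(?!.*split)",             # excludes split APKs, keeps everything else
        r"^(?!.*split).*arm64-v8a",  # lookahead combined with an ABI match
        "riscv64",                   # no such asset in this release
    ]
    for pattern in candidates:
        print(f"{pattern!r:32} {verdict(pattern):10} {matching_assets(pattern)}")
```

A filter that comes back "ambiguous" or "none" against a project's real asset list is worth tightening before relying on it for unattended update checks.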
Obtainium vs F-Droid vs Play Store
| Feature | Obtainium | F-Droid | Play Store |
|---|---|---|---|
| Source verification | Developer’s signing key | F-Droid build from source | Google signing key (or dev key) |
| Update latency | Minutes after developer tags a release | Hours to days after tagging | Varies (Play review) |
| Requires Google services | No | No | Partial (Play API) |
| Curated safety review | No | Yes (basic) | Yes (Play Protect) |
| Works on de-Googled ROMs | Yes | Yes | Requires microG or Sandboxed GP |
| App coverage | Any project with a public release page | ~4,500 apps | 3+ million apps |
| Backup/migrate app list | JSON export/import | Manual reinstall | Google account restore |
The table makes the trade-offs clear. Obtainium delivers speed and breadth at the cost of the supply-chain guarantee that F-Droid’s source builds provide. For security-critical apps like password managers or VPN clients, you may prefer F-Droid’s rebuild process or the developer’s official signed binary from their own website - check our guides on the best Android password managers and best Android VPN apps for source recommendations per app.
Security Considerations
Obtainium sits in an interesting position on the Android trust model. Because it installs developer-signed binaries, you are trusting the developer’s own signing key and release process, the integrity of the release platform at download time, and TLS to protect the download in transit.
This is essentially the same trust model as manually downloading an APK from a developer’s official release page, which Android has always permitted. The risk is that if a developer’s GitHub account is compromised and a malicious release is published, Obtainium will offer to install it on schedule. Mitigations include:
- Enable “require user confirmation for each update” in Obtainium preferences. This is the default and means no update installs silently.
- Check release notes before confirming an update. Obtainium displays the changelog from the GitHub release body.
- Use verified sources - stick to well-maintained repos with an active commit history and a track record of signed releases.
- Android signature pinning - once an app is installed, Android will refuse to install a later version signed with a different key. This protects against a scenario where an attacker replaces the APK on the release page with one signed by a different key.
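Signature continuity only applies once a version is already installed, so the first install is where a recorded fingerprint helps. As an added example (not Obtainium's code or part of the original article), the Python below compares the signer digest reported by apksigner verify --print-certs with a fingerprint recorded out of band; the package name, fingerprint and sample output are constructed.

```python
import re
import subprocess

# Matches the digest lines printed by `apksigner verify --print-certs`.
DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M)

# Constructed placeholder fingerprint and hypothetical package name. Record
# the real value from a channel other than the release page itself.
FAKE_DIGEST = "0123456789abcdef" * 4
PINS = {"org.example.app": FAKE_DIGEST}

# Constructed sample of apksigner output for an APK signed with that key.
SAMPLE_OUTPUT = (
    "Signer #1 certificate DN: CN=Example Developer\n"
    f"Signer #1 certificate SHA-256 digest: {FAKE_DIGEST}\n"
    f"Signer #1 certificate SHA-1 digest: {FAKE_DIGEST[:40]}\n"
)

def signer_digests(apksigner_output):
    """Return the set of signer certificate SHA-256 digests, lower-cased."""
    return {d.lower() for d in DIGEST_RE.findall(apksigner_output)}

def pin_ok(package, apksigner_output, pins=PINS):
    """Fail closed: unknown package, no signer parsed, or any other signer."""
    found = signer_digests(apksigner_output)
    return package in pins and found == {pins[package].lower()}

def print_certs(apk_path):
    """Run apksigner (Android SDK build-tools); raises on a non-zero exit."""
    result = subprocess.run(
        ["apksigner", "verify", "--print-certs", apk_path],
        check=True, capture_output=True, text=True)
    return result.stdout

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; for a real file use
    # pin_ok(package, print_certs("/path/to/downloaded.apk")).
    print(pin_ok("org.example.app", SAMPLE_OUTPUT))
```

The check is only as strong as the channel the fingerprint came from: a value copied from the same release page as the APK adds nothing if that page is what was compromised.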
For a broader view of sideloading risks and Android’s permission model, the sideloading Android security guide covers the PackageInstaller flow, signature verification, and common attack vectors in detail.
Practical Tips for Daily Use
Export your app list regularly. Go to Settings - Export Apps to generate a JSON backup. Keep this file in your password manager’s secure notes or an encrypted cloud location. It makes restoring a de-Googled device trivial.
Use the “Pinned version” option sparingly. Obtainium lets you freeze an app at a specific version. This is useful if a developer ships a breaking change, but it means you will not receive security patches. If you pin a version, set a calendar reminder to review it periodically.
Batch update from the app list. The “Update all” button runs through every app and queues updates. On a fresh device setup, use “Add via JSON” to import your backup and then “Update all” to install the latest versions in one pass.
Combine with F-Droid for the best of both. Nothing stops you from adding F-Droid repo apps to Obtainium using the F-Droid source type. You get Obtainium’s centralised notification and update UI while still pulling from F-Droid’s curated index.
Monitor Obtainium’s own issue tracker. Source adapters break occasionally when a hosting platform changes its API or HTML structure. The GitHub issues page is the fastest way to find workarounds while a fix is in progress.
Notable Apps Well-Suited to Obtainium
A few FOSS Android projects benefit especially from Obtainium’s direct-source model:
- Signal - Signal releases its own signed APKs at signal.org/android/apk/ and via its GitHub releases. The Play Store version is identical, but pulling from the official release page removes Google infrastructure from the delivery chain.
- Bitwarden - The F-Droid version sometimes lags several releases behind. Obtainium tracks the github.com/bitwarden/android releases and delivers the same binary Bitwarden distributes directly.
- NetGuard - The Play Store version has features disabled due to Play policy; the GitHub release is the full version.
- NewPipe - Actively maintained, rapid release cadence, available on GitHub and the NewPipe F-Droid repo. Obtainium handles the fast update cycle well.
- KeePassDX, Aegis Authenticator, Shelter - All publish signed releases on GitHub and benefit from Obtainium’s timely update notifications.
Obtainium does not change the fundamentals of Android’s security model: you still grant permissions per app, installs still go through PackageInstaller, and Android still enforces signature continuity. What it removes is the intermediary - whether that is Google, F-Droid’s build farm, or a third-party APK mirror. For users who have already worked through an Android privacy hardening checklist and moved to a de-Googled device, Obtainium is the logical final piece: a self-hosted, source-direct update pipeline that keeps FOSS apps current without phoning home to anyone.
FAQ
- Is Obtainium safe to use?
- Obtainium installs developer-signed binaries via Android's standard PackageInstaller, which enforces signature verification before completing any install. Every update requires explicit user confirmation by default. Once an app is installed, Android refuses any later version signed with a different key, blocking the most common APK-swap attack. The risk profile is the same as manually downloading an APK from a developer's own release page. Using well-maintained repositories with a visible commit history reduces risk further.
- Can Obtainium update itself?
- Yes. After the initial installation from F-Droid or GitHub, you can add Obtainium's own GitHub repository as a source inside the app. From that point, Obtainium monitors its own upstream releases and prompts you to update exactly as it does for any other app. This makes it fully self-sustaining without needing the Play Store or a separate update mechanism.
- What is the difference between Obtainium and F-Droid?
- F-Droid rebuilds apps from source code on its own build farm, adding a supply-chain verification layer. Obtainium downloads the developer's own signed binary directly from the release page, which means faster updates - often minutes after a tag - but you are trusting the developer's key rather than an independent rebuild. F-Droid covers around 4,500 curated apps; Obtainium works with any project that publishes APK assets on a public release page.
- Does Obtainium work on GrapheneOS or CalyxOS?
- Yes. Obtainium works on any Android-based OS including GrapheneOS, CalyxOS, DivestOS, and LineageOS. On GrapheneOS the Install unknown apps permission is scoped per-app, so you grant it only to Obtainium and it does not propagate to other sandboxed apps. There is no dependency on Google Play Services, Google Play Protect, or any Google infrastructure.