I know that it is not safe to download files through tor, and then open them outside of tor. Do we have the same issue with installing apps?
I have a Pixel 10 with GrapheneOS installed. I used the sandboxed Google Play Store to install Yelp on my phone. When I downloaded Yelp, the Google Play Store was force-running through Tor, thanks to Orbot. After it was done downloading, I opened it, but I didn't open it through Tor because I had not yet added Yelp to the apps that are controlled by Orbot. Does this mean that I may have accidentally run a corrupted version of the Yelp app, and my entire phone is now compromised?
Google Play should, I think, verify the signatures of the apps it downloads, even on GrapheneOS (whether you route Google Play through Tor or not doesn't matter). You not routing Yelp via Orbot only means that you left a non-Tor-protected network footprint of that connection.
As far as I remember, Google Play has pretty good security measures against malicious actors and is unlikely to serve you a corrupted copy of an app without noticing. Downloading an app that isn't Yelp but has a similar name (consider cybersquatting, but for an app store) is not covered by that, though the Play Store will deal with such apps once spotted.
Also, Android has strong security guarantees in place that prevent user-installed apps from compromising other apps or the whole device, unless you haven't been updating your device for a while and someone uses some newly patched vulnerabilities (n-day vulnerabilities) to attack your device (rare), or your attacker uses some zero-day vulnerabilities to attack your device (even rarer).
But just in case, can you download AppVerifier (from here or the Accrescent app store), copy the following text, and verify the Yelp app with "Verify from clipboard"?
This is what the Yelp app's signature looks like for me when I download it from the Play Store. If attackers are targeting you but not me, the Yelp app's signatures on our devices are likely to be different.
IMO the danger of downloading files through the Tor network is kind of overblown. If you download files from reputable sources that aren't likely to target you (just because you're accessing them through Tor), then you're likely to be fine. The cases that require the most caution are when you download files (any files) from onion sites of unknown origin (so onion sites like the official Tor Project onion site don't count), lesser-known sites, or sites that allow users to upload arbitrary files (including but not limited to file sharing sites like Dropbox or Mega). But that's just my opinion.
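To make the AppVerifier check suggested above concrete, here is an added Python example (not code from this thread, from AppVerifier or from GrapheneOS) of what such a tool does: it reads the APK Signature Scheme v2 block that sits just before the ZIP central directory, hashes the first signing certificate with SHA-256, and compares the result against an expected fingerprint. The APK bytes are constructed inline with a placeholder certificate; treating the fingerprint as colon-separated or bare hex is an assumption about the input format, not AppVerifier's own.

```python
import hashlib, hmac, struct

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A  # APK Signature Scheme v2 block ID

def _lp(b):  # uint32 LE length prefix, the encoding used throughout the v2 block
    return struct.pack("<I", len(b)) + b

def _seq(buf):  # split a concatenation of length-prefixed items into a list
    items, off = [], 0
    while off < len(buf):
        n = struct.unpack_from("<I", buf, off)[0]
        items.append(buf[off + 4:off + 4 + n])
        off += 4 + n
    return items

def signing_cert_sha256(apk):
    """Hex SHA-256 of the first v2 signing certificate in an APK's bytes, or None."""
    eocd = apk.rfind(b"PK\x05\x06")                 # End of Central Directory record
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    if apk[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return None                                   # no APK Signing Block before the CD
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
    off, end = cd_offset - size, cd_offset - 24       # the uint64-length ID-value pairs
    while off < end:
        pair_len, pair_id = struct.unpack_from("<QI", apk, off)
        value = apk[off + 12:off + 8 + pair_len]
        off += 8 + pair_len
        if pair_id == V2_BLOCK_ID:
            signer = _seq(_seq(value)[0])[0]            # signers -> first signer
            certs = _seq(_seq(_seq(signer)[0])[1])      # signed data -> certificates
            return hashlib.sha256(certs[0]).hexdigest()
    return None

def fingerprints_match(seen, expected):
    """Compare two fingerprints ignoring colons, spaces and case, in constant time."""
    norm = lambda s: "".join(c for c in s.lower() if c in "0123456789abcdef")
    return hmac.compare_digest(norm(seen), norm(expected))

def build_fake_apk(cert_der):
    """Constructed stand-in for an APK: one v2 signer block followed by an empty EOCD."""
    signed_data = _lp(b"") + _lp(_lp(cert_der)) + _lp(b"")  # digests, certs, attributes
    signer = _lp(signed_data) + _lp(b"") + _lp(b"")        # signed data, signatures, key
    pair = struct.pack("<QI", 4 + len(_lp(_lp(signer))), V2_BLOCK_ID) + _lp(_lp(signer))
    size = len(pair) + 8 + 16                              # pairs + trailing size + magic
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 0, 0, 0, len(block), 0)
    return block + eocd
```

On a real APK pulled from a device, the hash this returns is the same value apksigner prints for the signing certificate, which is what you would compare against a fingerprint obtained from a second, independent source.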