Catalyst distribution for Android needs another look

Is there a threshold at which the Obsidian developers might consider distributing the Android Catalyst version through other means? I get that using an insiders-only Discord channel makes things really simple, but the more popular Obsidian becomes, the more attractive the Discord server becomes as an attack vector. It also completely sidesteps the only cryptographic mechanism protecting the average user (the package’s signing key), because a user must remove the app entirely when switching back and forth between the public and Catalyst versions, and with it goes the signing key.

We also have no good way to verify the provenance of the .apk files on this channel. I have a lot of assumptions about where they come from, but no guarantees. I would guess that the admins have restricted file uploads on the server so only Obsidian reps can upload an APK, but that’s just a guess. And even then, when I skim through this Discord I’m not even sure who the Obsidian reps are. Can’t be the OBSD tags, though that was my first thought. Is it those with purple text? How do I know that an .apk is actually from Obsidian? Sure, if I’ve already installed the Catalyst version then upgrading will validate the updated package’s signature, but what if I’m switching back from the production version?

Yes, I know the file will be in a pinned message, I know. I know it’s unlikely that a bad actor will impersonate an Obsidian employee on Discord to target Obsidian users en-masse.

My point isn’t that such an attack is likely; I don’t think it is. My point is that this weak chain of custody in the Android Catalyst distribution is uncharacteristically insecure compared to the standard of security elsewhere in Obsidian. I mean, look at Obsidian’s features and it’s clear that security is taken seriously: offline-first architecture; regular client code audits; 2FA for the online account; and, most of all, E2E (!) encryption for Obsidian Sync. I can’t think of another piece of software I use that has zero-trust encryption and retains such a smooth user experience, let alone continues to improve that encryption with a full migration assistant. The amount of tedious work to put all that together into such a seamless experience is nothing to sneeze at!

And yet if the “distribution” phase were to be compromised (even once!) all those features might as well have been turned off.

I am not trying to condemn the team or the code. On the contrary, I signed up for a Catalyst license because I love Obsidian and am thrilled to see an extremely competent team make such high-quality software. I myself am an Android developer of 11 years and have been blown away by how responsive the Obsidian devs have managed to keep this app, and how well it integrates with Android APIs. I can even use all my hotkeys with a Bluetooth keyboard! Truly impressive stuff.

So it is all the more saddening for me to have to discontinue using Obsidian Catalyst on my Android devices. I use Obsidian to write my most precious thoughts, ideas, and communications, and until I have confidence in the provenance of the Catalyst package I am unable to entrust my vault to it.

Maybe I’m not the right user for the Catalyst program, and that’s okay too. But I hope I can be again one day. I will, of course, continue using Obsidian every single day.

Thanks again for the wonderful software, I owe you all a great debt.


Agree. Attackers can be very sophisticated, and given the popularity and growth of Obsidian they will find a way in. And Google is going to make it harder for people to sideload, which can reduce the use of and demand for the Catalyst version.

Of course, it would be easier to poison plugins, but I think we all know this and are warned. Perhaps posting an md5 sum of any Catalyst release to the obsidian.md website would be a good first step. I think you can also use the Google Play beta system as a closed beta; as I remember it, you can provide a list of emails that are allowed into the closed beta.

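The two checks the thread keeps circling back to, a published digest for each release and the package signing key that Android only enforces across upgrades, can both be done by hand before sideloading. The script below is an added example written for this thread, not code from the Obsidian team, and it uses only the Python standard library. It (1) compares the downloaded file’s SHA-256 with a digest obtained out of band, in constant time, and (2) pulls the signer certificate out of the APK’s v1 (JAR) signature block under `META-INF/` and hashes it, so the fingerprint can be compared with a known-good one (for instance the one `apksigner verify --print-certs` reports for a build you already trust). It deliberately uses SHA-256 rather than MD5 for the file digest, since MD5 collisions are practical. Caveat: only the v1 block is parsed; an APK signed solely with signature scheme v2/v3 keeps its certificate in the APK Signing Block, which this code does not read, and the `ValueError` path tells you to fall back to `apksigner`. The `build_sample_apk` helper and `fake_cert` are constructed test data so the example runs offline; they are not a real Obsidian package or key.

```python
"""Pre-install checks for a sideloaded APK (added example, Python stdlib only).

Two checks: (1) the file's SHA-256 matches a digest published out of band;
(2) the certificate in the APK's v1 (JAR) signature block hashes to a known
signer fingerprint. Only the v1 META-INF/*.RSA|*.DSA|*.EC block is parsed;
APKs signed only with scheme v2/v3 need `apksigner verify --print-certs`.
"""
import hashlib
import hmac
import io
import zipfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_published_digest(apk_bytes: bytes, published_sha256_hex: str) -> bool:
    """SHA-256 (not MD5: collisions are practical), compared in constant time."""
    return hmac.compare_digest(sha256_hex(apk_bytes), published_sha256_hex.strip().lower())


def der_tlv(buf: bytes, pos: int):
    """Parse one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def der_children(buf: bytes, start: int, end: int):
    """Yield (tag, value_start, value_end) for each element inside a constructed type."""
    pos = start
    while pos < end:
        tag, vs, ve = der_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def v1_signer_certificate(pkcs7_der: bytes) -> bytes:
    """Return the first certificate (DER) from a PKCS#7 SignedData blob.

    ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    SignedData  ::= SEQUENCE { version, digestAlgorithms, encapContentInfo,
                               certificates [0] IMPLICIT SET OF Certificate OPTIONAL, ... }
    """
    tag, s, e = der_tlv(pkcs7_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _oid, content = list(der_children(pkcs7_der, s, e))[:2]
    _tag, sd_s, sd_e = der_tlv(pkcs7_der, content[1])   # unwrap [0] to the SignedData SEQUENCE
    for tag, vs, ve in der_children(pkcs7_der, sd_s, sd_e):
        if tag == 0xA0:                                   # certificates [0]
            _ctag, _cs, ce = der_tlv(pkcs7_der, vs)       # first Certificate SEQUENCE
            return pkcs7_der[vs:ce]
    raise ValueError("SignedData carries no certificate")


def signer_fingerprint(apk_bytes: bytes) -> str:
    """SHA-256 of the v1 signer certificate (hex, no colons), comparable with apksigner/keytool output."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        sig_files = [n for n in z.namelist()
                     if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        if not sig_files:
            raise ValueError("no v1 signature block; verify v2/v3 with apksigner")
        cert = v1_signer_certificate(z.read(sig_files[0]))
    return sha256_hex(cert)


def der_encode(tag: int, payload: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed sample below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def build_sample_apk(cert_der: bytes) -> bytes:
    """Constructed stand-in for an APK: a zip whose META-INF/CERT.RSA wraps cert_der.
    The signature itself is not valid; this only exercises certificate extraction."""
    data_oid = der_encode(0x06, bytes.fromhex("2a864886f70d010701"))        # pkcs7-data
    signed_data = der_encode(0x30, der_encode(0x02, b"\x01")               # version
                             + der_encode(0x31, b"")                        # digestAlgorithms
                             + der_encode(0x30, data_oid)                   # encapContentInfo
                             + der_encode(0xA0, cert_der)                   # certificates [0]
                             + der_encode(0x31, b""))                       # signerInfos
    content_info = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d010702"))
                              + der_encode(0xA0, signed_data))              # pkcs7-signedData
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"\x00" * 64)
        z.writestr("META-INF/CERT.RSA", content_info)
    return buf.getvalue()


if __name__ == "__main__":
    fake_cert = der_encode(0x30, b"\x41" * 300)   # >127 bytes, so long-form lengths are exercised
    apk = build_sample_apk(fake_cert)
    print("sha256 ok:", matches_published_digest(apk, sha256_hex(apk)))
    print("signer:", signer_fingerprint(apk), "known:", sha256_hex(fake_cert))
```

In practice you would feed `matches_published_digest` the bytes of the downloaded .apk and the digest from wherever it is published, and compare `signer_fingerprint` against the fingerprint of a build you already trust; if the two Catalyst and Play builds are signed with different keys (Play App Signing can do that), each channel needs its own known-good value.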

This comment is just FYI about Discord and not about a need for a different distribution route.

On Discord, server tags (like “OBSD”) are available to all members. And some roles (reflected in profile badges and name text colors) are also opt in.

But the icon after the tag is controlled. You can hover it to see what it means:

You can also tap a user’s profile picture (and also their name on desktop) to see whether they’re a team member, moderator, bot, or what not:

I’ve not been on catalyst for long, but in my time, the only person to post an APK has been Liam. And only moderators can pin messages, so a mod would have to get fooled by a sham “liam” to then pin it.


These are great suggestions.

This is good information, thank you. I have also seen APKs uploaded by Liam, as far as I recall. I suppose my concern is whether that is the only account from which I should accept updates, or if anybody from Obsidian is authorized to upload an APK.

Yeah. That’s a problem. Maybe some feature similar to beta we already have for Android, but with some kind of controlled access?

I would like to use it, but downloading an .apk file and then sideloading it is too cumbersome. I know how to do it, but there are so many insider versions, so updating on the smartphone together with the other apps would be better.

Maybe a new app that needs some kind of register to be accessible?


Quick question. How do you hover over an icon on Android?

In Discord’s Android app, when I tap an assigned icon, its hover info appears in a small, brief toast message at the top of the screen.

I haven’t tried in a browser on Android though.