F-Droid is an installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform. The client makes it easy to browse, install, and keep track of updates on your device.
Fdroid is a secure repositorie and the applications are reviewed before being made available for end users.
The repository is also highly focused on privacy and security and will warn if applications have security flaws or depend on non free services.
As an example, I use NewPipe instead of the standard YT app and it has a warning it depends on non-free services.
One other example I can give is Librera. It’s a very feature rich ebook/pdf/etc reader. At some point, a security flaw was discovered and the app was instantly flagged has having such problems and users were advised to not install it.
Malicious apps can make it onto F-Droid as they can onto any app store. The biggest difference is that F-Droid compiles apps from the published source code rather than accent uploads from the developer directly. That means only apps with source available are installable by default, built from the source everyone else can read.
If there’s any malware in these apps, the malicious code can be found in the public source code.
There is a manual vetting process before an app is accepted into the repo which should detect shady behaviour but updates aren’t subject to this strict process, so it’s not a full fix.
This is a bit of a fallacious point in this context - it suggests:
apps will be investigated by its users (not guaranteed, nor even likely for unpopular apps)
an app will even have users capable of detecting malware (I don’t know squat about phone malware patterns, so I wouldn’t be effective at it even if I did scan through thousands of lines of code)
What I can tell you is that Google was extremely detailed in their monitoring of my apps - even looking up e.g. rate limits of the steam api to check if I properly deal with those. And I pick that example since I don’t want to talk about the ways I mishandled user data out of negligence or ignorance.
Back then I perceived it as harassment.
Today I will certainly not install any apps that didn’t pass their testing.
And we’re not even talking about deliberate malware but simple incompetence. I would consider the average hobby app project to be borderline malware and a proper QA needs qualified personnel.
I don’t see how F-Droid can ever reach those standards.
Play’s reputation for being full of malware stands directly at odds with your assessment.
Hobbyists are rarely incompetent. They actually take pride in their work, and aren’t just trying to quickly slap something together for a quick buck.
Not sure what gave you the impression that most phone apps have gone through professional QA, but I very seriously doubt that they have.
As for mishandling user data, it’s a lot easier to avoid doing that when user data never leaves the user’s device in the first place. Proprietary apps collect user data for profit; free and open source apps often don’t.
I use F-Droid as my main app store, and while I trust most of the apps on there and haven’t found any asking for permissions they don’t need, I wouldn’t claim any Android app store is more secure than the Play Store. This post goes into technical detail comparing the two: https://privsec.dev/posts/android/f-droid-security-issues/ - Note: emphasis in the conclusion mentioning that these criticisms may or may not really matter, depending on your threat model. (as an aside - if anyone here doesn’t know what a threat model is, determine yours before participating in any privacy community or you’ll just end up with useless paranoia)
That said, I would guess that Play Store may have a higher risk of malicious apps only due to the fact that there are far, far, far, far more potential victims, and being the default app store, victims less likely to be technically experienced enough to notice false apps. So, almost all attackers will probably aim for the most targets and only bother targeting the Play Store, despite the extra challenges.
I did make up my mind, and both I and the article both explicitly emphasise people to apply the facts it presents to their own circumstances. What you just wrote is very condescending and insulting.
Well my intention was not to offend you. However, I still firmly believe that using a proprietary app store run by google is not as good as a app store that takes libre software as a priority.
Sorry if you interpreted as a insult. I just don’t like when people blindly follow others. I am not sure if that’s some you are doing but its something I see a lot of. I’m not perfect either and I probably should work on my wording to make it less harsh.
It’s alright, and just to be clear, I do use and support F-Droid because I personally think it is better and suits my privacy goals. I didn’t mean to sound as if I wasn’t supporting it, just that it’s a bit more nuanced when talking about the security side: like almost everything in security, it’s more complex than one took being universally better than another.
Even small companies have to deal with, “supply chain”, attacks, criminals putting code into open source repositories to steal data and get access to servers. App stores are major targets too.
There have been weather apps that need your location to show you weather and oops we also send your location history to our data center in China and sell that data.
There have been, “document scanner”, apps that help you take pictures of things like credit card statements and did we not mention we send those images to Russian servers?
Do use a major brand phone like Samsung, keep your OS up to date, and don’t expose private info to these apps or give them special privileges, especially, “accessibility”, or, “screen reader”, and you should be okay.
I’ve always had a niggling worry that downloading apps from 3rd party app stores came with a higher risk of getting apps with viruses and spyware.
any truth to this?
Not really.
Fdroid is a secure repositorie and the applications are reviewed before being made available for end users.
The repository is also highly focused on privacy and security and will warn if applications have security flaws or depend on non free services.
As an example, I use NewPipe instead of the standard YT app and it has a warning it depends on non-free services.
One other example I can give is Librera. It’s a very feature rich ebook/pdf/etc reader. At some point, a security flaw was discovered and the app was instantly flagged has having such problems and users were advised to not install it.
Reviewed by who though? Malicious apps even get through apple and Google’s screening. I can’t see how fdroid can match the capabilities of those guys.
Malicious apps can make it onto F-Droid as they can onto any app store. The biggest difference is that F-Droid compiles apps from the published source code rather than accent uploads from the developer directly. That means only apps with source available are installable by default, built from the source everyone else can read.
If there’s any malware in these apps, the malicious code can be found in the public source code.
There is a manual vetting process before an app is accepted into the repo which should detect shady behaviour but updates aren’t subject to this strict process, so it’s not a full fix.
How is Librera to download now?
Works fine for me.
The benefit of open source apps is anyone can view the code to see if there is malware or other installed.
This is a bit of a fallacious point in this context - it suggests:
What I can tell you is that Google was extremely detailed in their monitoring of my apps - even looking up e.g. rate limits of the steam api to check if I properly deal with those. And I pick that example since I don’t want to talk about the ways I mishandled user data out of negligence or ignorance.
Back then I perceived it as harassment. Today I will certainly not install any apps that didn’t pass their testing.
And we’re not even talking about deliberate malware but simple incompetence. I would consider the average hobby app project to be borderline malware and a proper QA needs qualified personnel. I don’t see how F-Droid can ever reach those standards.
Play’s reputation for being full of malware stands directly at odds with your assessment.
Hobbyists are rarely incompetent. They actually take pride in their work, and aren’t just trying to quickly slap something together for a quick buck.
Not sure what gave you the impression that most phone apps have gone through professional QA, but I very seriously doubt that they have.
As for mishandling user data, it’s a lot easier to avoid doing that when user data never leaves the user’s device in the first place. Proprietary apps collect user data for profit; free and open source apps often don’t.
Thats what they want you to think
But its because they want your money
Yes but F-droid is an exception. Be careful of adding third party repos though
What is your justification for this claim?
I use F-Droid as my main app store, and while I trust most of the apps on there and haven’t found any asking for permissions they don’t need, I wouldn’t claim any Android app store is more secure than the Play Store. This post goes into technical detail comparing the two: https://privsec.dev/posts/android/f-droid-security-issues/ - Note: emphasis in the conclusion mentioning that these criticisms may or may not really matter, depending on your threat model. (as an aside - if anyone here doesn’t know what a threat model is, determine yours before participating in any privacy community or you’ll just end up with useless paranoia)
That said, I would guess that Play Store may have a higher risk of malicious apps only due to the fact that there are far, far, far, far more potential victims, and being the default app store, victims less likely to be technically experienced enough to notice false apps. So, almost all attackers will probably aim for the most targets and only bother targeting the Play Store, despite the extra challenges.
[tagging @elbowgrease@lemm.ee ]
You should make up your own mind. Don’t be a puppet to some guy online who wrote an article
I did make up my mind, and both I and the article both explicitly emphasise people to apply the facts it presents to their own circumstances. What you just wrote is very condescending and insulting.
Well my intention was not to offend you. However, I still firmly believe that using a proprietary app store run by google is not as good as a app store that takes libre software as a priority.
Sorry if you interpreted as a insult. I just don’t like when people blindly follow others. I am not sure if that’s some you are doing but its something I see a lot of. I’m not perfect either and I probably should work on my wording to make it less harsh.
It’s alright, and just to be clear, I do use and support F-Droid because I personally think it is better and suits my privacy goals. I didn’t mean to sound as if I wasn’t supporting it, just that it’s a bit more nuanced when talking about the security side: like almost everything in security, it’s more complex than one took being universally better than another.
deleted by creator
Even small companies have to deal with, “supply chain”, attacks, criminals putting code into open source repositories to steal data and get access to servers. App stores are major targets too.
There have been weather apps that need your location to show you weather and oops we also send your location history to our data center in China and sell that data.
There have been, “document scanner”, apps that help you take pictures of things like credit card statements and did we not mention we send those images to Russian servers?
Do use a major brand phone like Samsung, keep your OS up to date, and don’t expose private info to these apps or give them special privileges, especially, “accessibility”, or, “screen reader”, and you should be okay.