Does scanning an APK file with VirusTotal make sense?

I don’t have the skill or the know-how to read the source code and build an APK from the source published on GitHub, for example.

I wonder, in order to be somewhat sure that the APK file doesn’t contain any “badware”, is an online scanner like VirusTotal reliable?

I just downloaded a random file from F-Droid and scanned it to test.

The result can be seen here.

Is the result trustworthy?

VirusTotal and similar tools simply scan for software that has been previously flagged as being malicious. They are pretty limited in that respect. Any novel or unreported malware, as well as any malware that was obfuscated well enough, would not trigger any red flags.

4 Likes

If you don’t trust F-Droid (in the sense that it could be hacked), you can always download the APKs from GitHub (they have those as well, not just the code) and verify the checksum before installing. Unless you think the developer’s GitHub account can be hacked as well. There’s not much escape, really.

2 Likes
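The checksum step from the reply above, as an added worked example (this script is not from the thread or from any F-Droid or GitHub project). It computes the SHA-256 of a downloaded file and compares it, case-insensitively, with the hash the developer published next to the release. The file name `app-release.apk` and the stand-in file contents are constructed for the demo; in real use you point it at the downloaded `.apk` and paste the hash from the release page. Note the caveat: a matching checksum proves only that you received the same bytes the developer uploaded, not that those bytes are benign.

```shell
#!/bin/sh
# Added example, not code from the original thread: verify that a downloaded
# APK matches the SHA-256 checksum the developer published with the release.
# A match proves the file is the one that was uploaded; it does not prove
# the code inside is safe.

# Portable SHA-256: GNU coreutils provides sha256sum, macOS/BSD provide shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when the file's SHA-256 equals EXPECTED_HEX, 1 otherwise.
# Release pages publish hashes in either case, so both sides are lower-cased.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file"
    echo "  expected $expected"
    echo "  actual   $actual"
    return 1
}

# Demo on a constructed stand-in for an APK (file name and contents are
# made up for this example). With a real download, replace $good with the
# hash string copied from the GitHub release notes or the .sha256 file.
demo_dir=$(mktemp -d)
apk="$demo_dir/app-release.apk"
printf 'constructed stand-in for an APK\n' > "$apk"
good=$(sha256_of "$apk")
bad=$(printf '%064d' 0)   # a hash that cannot match: all zeros

if verify_sha256 "$apk" "$good"; then
    echo "first check passed, install would proceed"
fi
if ! verify_sha256 "$apk" "$bad"; then
    echo "second check failed as expected, do not install"
fi
rm -r "$demo_dir"
```

Usage: `sh verify.sh` runs the demo; for a real download, call `verify_sha256 ./app-release.apk <published hash>` and install only on exit status 0. One further check beyond what the thread mentions, if you have the Android build tools: `apksigner verify --print-certs app-release.apk` prints the signing certificate fingerprint, which you can compare with the fingerprint of the version already installed from F-Droid, since the developer's signing key should not change between releases.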

Sorry for my late reply!

Thank you both for your posts and good points you make.

I naively hoped that scanning them for malware on a site like VirusTotal could give some indication as to whether an .apk file is safe to install.

Thanks again!