A common app store often recommended to privacy enthusiasts is FDroid which aims to be an alternative app store to Google Play Store. But the problem is that the app utilizes API Level 25 and bypasses Android security policies resulting in an increased attack surface. The devs claim that they need more persons willing to contribute to increase the API Levels. If anyone is willing to help them, please do so as it means better software for everyone.
While there are tons of more problems, he has already mentioned one of the biggest.
The problems I know of are the good old trust party problem, slow updates, bad target SDK and some more “minor” ones like mixing multiple repos in one app, F-Droid not supporting the unattended update API (SDK 31 / Android 12) and hosting an outdated F-Droid APK on the website.
There are lots more problems, but these are the biggest ones I know of.
Reading that article you mentioned in the other thread, the best practice for security in this case is using either the Aurora Store, or going to the GitHub page of the official app.
Since everything on fdroid is on github or gitlab, should be easy enough.
Only thing I’m concerned about is the trackers that are put into the Google version of the apps, but then again just download the APK. Not that hard.
F-Droid is less secure than the Play Store or App Store for various reasons. I recommend looking for apps on F-Droid, but installing them via the Play Store (if possible). This way you can find loads of new FOSS apps, but download them in a more secure way.
Yes. F-Droid and security is currently impossible.
There are some F-Droid forks that solve SOME problems, but simply using github releases is the best solution in most cases.
If you do not find the software there, you can also use the Aurora Store. The Aurora Store uses the Google Play Store as a source for its apps, so most security features can be applied.
I haven’t denied that, just that the Aurora has far fewer problems than F-Droid. As you should have read, my go-to recommendation is directly from the repo releases and using Aurora only if you can’t find the app otherwise somehow.
Aurora Store has its own problems. Getting apps from GitHub and verifying them with apksigner is tiresome and exhausting, also only Signal makes their key available to the public (to the best of my knowledge; some others may do it, I don’t know). Play Store is not privacy friendly. Take your pick.
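Added example, not from this thread or from any of the projects named in it: a small POSIX shell helper showing what the apksigner-based verification mentioned above looks like when the expected signing-certificate fingerprint is pinned ahead of time. The `apksigner` tool from the Android SDK build-tools is assumed to be on PATH for `verify_apk`; the sample output and the digest inside it are constructed placeholders in the format `apksigner verify --print-certs` prints, not any real project's key.

```shell
#!/bin/sh
# Added example (not from the thread): pin an app's signing-certificate
# SHA-256 fingerprint and check a downloaded APK against it.
# Assumes `apksigner` (Android SDK build-tools) is on PATH when verify_apk
# is used; cert_digest_matches only needs captured apksigner output.

# Extract signer #1's certificate SHA-256 digest from
# `apksigner verify --print-certs` output passed in as a string.
# Normalises to lowercase hex without colons or spaces.
signer1_sha256() {
    printf '%s\n' "$1" \
      | sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' \
      | tr 'A-F' 'a-f' | tr -d ' :'
}

# Return 0 only if a digest was found AND it equals the pinned value.
# An empty digest (no signer line at all) is treated as a failure.
cert_digest_matches() {
    _out="$1"
    _pin="$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ' :')"
    _got="$(signer1_sha256 "$_out")"
    [ -n "$_got" ] && [ "$_got" = "$_pin" ]
}

# Full check on a real file: the signature must verify (apksigner exit
# status) AND the certificate must match the pin. Both are required;
# a valid signature from an unexpected key is still a rejection.
verify_apk() {
    _apk="$1"
    _pin="$2"
    _out="$(apksigner verify --print-certs "$_apk")" || return 1
    cert_digest_matches "$_out" "$_pin"
}

# Constructed sample in the format apksigner prints; the digests below are
# placeholders, not a real project's key.
SAMPLE_OUT='Signer #1 certificate DN: CN=Example Developer
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567'
PINNED='0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF'

# Usage: ./check_apk.sh app.apk <pinned-sha256-hex>
if [ "$#" -eq 2 ]; then
    if verify_apk "$1" "$2"; then
        echo "OK: signature valid and certificate matches pin"
    else
        echo "FAIL: do not install this APK"
        exit 1
    fi
fi
```

The pin itself has to come from somewhere trustworthy the first time (the developer publishing it, as the post notes Signal does); after that, every later download can be checked against the stored value without relying on the download channel.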
But, in digesting all this info and working through what made privacy vs security sense for me I became a little disenfranchised… and found SkyDroid which seems to promote itself not as a FOSS app/repository but a Decentralized App Store for Android. Does anyone have any experience or insight on SkyDroid?
So what can be done to fix this? Perhaps an app underwriter group that is fully privacy respecting and people preferring apps with their seal upon them? That is probably the best free market solution. One thing for sure is that I am not going back to Google Play Store.
I could be totally wrong, but I think the problems with Fdroid are a result of being understaffed. I think there’s literally only one guy who works full-time on Fdroid. I can understand why a project as default as this but with so few resources could have problems. I’m not sure how you get more resources to Fdroid besides just growing the use of custom ROMs.
This was one of the first apps where I thought “hang on, I don’t think that FOSS always means secure.” It does make you look back at the Google Play Store to appreciate what you can do with serious resources.
Ads & Analytics: Our favorites. Software being free and open source doesn’t mean the compiled app cannot have some extras. Usually, if there are ad or analytics modules, that’s also pointed out in the „AntiFeatures“ in the app description.