F-Droid Security Issues

A common app store often recommended to privacy enthusiasts is F-Droid, which aims to be an alternative to the Google Play Store. But the problem is that the app utilizes API Level 25 and bypasses Android security policies, resulting in an increased attack surface. The devs claim that they need more people willing to contribute to increase the API Level. If anyone is willing to help them, please do so, as it means better software for everyone.

See:
https://android.googlesource.com/platform/system/sepolicy/+/refs/tags/android-12.0.0_r21/private

F-Droid does not utilize TLS cert pinning, which makes man-in-the-middle attacks a possibility.
F-Droid did think of it 7 years ago, though, but there is no working implementation as of today.

This really makes you think about their security practices.


They also do not enforce a minimum API version on the apps available on F-Droid, unlike the Play Store, which enforces a minimum API Level 30.

It also has a problem regarding the adoption of new signature schemes as they held out on the v1 signature scheme (which was horrible and deprecated since 2017) until they were forced by Android 11 requirements to support the newer v2/v3 schemes (v2 was introduced in Android 7.0). Quite frankly, this is straight-up bad, and signing APKs with GPG is no better considering how bad PGP and its reference implementation GPG are (even Debian is trying to move away from it). Ideally, F-Droid should fully move on to newer signature schemes, and should completely phase out the legacy signature schemes which are still being used for some apps and metadata.

Currently we have no good solutions. Pulling apps directly from GitHub and running apksigner is what I would recommend for now. A GrapheneOS dev is working on an alternative app store called Accrescent, which he claims is secure. It is currently in pre-alpha.
See: GitHub - accrescent/accrescent: A novel Android app store focused on security, privacy, and usability

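The post above recommends pulling APKs from GitHub and running apksigner, and a later reply points out that this only helps if the developer's signing key is known to you out of band (Signal is named as one project that publishes it). The script below is an added example, not code from F-Droid, Accrescent or any poster here: it wraps `apksigner verify --verbose --print-certs` and accepts an APK only when the signature verifies and every signer's certificate SHA-256 fingerprint matches a pinned value. It assumes `apksigner` from the Android SDK build-tools is on PATH; the pinned fingerprint and the two apksigner outputs embedded for offline demonstration are constructed, not taken from any real app.

```python
"""Pin an APK's signing certificate on top of `apksigner verify`.

Added example; not code from F-Droid, Accrescent or any post in this thread.
Assumes `apksigner` (Android SDK build-tools) is on PATH. The fingerprint and
the sample apksigner outputs below are constructed for illustration.
"""
import re
import subprocess
import sys
from typing import Dict, Iterable, Tuple

# apksigner prints one such line per signer when run with --print-certs.
DIGEST_RE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest:\s*([0-9A-Fa-f:]+)\s*$", re.MULTILINE
)

# Constructed fingerprint of a developer's release certificate. Obtain the real
# value out of band (project docs, a signed announcement), never from the same
# download you are about to verify.
PINNED_DEVELOPER_CERT = "7c1b0c6a2f9e4d3b8a5e1f0c9d2b4a6e8f7c5d3b1a0e9f8d7c6b5a4e3d2c1b0a"

# Constructed stand-in for `apksigner verify --verbose --print-certs app.apk`
# on the developer's genuine build.
SAMPLE_OUTPUT_GENUINE = """Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Number of signers: 1
Signer #1 certificate DN: CN=Example Developer, O=Example
Signer #1 certificate SHA-256 digest: 7c1b0c6a2f9e4d3b8a5e1f0c9d2b4a6e8f7c5d3b1a0e9f8d7c6b5a4e3d2c1b0a
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567
"""

# Constructed stand-in for the same app re-signed by a third party: the
# signature itself verifies, so only the pin check can catch this.
SAMPLE_OUTPUT_RESIGNED = SAMPLE_OUTPUT_GENUINE.replace(
    "7c1b0c6a2f9e4d3b8a5e1f0c9d2b4a6e8f7c5d3b1a0e9f8d7c6b5a4e3d2c1b0a",
    "deadbeef00112233445566778899aabbccddeeff00112233445566778899aabb",
)


def normalize_fingerprint(value: str) -> str:
    """Canonical form: lowercase hex with colons and whitespace removed."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def parse_signer_digests(apksigner_output: str) -> Dict[int, str]:
    """Map signer number -> canonical SHA-256 certificate digest."""
    digests: Dict[int, str] = {}
    for number, digest in DIGEST_RE.findall(apksigner_output):
        canon = normalize_fingerprint(digest)
        if len(canon) != 64:
            raise ValueError(f"malformed SHA-256 digest for signer {number}: {digest!r}")
        digests[int(number)] = canon
    return digests


def signers_are_pinned(digests: Dict[int, str], pinned: Iterable[str]) -> bool:
    """True only if there is at least one signer and every signer is pinned."""
    pins = {normalize_fingerprint(p) for p in pinned}
    return bool(digests) and all(d in pins for d in digests.values())


def verify_pinned_apk(apk_path: str, pinned: Iterable[str],
                      apksigner: str = "apksigner") -> Tuple[bool, str]:
    """Run apksigner and require both a valid signature and a pinned signer."""
    proc = subprocess.run(
        [apksigner, "verify", "--verbose", "--print-certs", apk_path],
        capture_output=True, text=True, check=False,
    )
    if proc.returncode != 0:  # apksigner exits non-zero when DOES NOT VERIFY
        return False, "signature does not verify: " + (proc.stderr or proc.stdout).strip()
    digests = parse_signer_digests(proc.stdout)
    if not signers_are_pinned(digests, pinned):
        return False, f"valid signature but unexpected signer(s): {sorted(digests.values())}"
    return True, "signature valid and signer matches pin"


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: pin_check.py app.apk <sha256-cert-fingerprint>")
    ok, reason = verify_pinned_apk(sys.argv[1], [sys.argv[2]])
    print(reason)
    sys.exit(0 if ok else 1)
```

Two caveats follow from how the check is built: a pin on a single certificate will reject a build after a legitimate key rotation (apksigner's v3 lineage is not consulted here), and on first install the fingerprint you pin is only as trustworthy as the channel you got it from, which is exactly the "only Signal publishes their key" problem raised further down the thread.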

I personally know nothing about the issues but @Raznick was talking about this and I bet he has some interesting points

While there are tons of more problems, he has already mentioned one of the biggest.

The problems I know of are the good old trusted-party problem, slow updates, bad target SDK and some more “minor” ones like mixing multiple repos in one app, F-Droid not supporting the unattended update API (SDK 31 / Android 12) and hosting an outdated F-Droid APK on the website.

There are lots more problems, but these are the biggest ones I know of.

Basically just read A brief and informal analysis of F-Droid security | Wonder's Lab if you want to know more. Otherwise simply a “do not install anything from F-Droid” practice should be more than good enough for your security.
F-Droid is great for finding FOSS apps, but not as a repo.

You can download most F-Droid apps from GitHub and add the releases to your RSS feed. If I remember correctly, following the
https://github.com/:owner/:repo/releases.atom should work.
Taking NewPipe as an example, you simply change it to: https://github.com/TeamNewPipe/NewPipe/releases.atom

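The post above suggests following a project's `https://github.com/:owner/:repo/releases.atom` feed to learn about new releases. As an added example that is not part of any post here, the script below fetches such a feed, parses the Atom entries with the standard library, sorts them by their `updated` timestamp and reports a release you have not seen yet. The feed URL pattern and the NewPipe URL are taken from the post; the feed document embedded for offline demonstration, including its version numbers, is constructed and follows the Atom structure GitHub uses, with each entry linking to the release page rather than to an APK asset.

```python
"""Poll a GitHub releases.atom feed for releases you have not seen yet.

Added example; not code from any post in this thread. The URL pattern comes
from the post above; the feed content below is constructed for illustration.
"""
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Dict, List, Optional

ATOM = "{http://www.w3.org/2005/Atom}"  # Atom elements are namespaced


def release_feed_url(owner: str, repo: str) -> str:
    """Build the feed URL in the :owner/:repo form quoted in the post."""
    return f"https://github.com/{owner}/{repo}/releases.atom"


def fetch_feed(url: str, timeout: float = 20.0) -> str:
    """Download the feed (network access; not used by the offline demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_releases(feed_xml: str) -> List[Dict]:
    """Return entries as dicts sorted newest first by their `updated` time."""
    root = ET.fromstring(feed_xml)
    releases = []
    for entry in root.iter(ATOM + "entry"):
        # GitHub stamps entries in UTC with a trailing Z, which older
        # fromisoformat() versions do not accept, hence the replace.
        updated = (entry.findtext(ATOM + "updated") or "").replace("Z", "+00:00")
        link = entry.find(ATOM + "link")
        releases.append({
            "title": (entry.findtext(ATOM + "title") or "").strip(),
            "updated": datetime.fromisoformat(updated),
            # Points at the release page, not at an APK; the APK still has to
            # be downloaded and its signature checked separately.
            "url": link.get("href") if link is not None else None,
        })
    releases.sort(key=lambda r: r["updated"], reverse=True)
    return releases


def newest_unseen(feed_xml: str, last_seen_title: Optional[str]) -> Optional[Dict]:
    """The newest release if it differs from the one recorded last time."""
    releases = parse_releases(feed_xml)
    if not releases or releases[0]["title"] == last_seen_title:
        return None
    return releases[0]


# Constructed feed in the shape GitHub serves; versions are hypothetical and
# deliberately listed oldest first to show that sorting is by `updated`.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en-US">
  <id>tag:github.com,2008:https://github.com/TeamNewPipe/NewPipe/releases</id>
  <title>Release notes from NewPipe</title>
  <updated>2024-01-02T12:00:00Z</updated>
  <entry>
    <id>tag:github.com,2008:Repository/1/v9.9.0</id>
    <updated>2023-12-01T09:30:00Z</updated>
    <link rel="alternate" type="text/html" href="https://github.com/TeamNewPipe/NewPipe/releases/tag/v9.9.0"/>
    <title>v9.9.0</title>
    <content type="html">&lt;p&gt;constructed release notes&lt;/p&gt;</content>
  </entry>
  <entry>
    <id>tag:github.com,2008:Repository/1/v9.9.1</id>
    <updated>2024-01-02T12:00:00Z</updated>
    <link rel="alternate" type="text/html" href="https://github.com/TeamNewPipe/NewPipe/releases/tag/v9.9.1"/>
    <title>v9.9.1</title>
    <content type="html">&lt;p&gt;constructed release notes&lt;/p&gt;</content>
  </entry>
</feed>
"""

if __name__ == "__main__":
    # Offline demo on the constructed feed; swap in fetch_feed(url) for real use.
    newest = newest_unseen(SAMPLE_FEED, last_seen_title="v9.9.0")
    print(newest["title"] if newest else "nothing new")
```

The feed only tells you that a release exists; what you then download from the release page still needs its signature checked against a fingerprint you trust.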

Reading that article you mentioned in the other thread, the best practice for security in this case is using either the Aurora Store or going to the GitHub page of the official app.
Since everything on F-Droid is on GitHub or GitLab, it should be easy enough.
The only thing I’m concerned about is the trackers that are put into the Google version of the apps, but then again, just download the APK. Not that hard.


F-Droid is less secure than the Play Store or App Store for various reasons. I recommend looking for apps on F-Droid, but installing them via the Play Store (if possible). This way you can find loads of new FOSS apps, but download them in a more secure way.


Yes. F-Droid and security is currently impossible.
There are some F-Droid forks that solve SOME problems, but simply using github releases is the best solution in most cases.
If you do not find the software there, you can also use the Aurora Store. The Aurora Store uses the Google Play Store as a source for its apps, so most security features can be applied.


“Keep spending most of our lives, living in the privacy paradise”

  • Coolio (Probably)

Wrong. Aurora Store has its own set of problems: no TLS cert pinning (the dev is quiet regarding this issue), usage of legacy storage permissions.

I haven’t denied that, just that Aurora has far fewer problems than F-Droid. As you should have read, my go-to recommendation is directly from the repo releases, and using Aurora only if you can’t find the app otherwise somehow.

Aurora Store has its own problems. Getting apps from GitHub and verifying with apksigner is tiresome and exhausting; also, only Signal makes their key available to the public (to the best of my knowledge, some others may do it, I dunno). Play Store is not privacy friendly. Take your pick.

Or in other words: Technology kinda sucks and you have to pick your poison.

But that doesn’t change the fact that generally speaking you should pick the order of getting apps like this:
Source code compiled yourself > Directly from the developer > Third party repository

Yes that is more work (and requires you to compile verified code yourself), but something you should be comfortable with if you really care about security & privacy

Otherwise simply download the app from github. This might not be the perfect solution, but AFAIK better than the FOSS stores we currently have.

Adding more :fire: to the discussion: You should uninstall F-Droid - Part 1 - YouTube


Android - Privacy Guides has a good outline of the F-Droid (app and repository) challenges and some tips you can evaluate based on your threat model.

I switched from F-Droid to Neo Store and after auditing all my FOSS apps changed my repository preference to:

  1. Google Play (if the full version of app doesn’t violate Google policies)
  2. The developers own F-Droid repository
  3. IzzyOnDroid
  4. The official F-Droid repository

Most of my FOSS apps fell into category number 1 and only one into category number 4.

I also think What should you use? - F-Droid, Droid-ify, Aurora Droid, Neo Store, Google Play, Aurora Store? is worth watching.

But, in digesting all this info and working through what made privacy vs. security sense for me, I became a little disenfranchised… and found SkyDroid, which seems to promote itself not as a FOSS app/repository but as a Decentralized App Store for Android. Does anyone have any experience or insight on SkyDroid?


F-Droid applications are always free, both from trackers and from in-app purchases whereas the same application on G store can have both.

So how does something like Aurora Droid with IzzyOnDroid, which fetches binaries from the respective repositories, compare to F-Droid and direct-from-repo downloads?

So what can be done to fix this? Perhaps an app underwriter group that is fully privacy respecting, and people preferring apps with their seal upon them? That is probably the best free-market solution. One thing for sure is that I am not going back to the Google Play Store.

I could be totally wrong, but I think the problems with F-Droid are a result of being understaffed. I think there’s literally only one guy who works full-time on F-Droid. I can understand why a project as default as this but with so few resources could have problems. I’m not sure how you get more resources to F-Droid besides just growing the use of custom ROMs. :confused:

This was one of the first apps where I thought “hang on, I don’t think that FOSS always means secure.” It does make you look back at the Google Play Store to appreciate what you can do with serious resources.

Hi Miu, just presenting a different experience/perspective. JJ

This is from IzzyOnDroid not F-Droid

Ads & Analytics: Our favorites. Software being free and open source doesn’t mean the compiled app cannot have some extras. Usually, if there are ad or analytics modules, that’s also pointed out in the „AntiFeatures“ in the app description.

NetGuard has “PRO features” that can be purchased (ad blocking is not possible with the Play store version because Google does not allow ad blocking apps in the Play store).

Both Google Play NetGuard and F-Droid NetGuard report zero trackers and eleven permissions with Exodus.

Specifically in regards to trackers in Google Play vs F-Droid app versions I’ve not found a difference in trackers with either Exodus or a local scan with Warden in any of my FOSS apps.


privacyguides.org has these general tips:

Neo Store supports seamless updates on Android 12 and above without needing any special privileges and targets a higher API level.

The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers’ own repositories.


A Sandboxed Google Play Services and Store would be the best option. (Note: you need to sign in, so just make a throwaway account.)

Only available in Graphene and ProtonAOSP.


This is pretty much what I’m starting to do now. I still have a lot of apps from F-Droid, but I will try to only update them from Aurora Store.