Hello,

several times I now read about potential security issues of the F-Droid Repository (see here for example:
https://wonderfall.dev/fdroid-issues/) and that many people recommend using the (Sandboxed) Play Store instead, as most F-Droid apps can be found there, too.

I am still not very happy with giving Google apps like Play Store/Services network access. An alternative is Aurora Store as a Play Store client.

So, what do you think: Is it more secure to use Aurora instead of F-Droid? And is it then even more secure to login via Aurora instead of using anonymous login?

Thank you very much and best regards

    GraphyGraphy

    One of the problems with the F-Droid repository is that they build and sign apps themselves. So, yes, I'd personally use Aurora instead of F-Droid when it's possible.

    Also, some app devs release two versions of their apps, a Google Play version and an open source version. In those cases, I prefer to install the apk released via Github releases directly if possible.

    • [deleted]

    GraphyGraphy Fdroid is very good. If you want an application store without google and without account there is only that available. I think google is more dangerous for our society than fdroid.

      • [deleted]

      [deleted] You can just use feeder on github, a notification to each update and it's more secure.

      F-droid signs all app releases using an air gapped machine, but it is still a single point of failure.

        • [deleted]

        AtriumCompound It is google that signs the apk.
        From google:

        • "For apps created before August 2021, you can still upload an APK file and manage your own keys instead of using app signing through Play and publishing through an Android App Bundle file. However, if you lose your key store or it is compromised, you will not be able to update your app without publishing a new app with a new bundle name. For these apps, Play recommends using app signing by Play and switching to app collections."
        • [deleted]

        AtriumCompound Fdroid does not give information about users to the government.

        Hi,

        thank you very much for the informative and controversial answers!

        I would like to continue with another question.
        I do not really understand why it is such a problem that the F-Droid team signs all apps in the F-Droid repo themselves. Is it better to trust every single developer of all installed apps (to not "lose" their keys) instead of only one source?
        Or is it more of a "community problem", because many users would be affected if there were a problem with the F-Droid repo?

        Thank you!

          GraphyGraphy The main issue is that if F-Droid's signing keys are compromised, then every single app installed through the store can be compromised, since any update would appear to come from the original legitimate source. [deleted] pointed out that since August 2021 Google now stores developer keys in their own cloud. So, theoretically, a flaw in Google's security could lead to those developer keys being compromised too. Imo, this seems far less likely.
          Standardwaste links to a post that does a good job explaining these issues and more, definitely worth a read if you're curious to know more.
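The "single point of failure" argument above comes down to Android's signer-continuity rule: a device pins the signing key of an app at first install and only accepts later updates signed by that same key, so whoever holds a key can ship an update to every app it signed. The following program is an added example written for this thread, not code from F-Droid, Google or any poster; it models that rule with Ed25519 keys standing in for real APK signing certificates (a deliberate simplification of the APK Signature Scheme) and constructed package names, and compares the reach of one leaked key under a repository-signs-everything model versus per-developer keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Installed models one app on the device. Android pins the signing
// certificate at first install and only accepts later updates from the
// same signer; here an Ed25519 public key stands in for that certificate
// (assumption: real APKs use X.509 certificates and the APK Signature
// Scheme, not raw Ed25519 keys).
type Installed struct {
	Name   string
	Signer ed25519.PublicKey
}

// Update is a signed release: package name, payload bytes and a signature.
type Update struct {
	Name    string
	Payload []byte
	Sig     []byte
}

// signedMessage binds the package name to the payload so a signature for
// one package cannot be replayed as an update for another.
func signedMessage(pkg string, payload []byte) []byte {
	return append([]byte(pkg+"\x00"), payload...)
}

// SignUpdate produces a release of pkg signed with priv.
func SignUpdate(priv ed25519.PrivateKey, pkg string, payload []byte) Update {
	return Update{Name: pkg, Payload: payload, Sig: ed25519.Sign(priv, signedMessage(pkg, payload))}
}

// AcceptUpdate applies the signer-continuity rule: the update must target
// the same package and verify under the key pinned at install time.
func AcceptUpdate(inst Installed, u Update) bool {
	if inst.Name != u.Name {
		return false
	}
	return ed25519.Verify(inst.Signer, signedMessage(u.Name, u.Payload), u.Sig)
}

// BlastRadius counts how many installed apps would accept a forged update
// produced with a leaked private key: the reach of one key compromise.
func BlastRadius(apps []Installed, leaked ed25519.PrivateKey) int {
	n := 0
	for _, a := range apps {
		forged := SignUpdate(leaked, a.Name, []byte("forged build of "+a.Name))
		if AcceptUpdate(a, forged) {
			n++
		}
	}
	return n
}

// CompareModels installs the same n apps under two trust models and returns
// the blast radius of a single leaked key in each:
//   repo: one repository key signs every app (repository builds and signs)
//   dev:  each developer signs only their own app
func CompareModels(n int) (int, int, error) {
	repoPub, repoPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return 0, 0, err
	}
	var repoApps, devApps []Installed
	var firstDevPriv ed25519.PrivateKey
	for i := 0; i < n; i++ {
		name := fmt.Sprintf("org.example.app%d", i) // constructed package name
		repoApps = append(repoApps, Installed{Name: name, Signer: repoPub})
		devPub, devPriv, gerr := ed25519.GenerateKey(rand.Reader)
		if gerr != nil {
			return 0, 0, gerr
		}
		if i == 0 {
			firstDevPriv = devPriv // the one developer key we assume leaks
		}
		devApps = append(devApps, Installed{Name: name, Signer: devPub})
	}
	return BlastRadius(repoApps, repoPriv), BlastRadius(devApps, firstDevPriv), nil
}

func main() {
	repo, dev, err := CompareModels(10)
	if err != nil {
		panic(err)
	}
	fmt.Printf("10 installed apps: one leaked key reaches %d apps (repository-signed) vs %d (developer-signed)\n", repo, dev)
}
```

The point the model makes explicit is that signature checking itself is sound in both cases; what differs is how many pinned signers share one key, which is the blast radius a practitioner should weigh, together with how well each key holder protects its key.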

            I have moved away from F-Droid and actually use a little-known app called 'Obtainium'. It is basically a front end where you can add direct links for apps, be it from F-Droid, GitHub, Mullvad or GitLab. It will track them as they update via those links and advise when there are updates, taking out F-Droid as the middleman and running directly from GitHub for those apps that work through releases (or similarly with GitLab).

            Check it out here - https://github.com/ImranR98/Obtainium

            I was using Aurora Store on my LOS device; however, now that it is sandboxed (and quite cool, I might add, on GrapheneOS on my P7Pro) I still use Google Play, as I have a few crucial apps that I use and paid for long ago that I can't give up... Maybe when my PinePhone Pro is fully up to speed I could, but for now it is what it is.

            I also use Obtainium. Seems to be doing the job fine. Strange thing is all my stores seem to "think" that they have installed all my apps.

              Thank you all! Obtainium also sounds very interesting! And for sure, Droid-ify or Neo-Store, too.

              AtriumCompound Thank you very much, so the problem would be that many of the installed apps could become problematic at the same time. And as I understand, from case to case, this could be more problematic with one app than another. Apps without network permission are less problematic, I think?
              Could that lead to a workaround in which one uses F-Droid only for apps without network permission, for example?

              Another thing: F-Droid is criticized because updates do not always come in time. But my experience is that this is also true for Aurora Store, at least with anonymous login. While on one phone the Play Store updates an app, sometimes the update is shown on another phone in the Aurora Store several days later. Then sometimes it helps to restart Aurora a few times, which also means logging in with different anonymous accounts until there is one that already gets the update.
              Because of that, I assume updates via Play Store are not rolled out to all users at the same time. Is this right? If so, Play Store would not really be better in this aspect!?

              Thank you all very much!