Third-party F-Droid repos security

FuzzyWolf

I was wondering how the security of third-party F-Droid repos compares to other options, like Obtainium. For example, if I would want to install NewPipe or SimpleX Chat using their own respective F-Droid repos, would it mitigate the current issues that F-Droid has with its main repo? With issues, I am of course referring to this article from PrivSec. By using F-Droid Basic, you can avoid the low API level of the app store and by using a third-party repo, you could avoid trusting F-Droid (only the dev), its policy and its slow and irregular updates. Also, compared to Obtainium, you would not have to trust GitHub (or any other Git service) or be worried about malicious fake repos.

Of course I know that Accrescent will be a way better alternative to both of these options, but its current alpha state it not going to change any time soon. If I would like to avoid using Play Services, what would be the right choice in this case? Thanks in advance.

Eirikr70

FuzzyWolf Of course I know that Accrescent will be a way better alternative to both of these options, but its current alpha state it not going to change any time soon.

This is partly in our hands.

FuzzyWolf

Oh I forgot about the Aurora Store... But that also has issues of its own. How does F-Droid with third-party repos compare to Aurora?

oci3o

This has been discussed multiple times also, so I'll leave some articles.
https://privsec.dev/posts/android/f-droid-security-issues/ <- as you mentioned from privsec.dev
https://github.com/obfusk/fdroid-fakesigner-poc?tab=readme-ov-file#update-2024-12-30-2 <- Obfusk is an ex F-Droid developer.
https://news.ycombinator.com/item?id=42764108 <- Some discussion on HN back in 2022.
https://discuss.grapheneos.org/d/18731-f-droid-vulnerability-allows-bypassing-certificate-pinning <- One of the posts on this very forum.

In terms of trust, your always trusting someone else, unless you can verify every line of code, know how the app is designed, and build from source, its about who to trust.

F-Droid build the apps and distributes them, with their own keys, if their signing server is compromised, they can push malicious updates, the fix here is to use individual signing keys for the app, which is why Github is a good alternative, as its the dev with the key, not the platform.
But in the past their attitude towards security wasn't great either.

https://discuss.grapheneos.org/d/21269-problems-with-aurora-and-neo-stores-not-sure-what-they-are-insight-needed/10#:~:text=GrapheneOS%20has%20never,way%20of%20usage. and another

Now, in some of the discussions (especially on Reddit), they mention GrapheneOS is on the extreme end of security, and while yes they are, it doesn't mean they are wrong, and its good to point out these issues.
So, research and decide based on your threat model, if it allows you to use Google somewhat, get your apps from the Play store where possible, if not pick your sources for app installs.

mrket

oci3o The question is about third party repositories, not the main one; that is literally the title of this post (the PrivSec article you linked is also linked in the OP btw).

Many apps have their own F-Droid repo, the question in the OP is how secure it is to use a repo like that compared to getting the same app through Obtainium, for example.

I don't know the answer, but I assume the security is similar. I personally use third party F-Droid repos, and I try to verify the APK before the first install; subsequent installs should fail if the key used to sign the APK changes, so this doesn't seem much different to Obtainium, unless I'm missing something.