F-droid security

Onyx

I saw in the Reedit answered by the official GrapheneOS account (I hope) that F-droid is not a trustworthy source for downloading apps according to the context of the discussion. Which goes against everything I've ever researched.

After all, is F-droid safe or not? And what is the reason for being or not being?

Link: https://www.reddit.com/r/GrapheneOS/comments/16fsewh/what_is_default_launcher_in_grapheneos/

[deleted]

Onyx I saw in the Reedit answered by the official GrapheneOS account (I hope) that F-droid is not a trustworthy source for downloading apps according to the context of the discussion.

You are misinterpreting It. The GrapheneOS account said F-Droid is not a trustworthy source for Google's Pixel Launcher, not other apps.

Onyx Btw F-Droid has many security issues, you can know about them here: https://privsec.dev/posts/android/f-droid-security-issues/

User2288

Onyx

Read these:

https://discuss.grapheneos.org/d/6095-what-is-a-good-appstore-to-use-on-graphene-considerations/14

https://discuss.grapheneos.org/d/6095-what-is-a-good-appstore-to-use-on-graphene-considerations/39

https://discuss.grapheneos.org/d/2962-app-repositories-google-vs-aurora-vs-apk-vs-fdroid/

In summary:
The objections put towards fdroid actually don't apply in a lot cases and for most people. In simple terms that means fdroid is safe to use if you are downloading known (popular) apps that adhere to recent sdk and if you are using an alternate frontend like droidify or neostore.

[deleted]

This has been discussed numerous times. Please read those past discussions.

Onyx

The ones I read didn't come to any conclusions.
If it is already a saturated topic anyone who wants to contribute can insert links without any problems.
If not, just ignore it.
Thanks!

[deleted]

Onyx

I dont think this is a complicated, or saturated topic without solid conclusions, at all.

One can deduce enough to make a call on this without reliance on someone else's opinions.

Check F-Droid apps' stats vs PS/GH/GL. You will typically see FD lagging several versions behind, sometimes spanning months.

The next question would be, how do hackers/3LAs/deviants know which CVEs/bugs/0d's to exploit? Why, of course because the easiest would be those that are clearly stated as freshly patched. Which is announced in every new release for the whole world to see.

It would follow that those had hadn't updated with patched versions would make easiest prey.

Think of it as forgetting to lock your front door. That's a CVE that is made much worse by the news outlet announcing publicly that such is the case, to anyone who cares.

This is but one issue with FD, there are many more. See Side of Burritos (as another source) who covers it.

Hope this helps!

[deleted]

https://privsec.dev/posts/android/f-droid-security-issues/

[deleted]

[deleted] Btw F-Droid has many security issues, you can know about them here: https://privsec.dev/posts/android/f-droid-security-issues/

Read my post above yours. :-P

[deleted]

[deleted] Yes lol

Lukas

https://discuss.privacyguides.net/t/reconsider-f-droid/13650

Wonderfall

Lukas Chiming in since the following really ticked me off:

When you obtain your app directly from the developer you’re 100% trusting the developer to not include anything spooky in the app and the more apps you have the more developers you’re trusting. If you have 20 apps from 20 different developers, then you’re trusting 20 different developers.

You should never use F-Droid or any other repository with that assumption.

You might be thinking that I’m dumb because you still have to trust the developer of the app, right? But the thing is that F-Droid builds their apps from source which is a lot less difficult to inspect then reverse engineering APK files, and it’s a lot more risky to include spookiness in your source code.

I'm sorry to have to say this again: when you're using F-Droid, you are not only trusting F-Droid, but also the developer. F-Droid does not conduct a deep security analysis of every app source code.

It would be extremely difficult, as time has shown security vulnerabilities can be tricky to spot with a mere human review of the source code. Moreover, security vulnerabilities can be cleverly obfuscated, making them even more trickier to notice that way. Many GitHub repos are actually hosting obfuscated malware code: one should not think the source code is safe just because everyone can see it. Source code is quite hard to inspect, and I wouldn't even deem Dalvik bytecode reverse engineering as a lot more difficult.

It is even more difficult when you take into account that every source code update should be reviewed. This is not humanly possible and I doubt F-Droid have the resources for that. Not even Google or Apple do. F-Droid does check for binary blobs and the likes that would violate their inclusion policy. They may check for known security vulnerabilities through automated ways (mostly scripted libraries checks). They also literally run virustotal. Which is not harmful, but far from flawless. However, this approach can become harmful the second you think this is a robust security guarantee.

Things have evolved since the blog post linked above was written. F-Droid does now offer a more reasonable client with less attack surface and an updated target SDK, and honestly you should just use it in lieu of other third-party clients if you're going the F-Droid route. Reproducible builds are now more common, there were only a handful apps in 2022, and they're now close to 200. Most modern apps on F-Droid are also distributed through Play Store, so they benefit from Play Store strict inclusion guidelines as a side effect.

You can use F-Droid, but don't use it for the wrong reasons. Use it because you like what they do and you like having a catalogue of FOSS-only apps if that's your thing. Nothing wrong with that. Personally, I love FOSS apps and I don't use F-Droid, and Obtainium is now good enough to make the process of updating apps from GitHub a lot less painful that it was.

DeletedUser28

There's not much of alternatives to F-Droid, so arguing whether it has 10/10 security* or only 7/10 is irrelevant for most people. Because otherwise there's only:

Obtainium (to get APKs from sites like Github, Gitlab, APKMirror) -> good alternative but more "manual"
Accrescent -> has got barely any apps at this point
Aurora Store -> might break any day depending on how our overlords at Alphabet Inc feel today
Google Play Store -> proprietary, requires Play Services, requires a Google account, which in turn requires you to give them your phone number and other data...
other vendor stores (Huawei AppGallery, Samsung Galaxy Store, Amazon App Store, ...) -> less apps than the Play Store but similar downsides.

There's also a couple of apps that are found on F-Droid but not in the Play Store.

So I'd say for 99.99% of users, there is no reason to be afraid of using F-Droid. You don't have to use the default client, there's also Neostore, Droidify and F-Droid Basic.

* security is not to be confused with privacy!

[deleted]

Wonderfall F-Droid does not conduct a deep security analysis of every app source code.

Definetly. Here's a real world example of malware getting into the Official F-Droid repository: https://github.com/nextcloud/news-android/issues/1109

User2288

Wonderfall thanks for this update. It is very helpful.

The question of fdroid is a continuous question for gos users. It might be useful to add a section in the faq about it.