F-Droid App store

Hello,

Since I am new to open source apps and have only used the Google Play Store since I started using Android (25 years or so), I’m kind of wary of using F-Droid.
So I guess this thread is there to calm my spirits :sweat_smile:
So far I have found that it is probably the most secure way to download those kinds of apps.
Still want to put it up for discussion.

1 Like

No, I’m not, haha.
Whenever the Galaxy S2 came out.

Congrats on being from the future! /sarcasm

Anyway, F-Droid is mainly blamed for two reasons:

  1. The client (F-Droid app) using an older Android SDK version which causes the OS to apply weaker protections to the app.

  2. The repository (server where the F-Droid apps are hosted) having poor security practices such as F-Droid signing all their apps with their own keys (which means if the F-Droid key gets compromised it could cause massive destruction) compared to the Play Store which requires developers to sign their apps with their own keys.

There are ways to avoid these two issues:

  1. Using F-Droid Basic (a more modern client using more recent SDK versions so it supports auto-updating apps).

  2. Using alternative repositories (such as the IzzyOnDroid repository) which require apps to be signed with the developer’s keys.

There are caveats though - the main F-Droid repo still has official downloads of certain popular apps (for example, the Element Matrix client) and it still contains old un-updated Android apps.

However, if you are sensible and install only apps you know you can trust, you are very likely to stay safe. I use F-Droid and personally it’s fine if you use a client that auto-updates and don’t install old apps from the main repository.

4 Likes

I have F-Droid Basic installed, but 95% of my apps that are seen in the “My Apps” section of F-Droid have “Ignored All Updates” because I use Obtainium. However, you should use Obtainium only when you get apps officially from the developer’s website or GitHub (and the like).

I use F-Droid to help myself find new FOSS apps (I’m aware of the website version too, but I like the app more), and there are some apps that only get updates through F-Droid.

If you don’t intend to check updates frequently (let’s say every day), then I don’t see any harm in going with F-Droid. I suggest using the official clients though, for the reason stated here. (PG recommends F-Droid Basic.)

There are also foss apps on Play Store so you don’t have to fully throw it under the bus (if you don’t feel comfortable migrating to somewhere else).

EDIT: Added more input regarding my Obtainium usage in the first paragraph.

2 Likes

They have to build and sign apps themselves to ensure that all the apps meet their inclusion policy and to mark any Anti-Features that the app has.

Another, and the best, way to do this is reproducible builds. This way F-Droid can still ensure that the app meets their inclusion policy, they can mark Anti-Features if needed, and developers can sign the apps themselves.

It’s up to developers to make their apps reproducible on F-Droid. Go blame them for not making their apps reproducible and trusting F-Droid to sign their apps for them, this isn’t F-Droid’s fault.

They also have an excellent track record, and they do everything they can to protect signing keys.

4 Likes
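A worked illustration of the reproducible-build idea from the post above, added here as an example; it is not F-Droid’s own tooling. An APK is a zip file, so the example constructs two stand-in zips (a developer-signed copy and a fresh build from source, both with made-up contents) and compares every entry except the JAR-signature files under META-INF, which are exactly the part that differs between a signed APK and an unsigned rebuild. The function names, the sample entries and the simplification of treating only those META-INF entries as “signature” are assumptions of the example.

```python
import hashlib
import io
import zipfile

# Entries that carry the APK v1 (JAR) signature. They differ between a
# developer-signed APK and an unsigned rebuild of the same source, so a
# reproducibility comparison ignores them. (Assumption of this example:
# the v2/v3 APK Signing Block is not a zip entry, so zipfile never sees it.)
SIGNATURE_ENTRIES = ("META-INF/MANIFEST.MF",)
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name):
    """True for the META-INF files that hold the JAR signature."""
    upper = name.upper()
    return upper in SIGNATURE_ENTRIES or (
        upper.startswith("META-INF/") and upper.endswith(SIGNATURE_SUFFIXES)
    )


def content_digests(apk_bytes):
    """Map every non-signature entry to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_builds(reference_apk, rebuilt_apk):
    """Return the sorted names of entries that differ or exist on only one side."""
    ref = content_digests(reference_apk)
    new = content_digests(rebuilt_apk)
    return [n for n in sorted(set(ref) | set(new)) if ref.get(n) != new.get(n)]


def is_reproducible(reference_apk, rebuilt_apk):
    """A rebuild is reproducible when nothing but the signature differs."""
    return not compare_builds(reference_apk, rebuilt_apk)


def make_apk(entries):
    """Constructed stand-in for an APK: a plain zip built from name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data, not real APK contents.
COMMON = {
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "classes.dex": b"dex\n035\x00constructed-sample-bytecode",
}
DEVELOPER_SIGNED = make_apk({
    **COMMON,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82constructed-pkcs7-blob",
})
FDROID_REBUILD = make_apk(COMMON)
TAMPERED_REBUILD = make_apk({**COMMON, "classes.dex": b"dex\n035\x00something-else"})

if __name__ == "__main__":
    print("rebuild reproducible:", is_reproducible(DEVELOPER_SIGNED, FDROID_REBUILD))
    print("tampered diff:", compare_builds(DEVELOPER_SIGNED, TAMPERED_REBUILD))
```

The point of the check is what the post describes: when a build from source matches the developer’s APK byte for byte outside the signature files, the repository can publish the developer-signed APK and still have verified that the source it inspected is what was shipped. Any entry reported by compare_builds is a reason not to publish.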

F-Droid <=1.16 has targetSdk 25.
F-Droid 1.17 and higher already has targetSdk 28.
F-Droid Basic has targetSdk 33.

It must be noted that this repository contains apps that are not necessarily fully free; they may have proprietary compile-time or runtime dependencies.
And Izzy purposely removes any packages from it once/if they land on the official F-Droid.org repo.

You really should be using the F-Droid client: it verifies the index metadata and downloaded app signatures, and it also properly downloads files across the available mirrors instead of hammering the F-Droid.org main server.

5 Likes

Just checked. F-Droid version is 1.18.0.
I downloaded it from the F-Droid homepage, so I figure it should be the Basic version. :thinking:

I’ll check the wife’s phone as well.
I’ll go over the rest at work.
Thanks guys so far

Oh, I forgot to mention that I use Obtainium, but I don’t use it to install/update apps directly from F-Droid; rather from GitHub, Codeberg, or from their official websites.

I will edit my former statement to give more clarity on that matter. Thanks for pointing that out!

Here is a direct link to the download page for F-Droid Basic: F-Droid Basic | F-Droid - Free and Open Source Android App Repository

For future reference, you can also find this link at the end of the ‘F-Droid’ section (in the highlighted blue box) in the Privacy Guides “Android” page: Android Recommendations: GrapheneOS and DivestOS - Privacy Guides

2 Likes

What about alternative clients like Droid-ify?

1 Like

@bqfls
All the alternative clients have the same issues.

F-Droid.org is pushing 200+TB a month. Please use the mirrors, they exist for a reason.

2 Likes

If you want F-Droid to prosper, I’d say it’s best to go with whatever is the most reasonable thing to do, which is using their original clients. (But ultimately, donating to them matters.)

I used Droid-ify for 4 months, then switched to Neo Store for another 6 months because it seemed to update more frequently. It was because of their features (i.e. target SDKs, background updates, UI, etc.) that I decided to switch from the original clients at the start.

But these past few months I’ve switched back to F-Droid (Basic version), and although it’s lackluster IMO, at least I’m mitigating the potential risks of using other clients at the moment.

EDIT 1: punctuation fixes

EDIT 2: slight words added at the end

LAST EDIT: added donating to f-droid in the first paragraph

2 Likes