F-Droid (FOSS Android App Store)

F-Droid really needs to be reconsidered, so I opened this topic for discussion.

7 Likes

Can you add your counter arguments for why it should be?

Yes. But first, I need to know what exact issues are currently present in F-Droid that leads to PG team not recommending it.

Perhaps check the website before opening a thread

I already saw these non-issues and issues that aren’t present anymore. But I guess I will work with those. Will post a reply with counterarguments after I’m back home.

  1. Low target API level (SDK) for client & apps
  • F-Droid Basic (another client made by F-Droid team) targets latest SDK and supports unattended upgrades without privileged extension. This is coming to the main client too.

  • Apart from things like supporting unattended upgrades and stuff, it doesn’t matter what target SDK does F-Droid client have. If you don’t trust F-Droid and their client, then don’t use it.

Now, regarding apps that use low target API. The thing is it’s just basic OPSec to check if the app isn’t updated and targets low API. If it does, then don’t use it, plain and simple.

  1. The trusted party problem
  • Reproducible builds

  • You aren’t stuck with the main F-Droid repository. You can use the one hosted by the developer and countless other repositories.

  • When you obtain your app directly from the developer you’re 100% trusting the developer to not include anything spooky in the app and the more apps you have the more developers you’re trusting. If you have 20 apps from 20 different developers, then you’re trusting 20 different developers.

You can verify that the app doesn’t have any spookiness included if you reverse engineer it and do it for every single version of it, but good luck with that! Only a few people are capable of that, and even less people would or does it.

Let’s compare that to F-Droid, now you only have to trust F-Droid team with all of your installed apps instead of trusting the developer of every single app.

You might be thinking that I’m dumb because you still have to trust the developer of the app, right? But the thing is that F-Droid builds their apps from source which is a lot less difficult to inspect then reverse engineering APK files, and it’s a lot more risky to include spookiness in your source code.

So it’s up to a user and their threat model if they want to trust F-Droid team or every single developer for every single of their apps.

  1. Slow and irregular updates
  • Reproducible builds, other repositories

  • Slower updates, only have to trust F-Droid team, your apps are 100% open-source and things like FCM are replaced with other solutions, scanning for malware and trackers OR faster updates and you trust developers of all of your apps. Pick your poison.

Edit: Use F-Droid or F-Droid Basic clients. Don’t use Obtainium, etc for obtaining F-Droid apps.

5 Likes

I agree with this.

1 Like

You misunderstood point 1. This about the client itself. Not about apps you can install using it. I would not call that basic opsec. It is quite impossible for a normal user to see this.
Neo Store is only recommended if you really have no other option. It’s definitely not recommend as they way to obtain applications.
Obtainium isan open suggestion discussed in another thread. F-droid basic is in alpha. PG has clear requirements and doesn’t permit alpha kr beta software for obvious reasons.
I highly disagree also about the target SDK not being important. Never versions are more robust and provide better security defaults and permission segregation.

Point 2. If you remove the main repository the app is quite useless. You can just get the apps elsewhere directly from the developers. You do not need the F-droid client. Besides that such advice becomes way to complex and unclear for the general public.
Reengereeing is not solution to this at all, it’s incomprehensive for the general visitor of PG and I am 100% confident that you are not doing so on every apps update. Also you are wrong not having to trust the original developer anymore. You would need to trust both. And so does the developer need to trust fdroid with handling their reputation.

Poimt 3. Replacing FCM is not something you need F-droid for. Besides FCM not being much of an issue at all given it’s contents are end to end encrypted. Pretty sure we picked the right posion here. Updates on F-droid’ repository have been reported to be slow. This is definitely a disadvantage.

No, I didn’t. I talked about the client in the first three points.

For me, it’s basic OPSEC, I always check if the app is maintained and if it’s maintained properly, etc.

Neo Store is recommended as an alternative client because the main one doesn’t support unattended updates and targets low API level.

I just pointed out that Obtainium can be used instead of official F-Droid client for obtaining F-Droid apps.

The latest release of F-Droid Basic isn’t marked as alpha, while the previous two are.

Common sense tells me that it’s not alpha anymore. The other possibility is that these two versions were alpha of alpha? Which doesn’t make any sense at all. Either way the client works perfectly fine and I didn’t experience any issues with it.

If you already trust F-Droid enough to install their clients and use the apps compiled by them, then how does it matter what SDK their client targets? Apart from not supporting unattended updates, etc.

Now let’s talk about F-Droid not enforcing the minimum target SDK on their apps.

GitHub and other sources from which you can obtain apps by using the RSS feed (recommended by PG) or by using Obtainium don’t enforce the minimum target SDK either, so why is F-Droid criticized for this?

I think it’s perfectly valid for F-Droid to support older Android versions and have apps that target a lower SDK. Would you rather these people that come to F-Droid for these old apps that target a low SDK and support older versions of Android go get those apps from some random source? Not everyone can afford a new phone.

By using the RSS method (recommended by PG) or by using Obtainium, users could download apps from a malicious repository, download a 32-bit app on a 64-bit phone, or download an alpha or beta version (I have seen this happen with people getting Brave Browser from GitHub), etc. Heck, there are even some people who think that all the apps on GitHub are open source.

Getting an app that is not maintained or not properly maintained is poor OPSEC.

If you’re a malicious developer or Alphabet Boys forced you to include something spooky in your app, would you do it in an apk that you provide, which would need to be reverse engineered for people to find out this, or include it in the public source code, which is easy to audit and everyone can see it?

You still need to trust the developer, but the risk is a lot smaller, and you mainly have to trust F-Droid instead of 20 developers if you have 20 apps from 20 different developers (one developer including malware in their app is enough; the more developers to trust, the bigger the risk).

F-Droid also scans for malware (and they have caught malware and vulnerabilities in the past) and trackers, and apps from the F-Droid repository don’t have any proprietary code. Last but not least, they have an excellent track record.

I know a lot of apps that use FCM for the Play Store and GitHub versions but use different solutions for notifications for the F-Droid build. I also know some apps that replace Google Maps with OSM in their F-Droid build, etc.

This is a MASSIVE issue. How is having to install Google’s proprietary services to receive notifications not an issue?

Another thing is that while I’m not entirely sure about this part, I think Google can see from which apps you receive notifications, and of course they know when you receive them.

Edit: Use F-Droid or F-Droid Basic clients. Don’t use Obtainium, etc for obtaining F-Droid apps.

4 Likes

Latest F-Droid 1.17 has targetSdk at 28 and F-Droid Basic has targetSdk 33

Other clients should NOT be recommended due to lacking mirror support for downloads, incremental index database downloads, or any metadata localization support.

Use of other clients without mirror support effectively ddos’es f-droid.org and it is negligent to recommend them.
f-droid.org pushed out nearly 186TB in June alone.

There are now over 160 published reproducible author builds: F-Droid: "Our monthly overview of F-Droid apps published wi…" - FLOSS.social

Besides FCM

Encrypted or not, it is a proprietary serivce.

8 Likes

Damn. That’s new to me, thanks for sharing.

Does Obtainium even actually verify F-Droid repo metadata before it goes and downloads apps? Oh, just a basic scraper from the API for available versions?
Great, by recommending it over official F-Droid client it ends up putting users in a worse situation.

This flagrant anti-fdroid sentiment has repeatedly been directly detrimental to the users more than the actual issues are.

5 Likes

If PG team somehow decides to not recommend F-Droid then atleast remove Neo Store recommendation and advice to use one of their official clients.

Didn’t knew that, like I stated above.

That’s true. Everyone just took that article about F-Droid’s issues without any critical thinking. I mean, even PG stopped recommending F-Droid. I was like that too because I relied on PG and other people’s opinions that didn’t recommend F-Droid until I actually started thinking and saw that those issues were non-issues.

3 Likes

I believe both obtainium and fdroid will be better options than RSS Feeds since it’s immensely inconvenient. I don’t think that an average user including me will bother to follow feeds and compare signatures.

For obtainium, I was not really aware of the lack of signature checks. This should be an important consideration.

2 Likes

The top recommendation of PG is the Aurora Store, which is unreliable and clunky, and at the end of the day, apps are coming from Google, and Google could pull the plug at any moment.

Another option is RSS feeds, which are worse than Obtainium and F-Droid, and if you go to RSS feed recommendations to pick an RSS app for Android, their recommendation is only available from the Play Store or Aurora Store. At that point you might aswell get all of your apps from there.

And the good option that has been the gold standard for obtaining FOSS apps for years is not recommended.

That page needs a rewrite.

(Forgot to mention that Neo Store is a recommended client if you want to use F-Droid which is not great as stated by @SkewedZeppelin above. You should be using F-Droid or F-Droid Basic)

1 Like

Signature checks are handled by the OS. But please keep the discussion on obtainium out ot this thread. Let’s keep this on topic.

Well yeah I do not use F-droid at all. Not via obtainium either. Maybe that’s why you do not understand me.

I do not think fdroid is doing bad. I just don’t see any point in including them in the chain of trust. I get applications from the developers of the services I use like signal, proton etc. They can just be directly obtained from the vendor. There is no need for some middleman that should be trusted with the reputation of those vendors nor my endpoint security.

Trusting and using secure standards isn’t the same. Higher SDKs simply minimize risk also for the fact that they cannot be downgraded on update. Android 14 also blocks old target SDKs for security purposes.

Google cannot force a developer to add something spooky to an app. Stop the FUD or add references.

We both know malware scanners are not going to cut this issue. It’s irrelevant to the discussion.

I think we should focus on the discussion of the F-droid reposotory before even considering possible clients for it. Arguments against Neo Store belong in another thread however may valid.

I really don’t see how FCM is much of a threat when using sandboxed play services. It really isn’t much of an issue imho. Closed source doesn’t mean it is bad. But again not really relevant to the discussion as F-droid is not the only place you can get apps without FCM.

1 Like

Everybody has different preferences, opinions, threat models, etc. I don’t see a point in arguing about this anymore.

A higher target SDK does minimize the risk; that’s true. But again, I trust the F-Droid team, and I could give root access to their clients, just like I fully trust GrapheneOS and use their OS. At this point, it is irrelevant to me if their client has a lower target SDK.

When I was writing that post I predicted that someone might mistake alphabet boys (NSA, FBI, etc) with Alphabet company but I still wrote that. I wasn’t talking about Google.

Better than no scanning. It doesn’t hurt. There is also that event where F-Droid caught a vulnerability in Simple Gallery, I think. If they didn’t catch that, vulnerability would still be present today.

You need proprietary Google Play Services on your phone for notifications to work, apps need to have proprietary Google code in them for this to work, and this is a proprietary service.

You’re purely depending on Google and their proprietary services for basic things such as receiving notifications, which is pure madness. They also probably see from what apps you’re receiving notifications and when you receive them.

Good luck receiving notifications with this without FCM: Release Element Android v1.6.5 · element-hq/element-android · GitHub

There are quite some apps that only provide alternatives to FCM, Google Apps, etc in their F-Droid build.