Hello everyone, I know that on the website it is recommended to use the APK files provided by the developer on github over f-droid for security reasons, but I talked to someone about this topic and they said that it is better to download apps from f-droid because on github the dev can just put anything not in the source code into the APK file on releases, while f-droid builds straight from the source code. I'm quite confused about whether I should get apps from f-droid or use something like obtainium. What do you guys say?
Here you go:
Thank you, but what about the possibility of the developer putting something unrelated to the release into the APK? Is it still better than f-droid in that case?
And that's why it's recommended to only use apps from devs you trust or care about, and not install anything willy-nilly.
I see, thanks. Well, I don't have any apps from untrusted devs, but I think there is still a chance they could get hacked or something like that, or is that overthinking it?
If you use select apps, are intentional about what you install on your device and know what you're doing, then you're fine. Just continue being mindful is all.
Yes, there is always a chance they get targeted and hijacked. Using f-droid will prevent this in only two scenarios, assuming f-droid itself is not hijacked:
- The developer contacts f-droid via a non-hijacked channel, proves their identity, and stops the next update from being delivered.
- The malware used by the hijacker is trivial enough to be detected by the simple scanner f-droid uses.
If it is the second case, virustotal, Google play protect, and other malware scanning/prevention measures will perform similarly or better.
So you can always just depend on play protect, scan apks with virustotal, etc. to get a similar level of scanning as f-droid.
The best way would be to use reproducible apps and then build them yourself to compare with the delivered apks, or use a repo that creates reproducible builds like izzyondroid, and trust they don't get hijacked.
You could also build the apps on your own, and bypass all this. But then you depend on the hijacker not pushing malicious code (like the xz backdoor) into the repo or contributing code that is malicious but accepted by the maintainer.
Secure software delivery is hard.
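The "build it yourself and compare with the delivered apk" step above, as an added example that is not code from this thread or from F-Droid: it assumes both files were built from the same commit and that only the JAR-signature entries under META-INF/ should differ, then reports every ZIP entry that is missing, extra or changed in the delivered APK. (APK v2/v3 signatures live in the APK Signing Block, which is not a ZIP entry, so zipfile skips them on its own.) The sample APKs are constructed inline.

```python
import hashlib
import io
import zipfile

# JAR-signing entries are expected to differ between a developer-signed APK
# and a local build, so they are excluded from the comparison.
SIGNATURE_PREFIX = "META-INF/"
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")

def is_signature_entry(name):
    return name.startswith(SIGNATURE_PREFIX) and name.endswith(SIGNATURE_SUFFIXES)

def entry_digests(apk_bytes):
    """Map each non-signature ZIP entry name to the SHA-256 of its content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_apks(local_build, delivered):
    """Return (only_in_local, only_in_delivered, changed) sorted entry names."""
    a, b = entry_digests(local_build), entry_digests(delivered)
    only_local = sorted(set(a) - set(b))
    only_delivered = sorted(set(b) - set(a))
    changed = sorted(n for n in a.keys() & b.keys() if a[n] != b[n])
    return only_local, only_delivered, changed

def make_apk(entries):
    """Constructed stand-in for an APK: a ZIP with the given name -> bytes entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample: same code in both, but the delivered copy is signed and
# carries a native library that the source build never produced.
LOCAL = make_apk({"classes.dex": b"dex-bytes", "AndroidManifest.xml": b"<manifest/>"})
DELIVERED = make_apk({"classes.dex": b"dex-bytes", "AndroidManifest.xml": b"<manifest/>",
                      "META-INF/CERT.RSA": b"sig", "META-INF/CERT.SF": b"sf",
                      "lib/arm64-v8a/libextra.so": b"not in source"})

if __name__ == "__main__":
    only_local, only_delivered, changed = compare_apks(LOCAL, DELIVERED)
    print("only in local build:", only_local)
    print("only in delivered APK:", only_delivered)  # ['lib/arm64-v8a/libextra.so']
    print("changed entries:", changed)
```

A clean result (three empty lists) is what a reproducible build should give; anything listed under "only in delivered" or "changed" is exactly the kind of content a release-page APK can carry that the repository does not.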
This is the main reason why I use F-Droid.
F-Droid ensures that the .apk 100% corresponds to the source code and that this can be verified.
How do you decide which devs you trust?
For most people this would mean just what their stomach tells them.