Proposal to change the preferred order of installing apps on Android.
1. GrapheneOS App Store
Barely has any apps but is preinstalled on GrapheneOS and the most secure way to obtain the few apps on that store.
2. F-Droid
Most of the security issues addressed in this article have either been fixed or can be mitigated by using third-party repos like IzzyOnDroid and using F-Droid Basic (smaller attack surface and newer SDK).
Advantages over Obtainium: Curation, apps are signed and scanned (on the official and IzzyOnDroid repos)
Advantages over Google Play Store: Developers often release libre versions of apps on F-Droid that don’t depend on Google Play Services, no account required, doesn’t depend on Google
3. Obtainium (for apps not on F-Droid)
Add a note that users should verify all their apps installed from Obtainium, possibly using AppVerifier.
4. Aurora Store (as last resort)
Relies on the Google Play Store which is what many of us are trying to avoid. We shouldn’t be recommending Google Play versions of apps over the F-Droid versions especially if the F-Droid versions remove Google Play Services.
Somebody correct me if I’m wrong but I remember there were security issues concerning how f-droid builds and signs apps. I thought they used a severely outdated version of Debian as their building environment, and sometimes app devs are forced to incorporate outdated/insecure toolchains into their apps specifically for f-droid because of how fd’s building process works. I don’t remember the specific issue but something about the way keys for signing apps are done also opened up a security risk iirc.
Full disclosure, I don’t know a ton about app development, I’m just relaying what I’ve heard from being involved with grapheneos discussion spaces
My best guess is that you’re referring to the following:
Unlike other repositories, F-Droid signs all the apps in the main repository with its own signing keys (unique per app) at the exception of the very few reproducible builds. A signature is a mathematical scheme that guarantees the authenticity of the applications you download. Upon the installation of an app, Android pins the signature across the entire OS (including user profiles): that’s what we call a trust-on-first-use model since all subsequent updates of the app must have the corresponding signature to be installed.
Normally, the developer is supposed to sign their own app prior to its upload on a distribution channel, whether that is a website or a traditional repository (or both). You don’t have to trust the source (usually recommended by the developer) except for the first installation: future updates will have their authenticity cryptographically guaranteed. The issue with F-Droid is that all apps are signed by the same party (F-Droid) which is also not the developer. You’re now adding another party you’ll have to trust since you still have to trust the developer anyway, which isn’t ideal: the fewer parties, the better.
I fail to see how making a request with Obtainium would be any more stressful for F-Droid’s servers than doing so using an F-Droid client. I completely missed the linked discussion, but I maintain the below.
If you’re worried about too many people making requests to F-Droid’s servers, Obtainium is actually the solution. Many open source apps have APK releases right on their repository (as in, GitHub, GitLab, Codeberg, etc, not the F-Droid repo). You can (and should) be using Obtainium to download directly from the developer whenever possible.
Could you substantiate this claim? This is the crux of the issue. If F-Droid addressed most of the security concerns, I assume people here would be more open to recommending it so long as there wasn’t a fatal unresolved issue.
Regarding mirror support, this issue on Obtainium’s repository suggests that it does support mirrors. Please correct me if I am wrong or if I have totally misunderstood the issue.
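Added example (not code from the thread, F-Droid, Obtainium or AppVerifier): a small Python model of the trust-on-first-use signature pinning described above, showing why an app first installed with F-Droid's key cannot later be updated with a developer-signed APK, that the pin is shared across user profiles, and what an AppVerifier-style fingerprint comparison checks. The certificates are constructed placeholder byte strings, not real keys.

```python
import hashlib

# Constructed stand-ins for signing certificates (not real keys). Android
# identifies a signer by the SHA-256 digest of the certificate's DER bytes.
DEVELOPER_CERT = b"constructed-developer-cert"
FDROID_CERT = b"constructed-fdroid-cert"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the signing certificate; the value AppVerifier-style tools compare."""
    return hashlib.sha256(cert_der).hexdigest()


class Device:
    """Simplified model of Android's per-package signature pinning.

    The pin is device-wide (shared by all user profiles), as the thread describes,
    and is only released once the package is gone from every profile.
    """

    def __init__(self):
        self.pins = {}          # package name -> pinned signer fingerprint
        self.installed = set()  # (profile, package) pairs

    def install(self, profile: int, package: str, cert_der: bytes) -> bool:
        fp = fingerprint(cert_der)
        pinned = self.pins.get(package)
        if pinned is not None and pinned != fp:
            # Trust-on-first-use: any other signer is refused, so an F-Droid-signed
            # install cannot be updated with the developer-signed APK (or vice versa).
            return False
        self.pins[package] = fp
        self.installed.add((profile, package))
        return True

    def uninstall(self, profile: int, package: str) -> None:
        self.installed.discard((profile, package))
        if not any(p == package for _, p in self.installed):
            self.pins.pop(package, None)


def verify_against_published(cert_der: bytes, published_fp: str) -> bool:
    """Out-of-band check: does the APK's signer match the fingerprint the developer publishes?"""
    return fingerprint(cert_der) == published_fp
```

Real Android additionally lets a developer rotate to a new key through an APK Signature Scheme v3 signing lineage, which this model omits.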
no, no, no!
This is deranged, I assure you.
Any non F-Droid client does not handle mirrors correctly or at all.
Any non F-Droid client does not handle delta index updates or localized metadata correctly or at all.
If you want apps from F-Droid, you need to use the F-Droid official client.
Getting apps from sources is fine, but you must check them, many times the F-Droid variant is the only truly FOSS variant, and the GitHub one may contain proprietary blobs or more trackers.
Obtainium itself is just a scraper with zero verification or validation mechanisms. It does not support signed metadata like any of the other stores.
I really don’t see how recommending 3rd party F-Droid repos over Obtainium is a good move.
How is a random guy curating the available apps for you better than doing it yourself?
DDOS attacks are only a problem with unofficial clients. This is why PG only recommends F-Droid Basic and not Neo Store or Droid-ify anymore.
APK releases downloaded from Github aren’t usually verified and independently reviewed. You have to verify the app yourself.
As SkewedZeppelin pointed out, getting random APKs from Github repos sets us back a decade in security. It’s not much different from downloading .exe files off websites and installing them.
There are advantages of using Obtainium, primarily faster updates, but some developers host their own F-Droid repos with up-to-date packages. Additionally, IzzyOnDroid delivers reasonably fast updates while reviewing each app for security.
A lot of the stuff in PrivSec’s article might be outdated now.
Sometime last year I moved everything to Accrescent, Obtainium and, for proprietary apps, Aurora Store. However, I’m getting tired of Obtainium errors here and there. I miss the curation of F-Droid and like that they build from source. Accrescent is stalled-out with few apps and needs a notable cash infusion to progress.
I’m feeling inclined to re-balance by reintroducing FDroid Basic for apps that are signed by the dev, are on Izzy, or have their own repo. It is easy to see which FDroid apps are developer signed with App Manager (as well as trackers, permissions and open links). When I last used FDroid the majority of the apps were developer signed.
I haven’t read the whole thread but I don’t see any fixes which address the security issues with F-Droid, only someone who made a case for why they like F-Droid despite those existing issues.
This is in response to the fact PrivSec recommended Droid-ify (and now NeoStore) instead of F-Droid Basic in another article. Nowhere is there any indication that their security concerns have been addressed.
Not to sound rude but unless you accidentally sent the wrong comments, this is looking like a low effort response where you’re not even reading your own sources.
To avoid an unproductive back and forth I’ll acknowledge that there are ways the user can make better use of F-Droid and there are a few good qualities to F-Droid, but none of that seems to negate most of its security issues and most people who use F-Droid will not follow said best practices.
Neither will most people who use Obtainium or any other app store. Most people aren’t going to verify every app they install through Obtainium. More likely they’ll install random APKs and end up installing malware. I’m not saying Obtainium is bad and shouldn’t be recommended, but it’s not much better than F-Droid. It is however less normie-friendly than F-Droid.
F-Droid isn’t any less secure than any Linux package manager yet everyone is fine with that. The current PG page suggests F-Droid is the worst of all the options and should only be used as a last resort when the other options are at best not much better.
F-Droid uses their own signing keys? So does Google Play. Iirc Aurora Store doesn’t verify signed metadata, has retrieved wrong versions of apps, other issues.