Rewrite Obtaining Applications: Recommend F-Droid over Obtainium and the Aurora Store

Clearly not everyone.

The security concerns of F-Droid are valid and, IMO, they do make it the worst option (in terms of security), since a user can’t mitigate most of those issues and the F-Droid team has been quite reluctant over the years to fix them, which also does not inspire much trust in them.


Still, the point is people are fine using Linux and desktops in general.

The trusted party problem
Slow and irregular updates

Use third-party repositories to mitigate these issues.

F-Droid’s ridiculous inclusion policy and its consequences

That doesn’t make it worse than Obtainium.

Low target API level (SDK) for client & apps

F-Droid Basic targets a higher SDK.

Confusing UX

Non-issue.

F-Droid also warns of apps with certain anti-features or privacy issues which no other app store appears to do afaik.

Recommending against F-Droid entirely and telling them to only install apps from the Google Play Store is bad for privacy since readers will just download the Play versions which depend on proprietary Google Play Services while some F-Droid versions of apps don’t.

Still does not mean they wholly approve of Linux’s security.

Does that not negate the use of F-Droid?

Except sometimes, it does leave you with outdated libraries which is a non-issue for Obtainium.

Many apps listed on F-Droid still target a lower SDK.

I would say you are contradicting your own statement.

It doesn’t, because third-party repositories are what make F-Droid a better alternative to Google Play. You’re not confined to Google’s walled garden. This is like saying using Arkenfox user.js negates the use of Firefox.

It’s not a UX issue. It’s a repository issue. Obtainium doesn’t use repositories; it just downloads APKs off different websites.

Good point, maybe the Obtainium section should include more information? As far as I can tell, if you verify your apps, Obtainium would be a much more secure option than F-Droid.

I (and probably most others here) am not fine with the state of desktop Linux security; we very much want it to drastically improve. But we can’t wish those improvements out of thin air, so most of us who care deeply about privacy or freedom simply have to put up with Linux in its current state while trying to spread awareness. This isn’t the same situation on Android, since it’s already a much more secure platform and therefore people will have higher expectations for anything built upon said platform.

Yeah unless we’re missing something I think point #1 needs to be amended or removed. Otherwise it seems like the other 6 points they make are still valid concerns.

Unless I am misunderstanding, the article has a full paragraph that explains the difference.

On the other hand, Play Store now manages the app signing keys too, as Play App Signing is required for app bundles, which are required for new apps since August 2021. These signing keys can be uploaded or automatically generated, and are securely stored by Google Cloud Key Management Service. It should be noted that the developer still has to sign the app with an upload key so that Google can verify its authenticity before signing it with the app signing key. For apps created before August 2021 that may not have opted in to Play App Signing yet, the developer still manages the private key and is responsible for its security, as a compromised private key can allow a third party to sign and distribute malicious code.


Wow, totally missed that. That’s what I get for multitasking while writing replies lol.


For non-technical people, yes, I’d agree. There is a good chance they would just be installing random APKs. I was speaking more on the assumption that we’re thinking in terms of “the average PrivacyGuides regular”, whom I’d trust to be aware of such risks, using audited software regardless of the storefront (or lack thereof), and verifying signatures with AppVerifier on initial install.

This probably wasn’t the best assumption to make on my part, though to my credit the very first line of the description we currently give for Obtainium reads:

Obtainium allows you to download APK installer files from a wide variety of sources, and it is up to you to ensure those sources and apps are legitimate.

That said, I wouldn’t agree that F-Droid is any better in that regard, since if my assumption is false, they would need to download a “random APK” to start using it to begin with - which very well could be malicious for all they know.

Aurora Store does this, with the help of Plexus and Exodus Privacy. Here are some pictures from the pages for Aegis Authenticator and Discord.

I don’t think anyone said this? The current guidelines seem to suggest downloading through the Play Store, Aurora, or getting the app directly from the developers if possible. Perhaps it feels the same to you, but there’s definitely more “wiggle room” in the actual guidelines than “you should never use F-Droid and always use the Play Store”. Additionally, though it is true that the Play Store (and by extension, Aurora Store) versions of apps will sometimes contain proprietary blobs the F-Droid versions do not, from what I’ve seen the non-proprietary versions of these apps are ALSO directly available from the developer when they exist - see Molly as an example.

“Deranged” feels a little harsh, but I’ll give the benefit of the doubt and assume no harm was meant.

This is on me for being too vague - to be clear, I was NOT advocating for using Obtainium to download apps from F-Droid repos - I was implying you could lessen the load on F-Droid servers by not connecting to them at all, by downloading directly from the source.

In regards to checking apps downloaded from the source, again, this is on me - I should have been more explicit about that. It felt implied to me because I’ve been doing it for so long and because of the aforementioned line we currently have:

I’m not particularly knowledgeable about what “signed metadata” entails, am I right to think that if all of the following are true:

  1. The developer is trustworthy.
  2. I have the developer’s signing certificate hash.
  3. The developer’s signing key is secure.
  4. I verify the hash on the APK matches using a trustworthy tool, such as AppVerifier or apksigner.

…then signed metadata doesn’t add anything additional? Or does signed metadata accomplish something else?

What I meant was: since one would only be using third-party repositories, is it much different than using Obtainium at that point?

I did not mean any personal insult, just that I don’t agree with the logic / find it flawed.

Yes, that does help, but I like being extra clear.

This has too few apps, and the developer is refusing to add any more for unknown reasons.

This still requires trusting the source of the public key you’re comparing to, and is too technical for most people.

E.g. the repository list contains both the expected app signature as well as a file hash, and is itself signed and checked against a pinned key or, e.g., a TOFU key.
You can even go further and have the CA, or even the specific key (e.g. certbot has the reuse_key option to renew a single cert for long-term pinning, like other uses of, e.g., TLSA), of the web server of the primary repository pinned too.
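As an added illustration of the signed-metadata layer described in this reply, and of the certificate-hash comparison steps listed earlier in the thread, here is a constructed Go sketch (not code from F-Droid, Obtainium, AppVerifier or any poster): the repository index records each app's expected signer-certificate hash and APK hash, the index is signed with a repository key the client has pinned, and only after that signature checks out are the downloaded APK bytes and the signer certificate the installer extracted from it compared against the entry. The index layout, the Ed25519 key type and the app name `org.example.app` are assumptions; a real index would carry far more fields.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Constructed, simplified stand-in for a signed repository index: per app it
// records the expected signer-certificate hash and the APK file hash.
type AppEntry struct {
	SignerCertSHA256 [32]byte `json:"signer_cert_sha256"`
	APKSHA256        [32]byte `json:"apk_sha256"`
}
type RepoIndex struct {
	Apps map[string]AppEntry `json:"apps"`
}

// SignIndex (repository operator side): sign the exact bytes clients will verify.
func SignIndex(priv ed25519.PrivateKey, idx RepoIndex) (indexJSON, sig []byte) {
	indexJSON, _ = json.Marshal(idx) // map of structs with array fields cannot fail
	return indexJSON, ed25519.Sign(priv, indexJSON)
}

// VerifyDownload (client side): the index is trusted only once its signature
// verifies against the pinned (or TOFU-recorded) repository key; then both the
// APK bytes and the signer certificate must match that app's index entry.
func VerifyDownload(pinned ed25519.PublicKey, indexJSON, sig []byte, app string, apk, signerCert []byte) error {
	if !ed25519.Verify(pinned, indexJSON, sig) {
		return errors.New("index signature does not verify against pinned key")
	}
	var idx RepoIndex
	if err := json.Unmarshal(indexJSON, &idx); err != nil {
		return err
	}
	e, ok := idx.Apps[app]
	if !ok {
		return errors.New("app not listed in index")
	}
	if sha256.Sum256(apk) != e.APKSHA256 {
		return errors.New("apk hash mismatch: file modified or swapped")
	}
	if sha256.Sum256(signerCert) != e.SignerCertSHA256 {
		return errors.New("signer certificate mismatch: not the expected developer key")
	}
	return nil
}
```

The point the sketch makes is that steps 2 to 4 of the earlier list are exactly the two hash comparisons at the end; the signed index is what lets the client obtain those expected hashes from a mirror or CDN without trusting that server, because an index re-signed by anyone other than the pinned key is rejected before any per-app check runs.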

And we use desktop Linux anyways.

And they need to download a “random APK” to start using Obtainium.

They’d be using both the official and third-party repositories and it’s different from Obtainium because of the curation aspect.

Yes, hence saying it “wouldn’t be any better” - the implication is they are equally bad in that regard.

It isn’t very obviously documented, but soupslurpr has said this is because it is too difficult to maintain. I’ve considered forking and trying to maintain the database myself, but I am not yet very knowledgeable in Kotlin or the finer details of Android, so I wouldn’t be able to do anything more complicated than maintaining simple hashes and simple fixes.

It can still be used to compare with other people, or with other versions of an APK (i.e., if the APK is published on a developer-owned website and GitHub, I can compare them to each other to lessen the trust in a single server).

I see, thanks for the explanation!

But they aren’t equally bad in that regard because F-Droid has repositories to install apps from while Obtainium is an app manager for downloading “random APKs”.

Agree to disagree, I suppose. The way I see it, F-Droid repositories are just as “random” to the average person because they are being maintained and recommended by F-Droid, the provider of the original “random APK”. They need to be able to trust F-Droid and the developers of anything they want to download, much like they’d need to trust Obtainium and the developers of anything they want to download.


Much like they’d need to trust Google and the developers of anything they want to download from the Google Play Store even though it’s bundled into the system.


It’s a very basic process relying on badness enumeration (this doesn’t work, by the way), which consists of a few scripts scanning the code for proprietary blobs and known trackers.

Still better than nothing at all.