It can mislead people into wrongfully thinking an app is open
Just because it's on GitHub doesn't make it open source.
Source availability does not equal open source.
Then it can mislead people into thinking an app is source available
For me, I am very happy to be using F-Droid Basic over Google Play, Aurora, and Obtanium. The maintainers of F-Droid seem to do an excellent job vetting the apps, flagging issues in apps that are not in keeping with FOSS ideals, and keeping users safe when apps go rogue.
For example, when Simple Mobile Tools got bought by a shady company, F-Droid users were safe, but those with the app from Google / Aurora would have auto-updated to the adware/spyware versions of the apps.
F-Droid having these requirements for software has led to security issues:
For example
In December 2022, the Snikket project published a blog post that addressed the users of their app who downloaded it from F-Droid. It sought to allay any panic from users if they receive a warning from F-Droid "telling them that the app [Snikket] has a vulnerability and that they 'recommend uninstalling immediately'". In a subsequent blog post, Snikket clarified that this warning from F-Droid "wasn't entirely accurate, as the problem wasn't with the Snikket app itself but specifically F-Droid's own build of the app that was using an outdated version of the WebRTC library" (emphasis added).
Indeed, as the first blog post by the Snikket project details, the WebRTC component of Snikket's F-Droid version pulled third-party binaries from Google's Maven repository (which stopped releasing new builds in January 2020), presumably to adhere to the parts of the inclusion policy that forbid the use of "Non-Free" dependencies and build tools. Note that the developer-signed versions of Snikket published on the Play Store were not affected by this issue, for they were built with a modern WebRTC version. Furthermore, the second blog post by Snikket reveals how the older third-party version of WebRTC used for their F-Droid app actually hindered the addition of new improvements to the app from upstream.
Most of the security issues are with the F-Droid repository itself, for which you recommended using third-party repositories in your first post, which takes away the reason you would want to use the official repo, since the third-party repos are not "vetted" by F-Droid.
I would think the main concerns with F-Droid were security issues, which led to it being the last recommended option, and you haven't properly addressed those issues.
Do you have the response from F-Droid?
Thanks for sharing the Snikket example from 2022; I was not aware of that issue. Nevertheless every dev team makes mistakes from time to time and just about every app and app store has security vulnerabilities from time to time. This was apparently an oversight by the F-Droid team from almost three years ago that I presume was dealt with in short order. Do you have more recent examples of security issues?
That was partly my mess: Flag many apps with KnownVuln (!11496) · Merge requests · F-Droid / Data · GitLab
Also no, it isn't fixed. There is some talk here: webrtc - how to proceed? (#2064) · Issues · F-Droid / Data · GitLab
For apps needing WebRTC, F-Droid is currently shipping v129 I think. That is 10 major versions behind.
- v139 latest: Chromium Dash
- v134: GitHub - threema-ch/webrtc-android: WebRTC builds for Android
- v129: https://mvnrepository.com/artifact/im.conversations.webrtc
- v119: iNPUTmice/webrtc-android - Codeberg.org
- v115: GitHub - dbrgn/webrtc-android: Vanilla WebRTC builds for Android, published to Maven Central.
- v107: GitHub - snikket-im/webrtc-android: Vanilla WebRTC builds for Android, published to Maven Central.
Hi,
I'm new to the forum although I'm a long time Privacy Guides website user. I'm also a long time F-Droid user and I always thought it was better than Google Play, security and privacy wise. So this discussion and Privacy Guides' recommendation to avoid F-Droid caught me by surprise.
I understood the problems on F-Droid but I don't know if using Obtainium is much better than it. Is replacing F-Droid with Obtainium worth it, given the lack of a searchable repository of open source mobile apps? Additionally, getting "any" apk directly from the software's Github isn't so secure in my opinion because it is difficult to attest to the use of security best practices just by browsing its Github page.
So, after reading all these comments I'm very confused. What I want to know is: how can I be sure about the security of an app I want to install? Is it even possible?
I personally use Droid-ify mainly for app discovery, and then Obtainium for downloading. This solves the problem about finding apps, while giving direct, faster updates. If an app's source code doesn't have the APK, and F-Droid's repository does, then I update in Droid-ify (like AntennaPod).
As for security, it may just boil down to what you're comfortable with. Like others posted about, AppVerifier has its own database issues, F-Droid doesn't always have the most up-to-date practices for compiling (plus the wait for updates in general). Some apps do have their hashes in the download section of the source code, so you could always compare them directly yourself, but not every app does this.
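The "compare the hashes directly yourself" step from the post above, written out as an added example (not code from the post or from any of the projects named in the thread). It assumes the developer attaches a `sha256sum`-style checksum file to the release; the APK bytes and checksum file here are constructed in a temporary directory so the script runs offline.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse lines in sha256sum output format: '<64 hex chars>  <filename>'.

    Returns {filename: lowercase hex digest}. Blank lines and '#' comments are
    skipped; a malformed digest is an error rather than something to silently
    accept, since a bad checksum file must not look like a passed check.
    """
    sums: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # sha256sum prefixes '*' for binary mode
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed digest line: {line!r}")
        sums[name] = digest.lower()
    return sums


def sha256_of_file(path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large APKs are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_apk(apk_path, sums_text: str) -> bool:
    """True if the APK's SHA-256 matches the entry for its filename in the checksum file.

    A filename missing from the checksum file raises instead of returning False,
    so the caller cannot mistake 'not listed' for 'checked and failed'.
    """
    expected = parse_sha256sums(sums_text)
    name = Path(apk_path).name
    if name not in expected:
        raise KeyError(f"{name} is not listed in the checksum file")
    actual = sha256_of_file(apk_path)
    # compare_digest avoids leaking where the strings diverge via timing
    return hmac.compare_digest(actual, expected[name])


def demo() -> tuple[bool, bool]:
    """Constructed scenario: a placeholder 'APK', its published checksum, then a
    one-byte modification of the download. Returns (result_before, result_after)."""
    with tempfile.TemporaryDirectory() as d:
        apk = Path(d) / "app-release.apk"
        apk.write_bytes(b"PK\x03\x04 constructed placeholder bytes, not a real APK")
        # What the developer would publish next to the release asset (constructed here)
        published_sums = f"{sha256_of_file(apk)}  app-release.apk\n"
        ok_before = verify_apk(apk, published_sums)
        # Simulate a corrupted or altered download: one extra byte
        apk.write_bytes(b"PK\x03\x04 constructed placeholder bytes, not a real APK!")
        ok_after = verify_apk(apk, published_sums)
    return ok_before, ok_after


if __name__ == "__main__":
    before, after = demo()
    print(f"original download verifies: {before}; modified download verifies: {after}")
```

A checksum fetched from the same page as the APK only tells you the file you got is the file the developer uploaded; it does not tell you whether that upload was built from the source you read, which is what reproducible builds and signing-certificate checks (as AppVerifier attempts) address.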
What I meant with the security concerns is whether the app developer is following best practices like keeping dependencies up to date, using some kind of SAST to avoid vulnerabilities in code, hardening the build process etc. I see some people talking about the flawed F-Droid build process, but what guarantees do I have that the app's build process isn't flawed too? On F-Droid we have Reproducible Builds for some apps, which is a step forward, although it's not widely adopted. A bonus for F-Droid is their "anti-feature" analysis that we don't get by getting the app directly from the developer.
Maybe I'm being too paranoid after reading about F-Droid's security issues and probably there isn't any solution for this now. Maybe we need some kind of "security certification" (maybe something from OpenSSF), some integration with Exodus to check for trackers etc... Or maybe it would be too much work for open source developers
PS: I don't know why I got downvoted by @phnx