Note: I assume many people here are aware of F-Droid. For those like me who are fairly new to discovering it (one of today's lucky 10,000! https://xkcd.com/1053/), I decided to share the site.
I think it looks pretty awesome, personally. I look forward to learning more about it as I de-walled-garden my life.
It's a great resource. With my minimal needs, I don't use any other Android store these days. (I only wish they had enough donations to fund faster builds of new app releases.) A few gems that I have found useful:
Aard 2: Offline dictionary
andOTP, Aegis: 2FA code generation (including Steam, if you have your secrets)
DAVx5, ICSx5: Sync calendar & contacts with standards-supporting servers
Element: End-to-end encrypted chat on the Matrix network
FBReader, Librera PRO: Books
K-9 Mail, FairEmail: Mail
KDE Connect: Phone notifications, SMS, files, remote control, etc. on the linux desktop (not just for KDE Plasma users)
Metrodroid: Read NFC transit card balances
NewPipe: YouTube
Organic Maps, OsmAnd~: Offline navigation (maybe online as well?)
Privacy Browser: Lightweight web browser with a simple dark mode, using the OS WebView for rendering
It's an absolute delight of an app in every way possible. A large number of features for hiking including a clever use of the barometer to run in the background and provide weather warnings, the standard compass/GPS, a TON of tools like flashlight, whistle, bubble level, triangulation without GPS... unfortunately I'm not a hiker so I don't know what to do with half of these, but it's amazing.
The UI of the app is amazing too - simple and material UI, but unobtrusive. The best part? It's 3.14MB (!!!!) in size. (And it's last update was 6 days back, so active development. And of course it's open source.)
Oh btw, the Play Store listing (186 reviews) has an average of 5 stars and no review below 4 stars. Go figure.
In that category, I really have been impressed with osmand+, which uses open streetmap maps and allows you download entire state-wide regions in advance while still providing navigation and waypoint tracking. Very fun and useful for offline GPS needs.
I have used the waypoints feature on numerous occasions when trekking and have found it incredibly helpful for determining my location relative to various points of interest. It really is a fantastic app. The barometer has actually notified me of a rain storm about 30 minutes before some of the first drops fell- i was prepared for rain in the forecast that day, but it was still remarkable to see the app in action.
Fennec: Firefox (allows custom add-on collections so I can use Vimium)
KeyMapper: HW key and button remapping
Open Link With: open links with alternative apps
RedReader: Reddit client
mupdf: PDF viewer
Shattered Pixel Dungeon: roguelike
Something I am still looking for: folder-based music player with a seek UI that works well for long audio files (for example fine-seeking in a 4 hour long mp3)
> Something I am still looking for: folder-based music player with a seek UI that works well for long audio files (for example fine-seeking in a 4 hour long mp3)
I've been using "Smart AudioBook Player" by Alex Software (available via the play store). I particularly like the sleep timer, ability to change playback speed and the fact it seems to cope with extremely long audio files without having any problems.
I use Termux more, but it would be 2nd most used F-Droid app. It's a painless why to make files on your device available to anything with a Web Browser.
Currently using it with the built-in keyboard of the Unihertz Titan Pocket. Also used it with the regular Titan, the Fxtec Pro1 and the Blackberry Key2. All of these devices have proper hardware keyboards.
On the Vimium side most functionality works the same as on desktop. Tab switching using Vomnibar.activateTabSelection and Vimium's search are the exceptions. You can of course still switch tabs and search the normal Firefox way.
KDE Connect is a killer app. I am able to use my phone as a mouse and keyboard wirelessly over wifi when my laptop is plugged into the TV and the latency is low!
OsmAnd~ is spectacularly good. If you spend a lot of time hiking, biking or just traveling outside, i also recommend Trail Sense (compass and a bunch of other things), Forecastie (weather, including wind speed) and BRouter (offline routing if you need a route but don't have signal).
QuickDic is also very useful if you are traveling to areas where you don't speak the language. Offline dictionaries with very quick lookup. It's worth installing AnkiDroid too, if you do spaced repetition for language learning.
I use KOReader for PDFs, but it's not great. Are FBReader or Librera any better?
Simon Tatham's Puzzles are a fun little distraction.
I want to love OsmAnd~ but the ux and search features are spectacularly terrible.
I was recently in Pomona, and searched for a Walgreens. The first result was for Livermore, with the next couple results being 100-200 miles away. 4th or 5th on the list was a store in Ontario, and the rest were 30+ miles away. I discovered there was a store in Pomona while driving to the store in Ontario.
For UX, several months ago my phone decided to display pot leaf icons for all the pot stores in Seattle. This only happens in Seattle, and I've spent at least 30 minutes searching through the app trying to figure out how to toggle off the pot stores. Mind you the pot stores stay up even along side the results for more recent searches.
OSMAnd search is awful. For everything else it's pretty good! However, in years past it failed spectacularly: instead of navigating straight through an intersection, it requested I turn right, immediately u-turn, then turn right again. Laughable glitch.
I use it all the time for bicycle route planning with elevation considerations.
The fun part of OSM is that if you find a glitch like that (likely in the map itself), you can fix it yourself. There was an intersection near me where you could physically not turn left, but it wasn't recorded in the map. It was like a few minutes to fix that once for all.
> OSMAnd search is awful. For everything else it's pretty good!
I stopped using Open Street Maps because it won't turn off! I close the app, I close the notifications, but the damn thing keeps playing loud audio telling me directions when I've long since left the car and the phone is in my pocket.
Of course the inability to exit an app without restarting the phone is a failure of the OS itself, but OSM is the only app that this happens with. What am I doing wrong? How does one exit OSM?
Fun story, driving through Croatia toward Split Google Maps kept telling me the main freeway was closed and to take each and every exit. Someone is maliciously reporting roads closed. Obviously the same could happen to OSM, but there isn't the same 'no way to fix it until Google decides to fix it'.
Similarly when I was in Bangkok wandering around, Google wanted to cross the train tracks at a road that tripled the walking distance to the destination. In reality it was possible to cross the train tracks (i.e an actual crossing, not just anywhere). Worse it was much more dangerous to walk the Google route.
Fixing it on OSM was easy. Fixing it on Google was a pain because it had to be submitted and checked and approved (which it eventually was).
There are definitely places where OSM is far outstripping Google maps. Especially when it comes to non-roads.
As far as I know, Waze has their own map data, and is a subsidiary of Google.
Their Wikipedia page mentions that
> Waze continuously insisted to crowdsource data without using external sources or projects like OpenStreetMap that would restrict commercialization of the Waze map data.
> I use KOReader for PDFs, but it's not great. Are FBReader or Librera any better?
I think I've only tried PDFs once on each of these apps, and that was so long ago that the PDF experience could easily have changed since then. (I mainly use them for ePUB books.) Perhaps someone else can answer?
+1 for Document Viewer. I use it to read books, it's the only FOSS reader I've found that comes close to my favorite (proprietary) app, Moon+. It checks the boxes for the features I need.
It's worth noting that Aurora is basically just anonymized wrapper around the Google Play store, it's not actually a separate app store. F-Droid is a wholly separate thing.
+1 for the Aurora store. In spite of being tied to the Google Play Store, Aurora is the only option I was able to find, via which to obtain latest versions of apps in a different country than the Google account, and maintain them via seamless updating process. While traveling, this is a must have option, as Google does not allow changing the "country of origin" of account more than once a year.
> apps in a different country than the Google account
I dont think thats true. I just searched Aurora Store with "ITV Hub", as its only available in GB, and I got no results, I am in US. Even if I manually go to the app page in Aurora Store, if I try to install, it says "Download Failed App not supported".
Using the anonymized login function, you're limited to free ones only. You have to login with your Google account to be able to download apps you've bought.
Although I think that doesn't work for all apps, since apparently some require the genuine thing to register / activate and won't work with microG. No personal experience, just read that somewhere once.
Personally, I only use a single paid app through Aurora Store (Sun Locator Pro for my photography needs) and have only done that for two days now. Google hasn't banned my mint fresh account. Yet. ;)
I've been running Lineage OS without any Google Play Services and it's been pretty rough. A lot of apps from various APK mirrors just straight up don't work, even when they seem like they shouldn't be affected at alll.
F-Droid has been a great source for apps, especially when I'm seeking a particular need without a specific app in mind. Most recently that's been wanting a file browser and a PDF reader. The open-source focus is a nice bonus, but more importantly I consider its stability to be the best of all Play Store alternatives I've tried.
CalyxOS with MicroG is great - it all basically works, except for NFC payments and most Chromecasting. But MicroG does still provide some exposure to the Google ecosystem, so if your goal is to wholly sever then it won't be what people want. For people like me who just want a "best effort" reduction in tracking and telemetry, it's been great.
neither of the two are great. MicroG stands in conflict with Android's security model by spoofing Google app signatures and being a deeply privileged app compromising the whole system's security.
CalyX has is constantly harassing and bullying other privacy-focused projects, causing incredible harm to the privacy and security community. It also has been missing updates for 4 months recently, making it a terrible choice for anyone.
> Wait, on their FAQ page I see that they don't want to include the patch for security reasons. Is this ROM unsafe?
> No. LineageOS' developers decided not to include this patch for various reasons.
The signature spoofing could be an unsafe feature only if the user blindly gives any permission to any app, as this permission can't be obtained automatically by the apps.
Moreover, to further strengthen the security of our ROM, we modified the signature spoofing permission so that only system privileged apps can obtain it, and no security threat is posed to our users.
Security is an afterthought for most Android distributions and most software built around them. I went from years of self building AOSP and LineageOS, and after a long hard look at why I was doing it, I stopped and installed GrapheneOS.
While it's an extremely opinionated project and borderline hostile, I trust the developers to do things correctly and will continue to use and recommend for security-conscious individuals.
I wish Pixel devices were easy to acquire in my country or I would have considered this. I was actually looking at it yesterday for my girlfriend's new phone.
> CalyX has is constantly harassing and bullying other privacy-focused projects, causing incredible harm to the privacy and security community. It also has been missing updates for 4 months recently, making it a terrible choice for anyone.
You actively harass and bully by not providing any sources for your claims. That's bad for an open, fact-based discussion and is opposed to how I percept the community. What are your claims based on? Can you provide any sources?
As far as I know, CalyxOS tries to maintain a quite neutral temper:
https://www.reddit.com/r/CalyxOS/comments/pmguwi/grapheneos_...
> Made the permission signature|privileged so only system apps signed with the right key, or privileged system apps with an explicit allowlist for this permission can use it.
> Hardcoded the signature to be spoofed instead of letting the application specify it.
> Only allowed the microG packages, GmsCore and Store to spoof signature. Both of these are included as system apps on CalyxOS so simply checking against the package name is enough.
That doesn't sound like that much of a risk to me. Esentially, it's a tradeoff between privacy and usability that microG tries to solve/soften. For example, it came in handy, when standalone Open-Source implementations of Google's contact tracing approach weren't available yet. microG quickly implemented it so official apps worked.
Check out GrapheneOS.org. You can optionally install a sandboxed Google Play services. I want CalyxOS to survive, but they are falling behind security updates.
Stock OS ships security updates on the latest major version. It means that you can only get a given patch level on the same version for a given device. CalyxOS wasn't rebased on Android 12 until fairly recently. As of January 2022 (prior to the Android 12 release), their vendor patch level was 2021-10-01 which means that at the time the OS was roughly behind 3 months in updates.
They were also shipping an outdated version of Chromium (v94) during the same period (this is important since Chromium distributions for both CalyxOS/GrapheneOS are updated through OS updates - and Chromium is whitelisted by the OS to provide the WebView, even if you happen to use another browser). Considering their userbase is privacy/security-conscious, I think they should've been aware they were more vulnerable than stock OS for a while.
Looking at their source code it's also evident CalyxOS is increasingly relying on the LineageOS codebase. Not that it's a bad thing (LineageOS has its own goals but they're not necessarily aligned with security-focused projects), but it's worth noting.
I'm on it as well. A trick I found for getting around casting devices not showing up, at least in the cast of spotify casting devices a couple weeks back for me, was to install the app ControlDLNA from f-droid. Opened it once on the network and magically the casting options appeared and worked perfectly.
as another poster mentioned, microg is the way to go on lineage. add in the aurora play store client (package available in fdroid), and you're able to install/run the majority of apps found on the play store
the biggest issue with this setup is that you need to manually install a location provider (like mozilla location service) for microg from f-droid, and importantly, adjust app permissions to allow the location provider to always run in the background. if you don't have the location provider installed and allowed to run in the background, a lot of apps like lyft, lime, uber, gig, etc will misbehave
agreed. most people dont know, but you can install Signal as an APK from their website (although they throw in a healthy dose of fear mongering with it.)
Anyone can create their own F-Droid repo. I added Bromite's[0], for example. I strongly support this type of federation because it gives users control over these sorts of issues.
Fascism isn't politics, it's violence, and gab is a violent platform that supports and encourages as much violence as plausible deniability let's them get away with.
I can't imagine hate speech that's not nasty, but not every nasty text is hate speech. Circling back to the topic at hand, Reddit and image boards, for examples, can be quite nasty. Yet F-Droid hosts apps that's sole purpose is to access these platforms. So, and I'm referring my original parent comment, being nasty is not a problem. Hate speech is the problem.
But how would we know what is hate speech and what is just nasty? Do we just ask you every time? This issue comes up? Surely everyone has his own defintion of what should be banned and what shouldn't be? What makes your definition more important than other people's definition?
That's a good question! Hate speech as such is also a legal issue[0]. So if you host a platform, you need to comply with the different laws. I think that takes precedence over the different people's definitions. Other than that, I think hosts are entitled to vet their guests for non-protected characteristics, and for one, a group of your users speaking out against another group of your users might not be something you'd like to host. But that's entirely up to the platform's providers, some mind it more than others.
These kind of statements push moderate people towards real fascism. I don't know if that's your goal or if you're exceptionally naive but I don't think it's what people want on this site.
This is only the default repo that they run. Anyone can make a repo and anyone can add it.
My peertube client android app[1] has a default peertube instance that I run. My peertube instance which is the default in the app follows very few other servers because I don't want my app to be kicked out of the play store although also available on f-droid. So in essence I am censoring that instance, however you can easily switch to any other peertube server.
FLOSS is only political in the sense that it's not. For example, given freedom 0, you may use the software at an abortion clinic. No matter what the author thinks of abortion.
It's weird and arbitrary to ban Gab, but not TorServices and related Tor apps.
It's kept termux alive, and therefore android has stayed relevant for me. If I can't have jupyter notebooks on my phone then I don't really need a smartphone.
Although I'd like to applaud any alternative to Google Play the approach F-Droid pursues does not fit a serious security model. F-Droid builds are custom signed and can be made by random parties without proper auditing after initial review.
Also, it is stuck on old APIs and won't allow the use of Android's new unattended update feature (UPDATE_PACKAGES_WITHOUT_USER_ACTION) and requires intrusive privileged system access to do that.
A more serious flaw opposing the Android security model is the fact that an app store is supposed to feed from a single repository which F-Droid does not adhere to.
Also, often these repos are poorly maintained, rarely updated and often conflict with Play Store packages because they use identical app ids.
All they care about is to be free from "evil proprietary components" which comes at a great cost of security and inescapably privacy.
It's just not a good choice for these and additional reasons such as building a ton of their apps unattendedly on a potentially malicious server.
> F-Droid builds are custom signed and can be made by random parties without proper auditing after initial review.
F-Droid follows a similar model to traditional linux package managers which has shown time anda gain the they are both trustworthy and secure (or at least, they offer the user the freedom to choose the level of trust they have in the package signers).
When installing from a Debian repo, I'm typically installing a package that is not build/signed by the upstream developer. I am implicitly (in the case of a default install) trusting the Debian developers signing practices or explicitly (if you add a third party repo). This means you trust both those in charge of the building/packaging/signing as well as the upstream developers. The same is true of F-Droid.
Of course, the notable exception is that F-Droid also supports upstream packages signed by the developer if the builds are verifiably reproducible.
There is a difference in your Linux desktop workstation and your most private device. Desktop systems are not nearly as secure and should not be seen as such, and Linux surely at the tail end.
People using F-Droid might not be aware that they are trusting a third party as they think it is a trusted distribution channel, relying on the information stated on the client app or website.
What? A smart phone is just a computer—they are the same thing. Everything from private chats to TOTP tokens are on both my phone and my laptop. The only difference is my bank cries if I’m rooted on my phone and says nothing about it on my laptop.
A smartphone is a computer that is more involved in your private activities. For example, a phone is likely to be on your body when you move around the city and talk to other people so it is exposed to more private information about you than a stationary desktop will be.
So don't keep location services on and don't give microphone/camera permissions to apps you don't trust?
You'll very likely have much more personal data (personal emails, tax returns, banking data, etc) on your PC than on a phone that's just got a few social media apps on it.
Right, it's in your pocket while you are having private conversations, it's on the bedside table while you're... well, in bed. Surely this gets the point across. You probably don't ever want to be running some malicious actor's software on it.
You haven’t met me but my laptop basically goes everywhere with me and has for the last dozen years. It also has cameras and mics I have to deal with. And with 5G coming to laptops and how to get those speeds the signals have to target your device, we will always be tracked as long as we touch cell networks... just as you can being on WiFi or having an IP address. I don't feel my phone is closer to me in any way.
not to disagree, but imo the main point here is that almost everybody has a smartphone but only a minority has a desktop computer, so it makes sense to care mostly about the phone thingy.
Surely a desktop running a well respected Linux distribution is much more secure than any smartphone. It will be locked for much of the day, possibly with disk encryption. There are few services (any?) exposed to the network. The software can be all open source, both OS and applications. The only weakness would be the web browser, and there are web browsers used on smartphones.
I wish this were true but the reality is that with the exceptions of QubesOS and ChromiumOS, desktop linux distros grant any process trivial access to elevate to root as there is no sandboxing model. Any process can alias your sudo command to steal your password, or run privileged docker commands, etc. It gets worse when you introduce snaps, appimages, and flatpaks usually uploaded, usually unsigned, by randos. This download-random-exes style model is becoming default and encouraged by distros like Ubuntu.
Windows is still a joke security wise but MacOS at least has some mediocre sandboxing nor offering defense suitable for casual visual media focused end users though you need Brew to do anything useful as a developer which throws supply chain security out the window. Personally though no one could ever pay me enough to MacOS even if they did have a useful secure package manager and good sandboxing as I value freedom and privacy in addition to security.
AOSP on the other hand substantial hardening and sandboxing isolating apps from each other somewhat like running every app in a docker container. Combine this with the admittedly small collection of dual signed reproducibly built apps on F-Droid and this is as good as it gets in open source end user friendly secure computing.
Well... almost. Trouble is you can not find an Android device hat does not ship with nasty highly privileged spyware and proprietary kernel modules allowing cell carriers, chipset makers, and the governments they obey to track you and have varying levels of access to your device if they really want it.
IMO QubesOS is the only halfway decent general purpose OS in terms of security and privacy you can use today and in the end there is just no good mobile solution that meets my privacy, security, and freedom needs so I just opt to not have a phone at all for now.
>desktop linux distros grant any process trivial access to elevate to root as there is no sandboxing model.
That "trivial" access would have to be an actual exploit. The software in a typical Linux system is not actively attacking the user as the proprietary software in a typical smartphone is. The need for sandboxing is much less.
Last I heard Android mostly depended on the Unix security model as implemented by Linux for isolation where each program was run as a separate user. The same sort of local privilege escalation exploits would work on Android as well. Things like Docker containers are susceptible to those sorts of exploits as well. You need actual virtualisation to have any sort of defence against that sort of exploit. That what Qubes does.
Theres a lot more to the android app sandbox than just running processes as seperate users. Theoretically something similar could be implemented in some other 'typical linux system'. It would be a huge undertaking.
If you are thinking about security need to consider not only malicious apps, but possible attack vectors opened up by any application.
This paper is a couple of years old, it explains how it all works on Android https://arxiv.org/abs/1904.05572
Most modern flatpaks under wayland are quite well sandboxed. They'll only have access to manually selected folder, can't access other windows (not even the way accessibility services on android can) and their process and network namespaces are limited as well.
In practice, not really IMO. Both Android & iOS also supports disk encryption and are also locked for most of the day. I don't know why you say "few services exposed to the network" for Linux when virtually every installed package has unfettered access to the internet (unless you're wrapping it with something like Docker or manually setting up your own network namespaces). Android and its apps can be run 100% open source as well.
On the other hand, there are two big security advances prevalent on mobile but rare on Linux and other desktop operating systems:
- device integrity attestation (ie. the system can tell if you've modified your device in non-standard ways)
Linux does actually have nascent and partial efforts on both fronts (eg. Flatpak, Snap, Secure Boot support) but even then they're usually not popular or easy to use.
>Both Android & iOS also supports disk encryption and are also locked for most of the day.
That lock does not delete the secret key material from the phone. That is how things like the Cellebrite forensics box can still crack phones. An encrypted desktop stores the secret key material in the user's head. Such a system is for all practical purposes unbreakable when it is shut off. The security comes from usage. It is impossible to create a system that is easily available to a user that is not also somewhat available to an attacker.
An open source program maintained in the open by the users of that program is going to be safer than a hostile proprietary program kept in the sandbox of Flatpak, Snap or whatever.
While its likely Cellebrite make use of some known (and possibly some unknown) exploits to bypass the screen lock on some phone models and get at user data, sometimes they require the device to be unlocked and doubtlessly make use of adb to pull out user data.
Encryption on Android devices has changed over the last few years, introducing the possibility for File Based Encryption FBE, later making in mandatory.
File based encryption enables apps to use keys to encrypt their data that are flushed when the screen is locked. Many security concerned apps like password managers and OTP apps make use of this.
If you feel the need you can use 'multiple users' to create an extra user or use a work profile (Island, Shelter, Insular) to keep sensitive apps and data. These have seperate encryption keys that are flushed upon switching off the work profile or restarting the phone (for multi user). You can still use the main user on the phone with the work profile/multi user encryption keys not held in memory.
Disappointing to hear that mobile disk encryption is subpar, I have heard of stuff like Cellebrite but didn't know much about it.
> An open source program maintained in the open by the users of that program is going to be safer than a hostile proprietary program kept in the sandbox of Flatpak, Snap or whatever.
The number of users who have the motivation (let alone skill) to maintain their programs is approximately zero. This is how you get vulnerabilities like the log4j ones that have almost unlimited exposure to the whole machine. This is how you get malware from npm packages. OSS works as long as lots of people are constantly paying close attention, but that's a tall order for the majority of OSS. "Just use a massive OSS project" isn't even feasible in many real use cases. So no, I don't think it's safer.
I think iOS devices are much more secure than a Linux desktop.
Any iOS device that has not been registered with Apple for use on a dev team or rooted can run only built-in apps and ones instslled from the iOS Store.
That means it can only run apps explicitly approved by Apple.
Sure, Safari has had some zero days, as has iOS generally, but as Heartbleed, Shellshock, and Log4Shell have shown, open source is not magical fairy dust that makes things secure.
Overall, my bet's on the team at Apple being better at securing their systems than the random collection of individuals and overworked maintainers that have assembled the parts in a modern Linux desktop.
> Any iOS device that has not been registered with Apple for use on a dev team or rooted can run only built-in apps and ones instslled from the iOS Store.
Can't you run any app you want if you install it through XCode for up to 7 days, even without registering as developer?
I thought that's how several of the unofficial iOS AppStores for apps that break the rules of the regular sandbox work
I've never heard of this ability. Do you have a link describing it?
I've been maintaining an iOS app generation framework at $DAYJOB, and I've never found a way to run Xcode builds on physical devices short of actually registering the device with Apple for that purpose.
If there's a way to work around it, I'd be shocked and delighted.
I believe I was thinking of https://github.com/rileytestut/AltStore, but I’m not sure if that’s the exact project (I don’t use iOS, so I don’t keep all of the details in mind)
Quoting their FAQ:
Why do you need my Apple ID?
Apple allows anyone with an Apple ID to install apps they’ve built themselves onto their devices for testing. AltStore uses your Apple ID to communicate with Apple's servers on your behalf and perform the necessary steps to prepare your account for installing apps onto your device.
Why does it say my apps will expire in 7 days?
Unfortunately, apps that have been installed using non-developer Apple IDs (in other words, Apple IDs not tied to a $99/year Apple developer account) are only valid for 7 days, at which point they will no longer open. To compensate for this, AltStore will periodically attempt to refresh your apps in the background, and you can always manually refresh your apps from within AltStore.
In order to get started with F-Droid you have to jump through several hoops with strong warnings from Android about allowing third party apps to install applications.
Here's the exact text of the warning:
> Your phone and personal data are more vulnerable to attack by unknown apps. By installing apps from this source, you agree that you are responsible for any damage to your phone or loss of data that may result from their use.
Do you have a citation for your claims about the Android security model?
The only things I can find about app stores in the paper by Google[0] run directly counter to your idea:
> Android explicitly supports installation of apps from arbitrary sources, which led to the development
of different app stores and the existence of apps outside of Google Play.
And this:
> Both users and developers are part of an open ecosystem that is not
limited to a single application store. Central vetting of developers or registration of users is not
required.
And as far as signing goes:
> In order to ensure that it is the app developer and not another party that is consenting, applications
are signed by the developer. This prevents third parties — including the app store — from replacing
or removing code or resources in order to change the app’s intended behavior
You misunderstood what they said. Indeed, Android can have multiple app repositories and this is an integral part of its security model design.
However, for the security model to be respected, each app repository should represent a single source. The device and user management APIs expect that in Android. F-Droid fundamentally bypasses the trust boundaries in that regard by allowing multiple repositories to coexist within a single client.
Not to mention it also results in a terrible UX given that the application IDs are often reused but signed by another party.
> However, for the security model to be respected, each app repository should represent a single source. The device and user management APIs expect that in Android.
This is exactly the point that I was questioning, so it sounds like I understood their point just fine. Do you have a citation for this assertion?
The paper from Google doesn't even mention a repository as a concept.
Here's what it does say:
> Untrusted code is executed on the device. One fundamental difference to other mobile operating
systems is that Android intentionally allows (with explicit consent by end users) installation of
application (A) code from arbitrary sources, and does not enforce vetting of apps by a central
instance.
The Android security model is based on the idea that you can install arbitrary APKs from literally anywhere. If I download an APK through Chrome and install it, I might turn around and download another APK from a different website. If anything, Chrome is more arbitrary in its sourcing of APKs. How does F-Droid break the security model but Chrome doesn't? Alternatively, how does Google allow Chrome to break its own security model?
And again, what is your source for your claim? I'm reading the actual document from Google, and it appears to say exactly the opposite of what you're saying.
This paper is not exhaustive and there is further documentation on the APIs in question on the Android official website. You can easily guess the problem involved with the security model when the OS expects an app repository to represent a source of trust, but the app in question decides otherwise.
Chromium is a particular case, but is still equally considered an untrusted source unless explicitly allowed. Of course, the security model takes into account that apps can be installed from anywhere. That's why they're signed and they're running in their own restricted sandbox.
> You can easily guess the problem involved with the security model when the OS expects an app repository to represent a source of trust, but the app in question decides otherwise.
No, I can't, because as far as I can tell there is no OS-level concept of an app repository. Where are you getting this from? Can you link to the APIs that have this concept documented?
> Of course, the security model takes into account that apps can be installed from anywhere. That's why they're signed and they're running in their own restricted sandbox.
Right. They planned that in. They spelled it out explicitly. Untrusted code from arbitrary sources is allowed if the user opts in. It's not a violation of the security model, it's a particular case that was specifically planned for.
Any regular app can be considered an installer. Such APIs like the one controlled by requireUserAction which allows seamless app updates since Android 12 are declared in the app in question, and can even allow apps to update seamlessly.
The management features, again, expect the app to represent a single source. F-Droid deliberately chooses to manage multiple sources that can also be added by the user within the same app, thus bypassing these features. That's the way they work and again, this paper is not exhaustive and is not in contradiction to anything that has been said (quite the opposite).
You still haven't explained where it is specified that the OS cares about number of "sources". I have cited the original document explaining the Android security model. I have given you the specific paragraphs that show why I think the way that I do.
In return, you suggest that the documentation is out there, but you give no specific pages that I can read. My attempts to find them on my own or through your blog post have been fruitless. Given that the idea that you're putting forward runs directly contrary to the paper that Google published and is contradicted by the behavior of Google's web browser, the burden of proof is now on you. I need your source. Please provide a link to where you arrived at your idea.
You're welcome to search for mentions of sources and app stores, and to browse the references.
Again, the paper is not in contradiction, you misread it. Not to mention, as explained in the original comment you were responding to, F-Droid weakens the security model for various other reasons.
The links you provide say nothing except something I already knew: there is a setting that tells Android to allow installing apps from unknown sources. Which proves... nothing at all.
It's obvious you're convinced you're right, but since you're unable to produce evidence it seems we are at an impasse. I'm done here.
Once again, these management features don't expect an app to bypass the trust boundaries by allowing the user to arbitrarily add repositories. There is a to-be-exposed toggle that allows user profiles to install apps from trusted sources. It wouldn't work with the way F-Droid works. I can't explain more than that.
You have been provided with evidences, but you've been arguing in bad faith since your first comment by misinterpreting the paper. The security model also expects you to download apps from trusted sources because the signature verification is only enforced for app updates, that's a trust-on-first-use model. That notion exists within Android, and you have been given examples.
> In order to ensure that it is the app developer and not another party that is consenting, applications
are signed by the developer.
Back to the original question; it is clearly explained why.
This sounds like the traditional Linux packaging model: one repo with software built by distro maintainers, additional repos added by the user with software built by whoever. I don't see any problems with it
The Android security model strictly forbids it. This should be enough of a problem as it is the very foundation to establish security for the system's user.
I don't know enough about the Android security model to evaluate what you're saying. What parts of the Android security model does F-Droid violate? Is there a spec or description of the Android security model anywhere that I can read?
There's a paper by several Google employees describing it. I haven't read it, just skimmed and searched keywords, but near as I can tell it doesn't mention anything like what the OP thinks it does:
I don't understand the definition of 'repository' here:
> A more serious flaw opposing the Android security model is the fact that an app store is supposed to feed from a single repository which F-Droid does not adhere to.
Also, where is this documented? I read through several security pages (e.g. https://source.android.com/security/overview) and can't find any reference to a 'repository' or the idea that F-Droid is not secure because it aggregates apps from many sources. I think I'm misunderstanding your point entirely...any links to more detail would be very interesting to me.
That may be true if you are sideloading F-Droid. Our security model focus is based on integrating F-Droid into the ROM, like with CalyxOS. This method is proven to provide better security than Google Play devices, since by default, all apps are open source and reviewed by humans. For example https://f-droid.org/2020/03/04/f-droid-is-a-key-source-for-a...
I've had F-droid for a while. There are pros and cons.
Pros: looking for a simple app? you'll find it ad-free and functional, no need to search long and hard and deal with signups, ads, and premium trial like apps from Play Store.
Cons: lack of updates. many things like signal (for whatever reason) are just not updated. I ended up downloading signal on Aurora (Minimal Play store) because it kept, rightfully, complaining about being on an old version, despite being the most up-to-date version on f-droid.
A couple other pros and cons but those stuck with me. In the end a good companion to a play store install, in my case.
Well, I tried to install 'yalp' using F-Droid, but the 'install' button just doesn't do anything. No warning or error reported either. Somewhat underwhelming experience.
What do you even use your phone for nowadays? I barely have any apps in them. I just use Twitch, Youtube, browsers (for Hackernews) and Reddit. All of which is big enough that they are prolly the overlords in said walled-garden. Are there any niche apps that is _very_ useful and yet _very_ obscure?
The UX is good enough that my five year old can use it (with a little help to read the rarer, worried quests).
Seriously, check it out. It took contributing to OSM from "painful thing I do occasionally from a sense of duty" to "fun hobby I look forward to doing and sharing with my kids."
I think it looks pretty awesome, personally. I look forward to learning more about it as I de-walled-garden my life.