Something worth noting is that F-Droid is an app to download other apps, but they also maintain a repository of apps. You can use alternative store apps (like Droid-ify) with the F-Droid repository OR you could use the F-Droid app with a different repository (like IzzyOnDroid). You can mix and match to meet your needs.
I use the Droid-ify app with the F-Droid, IzzyOnDroid, microG, NewPipe, and Collabora repositories.
Once you start down this rabbit hole, give Obtainium a look.
I just have the basic f droid app, the layout is awful and confusing. Is there one you suggest?
I think he did suggest droid-ify with fdroid repo: https://github.com/Droid-ify/client
Looks good, I will try it out. You have it in F-droid :)
I’m a big fan of Droid-ify.
I would avoid adding other repositories because you are risking malware and anti features.
F-droid is slow to get updates but it also verifies each app
There is safety there, but you’re just as safe using the developer’s own repository for their apps, like NewPipe, Collabora, or the Guardian Project.
Been using Fdroid to the point where my first boot into a new phone is:
Open chrome > download fdroid > open settings > uninstall/disable every single application I can > open fdroid > install all the relevant apps I require for making my phone useful
I’m just waiting for a small life upgrade in order to be able to support some app developers; it will be money better spent than using the standard google apps.
You might want to consider your next phone to be a pixel+grapheneOS.
Any LineageOS-supported device is enough, I think.
LineageOS isn’t degoogled by default.
What kinda good stuff is on F-Droid that the average user might want?
This list obviously isn’t everything, but there’s a lot available. I kept it pretty broad although there’s a ton of niche and specialized software available too.
OpenTracks - Keep track of how many steps you take throughout the day without a smart watch.
K9Mail - A privacy oriented mail client alternative to the Gmail app.
Diaguard - A diabetes diary app to track your blood sugar.
Drinkable - List a few ingredients and what liquor you have at home and it gives you a list of drinks you can make.
Newpipe - A YouTube client without ads.
Libretube - Another YouTube client without ads.
Blood Pressure Monitor - Same thing as the diabetes, but great if you have high blood pressure you need to track.
ChordReader 2 - Get guitar chords to learn how to play songs.
Fennec - A web browser based on Firefox that’s privacy oriented.
Red Moon - Makes looking at your phone easier on your eyes at night.
Newpipe - A YouTube client without ads.
Literally can’t say enough good stuff about Newpipe.
Everything YouTube SHOULD be, this is. LISTEN TO A VIDEO IN THE BACKGROUND!!!11. Playback speed infinitely adjustable- good for lectures, interviews, etc. No ads. No bullshit.
Love F-Droid but be aware of the risks and always try to use a developer repo when possible…
I actually would go for the main repo as all the software in the main repo is reviewed by the main Dev team
Did you even read the article? F-Droid signs all the apps in the main repo…
The author of this article completely misses the point of F-droid. They clearly are used to a world of proprietary software that takes “security” over freedom
So yes I did read the article and no it doesn’t change anything. If you’re going to make an argument you shouldn’t just link to someone else’s work. Part of the problem with the internet is no one thinks for themselves.
Sure, I’ll spell it out for you since apparently the point went right over your head. Fdroid devs are a single point of failure by signing every application themselves. This introduces a potential for supply chain attack, not to mention Fdroid running on EOL servers.
When you use an individual dev repo, you can avoid any trojanized apps from Fdroid because the developers maintain their own infrastructure and sign their own apks.
That’s called… D I S T R I B U T E D T R U S T
The reason F-Droid builds from source is to ensure that they can enforce their inclusion criteria. If you go outside F-Droid you lose that guarantee. For example, self-published apks in github or google play may contain anti-features or proprietary code that are forbidden by the F-Droid standards.
From another point of view, what you call a single point of failure is a third party that represents the interests of the user community, independent from individual developers. This is the same model used in GNU/Linux distributions, and Drew DeVault explains here the role that software distributions play in the free software community.
Of course, this represents a trade-off, in that you are placing trust in the software distribution instead of or in addition to the upstream developer. The question is, how can you solve the problem without foregoing F-Droid’s inclusion standards? The answer is reproducible builds, where F-Droid builds from source and compares to the developer’s apk, and publishes the developer’s apk with their signature if the build reproduces successfully.
Until Reproducible builds are the norm in the Android free software world, I accept the trade-off because I value having software freedom in my computing, and I know I can’t trust upstream developers to care about that as much as F-Droid or I do.
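The reproducible-build comparison described in the comment above, as an added example that is not part of the thread and not F-Droid's own code: it rebuilds nothing itself, but shows how a from-source build can be compared with a developer-signed APK by hashing every entry except the v1 (JAR) signature files. The function names and the in-memory sample APKs are constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

# v1 (JAR) signature files differ between an unsigned rebuild and a signed
# release by construction, so they are excluded from the comparison.
SIGNATURE_ENTRY = re.compile(r"^META-INF/([^/]+\.(SF|RSA|DSA|EC)|MANIFEST\.MF)$")

def content_digests(apk_bytes):
    """Map entry name -> SHA-256 of its uncompressed content, skipping signatures."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if SIGNATURE_ENTRY.match(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(apk.read(info)).hexdigest()
    return digests

def compare_builds(rebuilt_apk, developer_apk):
    """Return the sorted names of entries that are missing, extra or different."""
    ours = content_digests(rebuilt_apk)
    theirs = content_digests(developer_apk)
    return sorted(n for n in ours.keys() | theirs.keys() if ours.get(n) != theirs.get(n))

def make_apk(entries):
    """Build a constructed, in-memory APK-like zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample data: what the repository built from the published source,
# a matching signed release, and a signed release with code not in the source.
APP = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00code"}
SIGNED = dict(APP, **{"META-INF/MANIFEST.MF": b"mf", "META-INF/CERT.SF": b"sf",
                      "META-INF/CERT.RSA": b"sig"})
TAMPERED = dict(SIGNED, **{"classes.dex": b"dex\n035\x00code+tracker",
                           "lib/arm64-v8a/libads.so": b"\x7fELF"})
REBUILT = make_apk(APP)

def demo():
    """Differences for the matching release and for the tampered release."""
    return (compare_builds(REBUILT, make_apk(SIGNED)),
            compare_builds(REBUILT, make_apk(TAMPERED)))

if __name__ == "__main__":
    matching, tampered = demo()
    print("reproduces:", not matching)
    print("differing entries in tampered release:", tampered)
```

An empty difference list means the developer's signed APK carries exactly what the source produces, so it can be published with the developer's signature; any listed entry is content the source does not account for.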
Sure, at least you admit there’s a trade off (security) for (FOSS) and maybe some additional privacy.
People should be made aware of the risks and choose according to their threat models, which is why I’ve highlighted some of these issues to begin with.
Those are some very strange objections to F-Droid. The outdated signing software on the backend doesn’t really affect the end user, for a start. The signing key problem is also present in Google Play, the only other app store people actually use, and it’s intentional.
F-Droid builds the sources developers make available, it doesn’t accept a developer’s build with the pinky promise that no malware was added when they compiled their code.
The loose requirements are a feature, not a bug; things like a low API target level are why Termux still works on F-Droid but not on GPlay. This does pose some privacy risks because of API compatibility stuff, but because of the requirements for an app to be even listed on there, the impact is minimal.
Should F-Droid improve their technical debt? Definitely. Does any of this pose an actual risk to users? Definitely not.
Doesn’t affect the end user… beyond diminished security. Are you implying I should trust Fdroid devs as much as I would trust Google devs?
What diminished security, though? “Apps you can install may be evil” is true of any software repository, whether it’s the Microsoft Store or Steam.
You should trust the devs of anything you install as much as the Google devs. Not just the devs of the app store itself, also the devs behind the apps these stores serve.
If you don’t trust them, don’t use their product. Not trusting a third party is one of the major reasons F-Droid is even a thing, because Google can’t exactly be trusted to have your best interests in mind with their app store.
The diminished security resulting from the increased likelihood of a (single point of failure) supply chain attack.
Yes, it’s possible for malicious devs to trojan apps, but due to apk signing it is much more difficult for a third party entity to induce a supply chain attack, which is my real concern when it comes to phone security.
If you have a lower threat model, this post isn’t for you…
I don’t see how supply chain attacks on F-Droid are any different from other app stores. Supply chain attacks would also attack the APK compiled on a dev’s machine.
Also, APKs are signed on Google’s servers, devs don’t have control over those signatures anymore, unless they distribute their APKs through other means (which would impose similar if not worse risks compared to F-Droid, of course).
If you think Fdroid security is on par with Google security… then I got a bridge to sell you