In the GrapheneOS forum, I encountered a claim that F-droid is insecure (and not good at privacy as well). These links (and more) were given as an evidence:
- https://privsec.dev/posts/android/f-droid-security-issues/
- https://xcancel.com/GrapheneOS/status/1883895255142932816#m
- https://github.com/obfusk/fdroid-fakesigner-poc
While there are some attitude against FOSS app, I think the arguments are generally sound and in good-faith. Which makes me confused, as I’ve been hearing good words about F-droid in lemmyverse.
I am not good at assessing arguments, so I want to ask you guys for more aspects and information.
Also, if not F-droid, what should I use? Is Aurora store, a frontend of play store, not fine to use as well?
In case of f-droid, it’s follow more the Linux distro phylosopy, where the binaries are build and offered to you not by the developer but by distro/repository maintainers people.
You can add your own repository or use your friend repository or use f-droid ones.
In case od f-droid repository, to get app published your app need to adhere to rules one of them is that the code need to be public so the repo maintainers can build the app from it.
Comparing it to play store where the app is build and sign by the developer without making the code public, in turn making it almost impossible to know and follow what the app is doing.
So its a matter of trust.
For some apps I would rather install them from f-droid as I have higher confidence that someone looked at it if the app is not harmful or leaking my private data. For other apps like Banking apps I would rather install them from Aurora store where I dont know what the app is doing but I trust more to protect my money than some random dude on internet. And if bank does something bad I will sue them or just stop using their service.