In the GrapheneOS forum, I encountered a claim that F-droid is insecure (and not good at privacy as well). These links (and more) were given as an evidence:
- https://privsec.dev/posts/android/f-droid-security-issues/
- https://xcancel.com/GrapheneOS/status/1883895255142932816#m
- https://github.com/obfusk/fdroid-fakesigner-poc
While there are some attitude against FOSS app, I think the arguments are generally sound and in good-faith. Which makes me confused, as I’ve been hearing good words about F-droid in lemmyverse.
I am not good at assessing arguments, so I want to ask you guys for more aspects and information.
Also, if not F-droid, what should I use? Is Aurora store, a frontend of play store, not fine to use as well?
I’ve seen posts by the GrapheneOS team about recommendations against using both F-Droid and Aurora. F-Droid had a decent sized list of issues they raised. One of the key ones they raised against both was that it added an extra person to trust. You always need to trust the code of the developer of the app. No way to avoid that. With F-droid you need to trust that their build system/infrastructure is serving you the app as per the developers code. With Aurora you need to trust the Aurora devs are giving you the app unmodified from Google.
There were other criticisms on F-Droid that they sign almost all apps with their own key rather than the developers. They do offer to serve apps with the developer keys, but it’s difficult to setup and not many apps implement it. Google Play also does the same thing though, so I feel this risk isn’t that big. Generally they seem to recommend getting apps directly from developers rather than via a 3rd party. They offer Accrescent in the GrapheneOS app store which is designed for this, just pulls files from Github AFAIK.
All that said. I prefer to get all my apps from F-Droid (NeoStore technically) and Aurora for anything without a F-Droid repo.