If you use Android, do you use the @fdroidorg app store?

If not, I'd love to hear why not, whatever the reason(s) might be.

Yes, I do
No, I do not
@neil @fdroidorg no, had not heard of it before. Why would a non-programmer need to use a different app store other than Google's? Can we not get the same apps there?

@35millimetre @neil @fdroidorg

F-Droid includes only F/OSS apps, and has a policy of removing user-hostile things. Sometimes this can break features of apps that they (somewhat arbitrarily) decide are anti-features, but more usually it ends up with a version that has any Google-App-Store-policy-mandated spyware removed.

Given a choice between the version of an app in the Play Store and F-Droid, I'll almost always favour the F-Droid one.

It's also fairly easy to set up your own F-Droid repository. Organisations such as Mozilla or Signal could (though don't) host their apps themselves and remove Google entirely from the distribution chain and, more importantly, from the code-signing chain, for users that didn't want to use Google.

@david_chisnall @neil @fdroidorg oh that is good to know! I often think about the mammoth task of de-Googling my life, maybe this is a good first step.
@david_chisnall @neil @fdroidorg question: can anyone upload apps to that store? Wondering about viruses etc, malicious apps - are they less or more likely to be there than in the Google Play store?
Inclusion How-To | F-Droid - Free and Open Source Android App Repository

This page documents how a new application gets included in the main F-Droid repository. It includes the technical details that a submitter should be aware of.

@35millimetre @neil @fdroidorg

The 'store' is really a front end for multiple repositories, which are just collections of apps. By default, it's configured for the one that they run.

Only members of the F-Droid project can upload apps there (technically, they don't upload them directly, but that's largely irrelevant to the security, except it makes it harder for malware on a developer's device to break things for you). Their policy does this only for things for which the source code is visible. This means that:

  • In theory, they could audit the code to prevent malware, but in practice that's really hard and so they don't.
  • There is an audit trail, so if there is malware in an app you can find where it was introduced. This is a bit less opaque than the Play Store.

In general, there's a lot of malware in the Play Store, so being less full of malware than that is a pretty low bar. This is partly why Android and iOS have a permission model for apps: so that you don't have to rely on that and can instead choose to not give apps permissions that they shouldn't need. Apps in F-Droid are much less likely to require ludicrous permissions than those in the Play Store.

Other repositories change the threat model slightly. Google Play now requires Google to do the code signing. This means that malware can be inserted by:

  • The original author of the app.
  • Whoever manages to compromise their Google API keys.
  • Google.
  • Anyone who compromises the Play Store's keys.

With a per-project F-Droid repository, you remove the second two of those. Is that better? Well, maybe. It's complicated.
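To make the "repository is just a collection of apps" and "audit trail" points concrete, here is an added Python example (not the F-Droid client's or server's own code) of the checks a client can run against a repository index before installing a download: the APK's size and SHA-256 must match what the index lists, and the signing-certificate fingerprint must match the one pinned for that package, so a swapped key or a tampered file is rejected rather than installed. It also walks the per-package history in the index to flag any release whose signer differs from the earliest one, which is the audit-trail question the post raises. The field names (`packages`, `versionCode`, `hash`, `hashType`, `signer`, `size`) are modelled on F-Droid's index-v1.json layout as an assumption; the index contents, APK bytes and fingerprints are constructed for the example.

```python
import copy
import hashlib
from typing import Dict, List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for two APK downloads and two hypothetical
# signing-certificate SHA-256 fingerprints (hex). None of these are real.
APK_V1 = b"constructed bytes standing in for app-1.apk"
APK_V2 = b"constructed bytes standing in for app-2.apk"
DEV_SIGNER = "a1" * 32    # the developer's long-standing certificate
OTHER_SIGNER = "b2" * 32  # a different certificate (e.g. a rotated or substituted key)

# Constructed repository index, shaped like the "packages" section of index-v1.json
# (assumed field names). Newest release first, as the real index lists them.
SAMPLE_INDEX: Dict = {
    "repo": {"name": "constructed example repo"},
    "packages": {
        "org.example.app": [
            {"versionCode": 2, "versionName": "1.1", "apkName": "app-2.apk",
             "hashType": "sha256", "hash": sha256_hex(APK_V2),
             "size": len(APK_V2), "signer": DEV_SIGNER},
            {"versionCode": 1, "versionName": "1.0", "apkName": "app-1.apk",
             "hashType": "sha256", "hash": sha256_hex(APK_V1),
             "size": len(APK_V1), "signer": DEV_SIGNER},
        ]
    },
}


def find_release(index: Dict, package: str, version_code: int) -> Optional[Dict]:
    """Return the index entry for one release of a package, or None if unlisted."""
    for entry in index["packages"].get(package, []):
        if entry["versionCode"] == version_code:
            return entry
    return None


def verify_download(index: Dict, package: str, version_code: int,
                    apk_bytes: bytes, pinned_signer: Optional[str] = None) -> Tuple[bool, str]:
    """Check a downloaded APK against the repository index before install.

    Order matters: cheap checks (listing, size) first, then the hash, then the
    signer pin. Any failure returns (False, reason) and nothing is installed.
    """
    entry = find_release(index, package, version_code)
    if entry is None:
        return False, "version not listed in repository index"
    if entry["hashType"] != "sha256":
        return False, f"unsupported hash type {entry['hashType']!r}"
    if len(apk_bytes) != entry["size"]:
        return False, "size mismatch"
    if sha256_hex(apk_bytes) != entry["hash"]:
        return False, "sha256 mismatch: file differs from what the index describes"
    if pinned_signer is not None and entry["signer"] != pinned_signer:
        # Android itself refuses updates signed by a different certificate; checking
        # here surfaces the problem before the download is handed to the installer.
        return False, "signer mismatch: release is signed by a different certificate"
    return True, "ok"


def add_release(index: Dict, package: str, version_code: int,
                apk_bytes: bytes, signer: str) -> Dict:
    """Return a copy of the index with one more release prepended (newest first)."""
    new_index = copy.deepcopy(index)
    new_index["packages"].setdefault(package, []).insert(0, {
        "versionCode": version_code, "versionName": f"0.{version_code}",
        "apkName": f"app-{version_code}.apk", "hashType": "sha256",
        "hash": sha256_hex(apk_bytes), "size": len(apk_bytes), "signer": signer,
    })
    return new_index


def signer_changes(index: Dict, package: str) -> List[int]:
    """Audit trail: version codes whose signer differs from the earliest release's."""
    releases = sorted(index["packages"].get(package, []), key=lambda e: e["versionCode"])
    if not releases:
        return []
    baseline = releases[0]["signer"]
    return [e["versionCode"] for e in releases if e["signer"] != baseline]


if __name__ == "__main__":
    print(verify_download(SAMPLE_INDEX, "org.example.app", 2, APK_V2, DEV_SIGNER))
    rotated = add_release(SAMPLE_INDEX, "org.example.app", 3, b"constructed v3", OTHER_SIGNER)
    print("releases with a changed signer:", signer_changes(rotated, "org.example.app"))
```

In practice the client also verifies the signature over the index itself before trusting any of these fields; the point of a per-project repository, as the post says, is that the key signing that index and the key signing the APKs both belong to the project, with no app-store operator in between.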

@david_chisnall @neil @fdroidorg thanks for taking the time to explain, I really appreciate it ☺️
@35millimetre @neil @fdroidorg Some open source apps that need to be paid on Play Store are available on F-Droid for free.