davd1d ago
I wrote a blog post about migrating to #grapheneos as my daily driver including links to all the nice #foss apps I use now. What are your favorite open source apps on Android? @flowinho Since we talked about it the other day  https://www.davd.io/posts/2026-03-21-back-on-grapheneos-in-2026/ #didit #dutgemacht
Back on GrapheneOS in 2026 - davd.io

davd.io is a blog featuring various topics related to web development and server operation

davd.io
Show threada53bdb1d ago

@_davd @flowinho
Don’t use F-Droid and Aurora store for security, use Obtainium, Accrescent and AppVerifier.

https://privsec.dev/posts/android/f-droid-security-issues/

https://xcancel.com/search?f=tweets&q=from%3AGrapheneOS+Aurora+Store

F-Droid Security Issues

F-Droid is a popular alternative app repository for Android, especially known for its main repository dedicated to free and open-source software. F-Droid is often recommended among security and privacy enthusiasts, but how does it stack up against Play Store in practice? This write-up will attempt to emphasize major security issues with F-Droid that you should consider. Before we start, a few things to keep in mind: The main goal of this write-up was to inform users so they can make responsible choices, not to trash someone else’s work.

Show threaddavd22h ago
@a53bdb @flowinho Thx for your feedback! Accrescent has like 10 apps, so that unfortunately does not get me very far. For a profile without Play, the Play Store is also not an option, so Aurora it is, unless I want to manually download each apk manually (I don't want to make my main profile a secondary profile to install apps that way). For F-Droid, true, but many apps don't publish their decluttered F-Droid builds on GH or any build at all (like AntennaPod), so for now guess I'll live with it.
Show threada53bdb22h ago
@_davd @flowinho Obtainium can obtain apps from F-Droid repo too. Don’t sacrifice other apps dependencies security if you have to use it.
Show threaddavd22h ago
@a53bdb @flowinho Yeah that's what I do mostly 👍 But the fundamental sec issue (central build, signing infra) stays the same. On the other hand, assuming my biggest problem is the central signing, then the impact of F-Droid getting compromised is much higher. However, I feel in reality it's not that black and white. Devs with lax opsec have their accounts compromised and GH actions are super prone to supply-chain attacks (see https://www.theregister.com/2025/03/17/supply_chain_attack_github ). So it's a trade-off, unfortunately 😅
GitHub supply chain attack spills secrets from 23,000 projects

: Large organizations among those cleaning up the mess

The Register
Show threada53bdb
@_davd @flowinho Developers from F-Droid probably have the same possibility of getting hacked. Centralized building simply increase the risk.
Mar 22 at 7:17amWeb
Show threaddavd21h ago
@a53bdb @flowinho I agree with the sentiment and the fundamental risk. The problem is that it just doesn't work like "a upstream developer build is always more secure than the F-Droid build". If I look at the pipeline of an app build and the GH actions they use are not even pinned to reduce the risk of SCAs, I'll happily take the F-Droid build instead. As always, it depends on what you do.