Risk assessment for f-droid vs. google play store (self.android)

submitted 3 months ago* (last edited 3 months ago) by 9488fcea02a9 to c/[email protected]

1 comments fedilink hide all child comments

With the whole XZ compromise, i am now rethinking the pros and cons of using f-droid

Google play: trust the developer, trust google's vetting process and distribution

F-droid: trust the developer, trust f-droid build tools and distribution

So in both cases, the developer could be either knowingly or unknowingly including malicious code in their code or apk... We cant really do anything about that. Have to trust the developer, or build from source yourself.

Once the apk is produced and sent to google, it is unlikely to be altered before being downloaded on to your phone. (Assuming your threat model does NOT include google being coerced by state level actors to send you a bad .apk)

F-droid's entire build chain and distribution seems like a relatively easy target for building and distributing bad .apks. We're talking about the difference between attacking google, vs. attacking a small community supported website.

Dont get me wrong, i'm a long time f-droid user and donor. I'm just thinking out loud and seeing if anyone else has similar concerns.

top 1 comments

sorted by: hot top controversial new old

[-] evo 3 points 3 months ago* (last edited 3 months ago)

Once the apk is produced and sent to google, it is unlikely to be altered before being downloaded on to your phone.

This is potentially besides the point but APK's aren't even uploaded to the play store anymore. You upload an App Bundle (AAB) and Google actually generates all the different APK's that would be needed for different devices.

F-droid's entire build chain and distribution seems like a relatively easy target for building and distributing bad .apks.

Yes. And what happens to you if F-Droid discovers something bad happened? Not much. I believe Google has the power (as scary as it is) to remotely remove apps from your device.

this post was submitted on 02 Apr 2024

2 points (100.0% liked)

Android

26906 readers

247 users here now

DROID DOES

Welcome to the droidymcdroidface-iest, Lemmyest (Lemmiest), test, bestest, phoniest, pluckiest, snarkiest, and spiciest Android community on Lemmy (Do not respond)! Here you can participate in amazing discussions and events relating to all things Android.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules

1. All posts must be relevant to Android devices/operating system.

2. Posts cannot be illegal or NSFW material.

3. No spam, self promotion, or upvote farming. Sources engaging in these behavior will be added to the Blacklist.

4. Non-whitelisted bots will be banned.

5. Engage respectfully: Harassment, flamebaiting, bad faith engagement, or agenda posting will result in your posts being removed. Excessive violations will result in temporary or permanent ban, depending on severity.

6. Memes are not allowed to be posts, but are allowed in the comments.

7. Posts from clickbait sources are heavily discouraged. Please de-clickbait titles if it needs to be submitted.

8. Submission statements of any length composed of your own thoughts inside the post text field are mandatory for any microblog posts, and are optional but recommended for article/image/video posts.

Community Resources:

We are Android girls*,

In our Lemmy.world.

The back is plastic,

It's fantastic.

*Well, not just girls: people of all gender identities are welcomed here.

Our Partner Communities:

[email protected]

founded 1 year ago

MODERATORS

[email protected]