Lemmy seems like the right place to ask this. Personally I’ve really enjoyed Gurgle, which is a FOSS Wordle clone app.

  • Genghis · 1 up / 4 down · 1 year ago

    F-Droid has many security vulnerabilities and has many issues such as:

    1. Hosting an outdated APK client.
    2. Utilizes an obsolete installation method.
    3. Does not take advantage of modern appstore features.
    4. Has no moderation.
    5. Has no old app deletion.
    6. Has an arbitrary FOSS only rule.
    7. Does all building and signing themselves.

    If you want more details about these issues read this:

    https://privsec.dev/posts/android/f-droid-security-issues/

    • ChaoticNeutralCzech@feddit.de · 3 up · edited · 1 year ago

      #2 can be solved by using one of several alternative clients with root permissions. Yes, manual APK install is tedious but not inherently insecure, and the only option for nonroot devices without an ADB host.

      #4 is not really true. They are just very lenient, mostly just flagging apps with problems (known vulnerabilities, telemetry, non-FOSS services/assets/libs, ads).

      #5, #6 and #7 are actually advantages. It’s nice to know that all apps are FOSS and correspond to source, and I can install old apps / earlier versions on old phones – as opposed to Google Play, which denies an app’s existence if your device is incompatible, resulting in shady alternatives and adware typosquatters topping search results.

      • Genghis · 1 up · 1 year ago

        2 - Manual installation methods can be insecure because a lot of people don’t update their apps all the time. Obviously rooting a phone is insecure, but having no auto updates in 2023 is crazy.

        4 - It is very true, having zero quality control on new apps. The flagging of apps with problems is just following the FOSS philosophy. Any FOSS app can be added to F-Droid.

        5 - Not sure why you would want to install abandoned apps on F-Droid, let alone use an EOL device. A lot of people don’t check if apps are maintained because they trust their app store.

        6 - FOSS doesn’t automatically mean it’s secure or private. Also, why is it that I have to install proprietary apps only on the Google Play Store?

        7 - F-Droid signing keys aren’t an advantage because it requires an extra layer of trust. I’m already trusting the developer by installing their app, so the developer should be signing the keys. This is a reason why Signal is not on F-Droid.

        • ChaoticNeutralCzech@feddit.de · 3 up · 1 year ago

          2 - You cannot really fix this unless an alternative F-Droid client is installed as a system app by the manufacturer, or they allow relocking the bootloader. Good luck convincing them.

          5 - I can run anything of any age on my devices, accepting the security risk. I want to be able to factory reset and use one of my Android 4.4 phones with an unmatched speaker as an Internet radio receiver instead of throwing it out. F-Droid explicitly tells you how long it’s been since the last update and ranks old apps low in lists and searches.

          • Genghis · 1 up · edited · 1 year ago

            This is why Accrescent is amazing. It has automatic updates for Android 12+. Also leaving the bootloader unlocked is a security risk. Using stock or GrapheneOS (better option) on Android is best because you can lock the bootloader.

            I don’t mind F-Droid being around. If you’re okay with the security risk, I have no problem. I’ve explained to you the security issues and the misinformation that people give that F-Droid is secure. I was just explaining their security vulnerabilities and explaining why Accrescent is a much better option for installing apps.

        • Captain Beyond@linkage.ds8.zone · 3 up / 2 down · 1 year ago

          The point of free software isn’t security, but freedom. For people who want control of their computing, this is not an “arbitrary restriction” but rather a basic requirement. Just because you don’t particularly care about a concern doesn’t make it “arbitrary.” I’m not a vegan or vegetarian but I don’t complain about the “arbitrary restriction” of a plant-based diet.

          • Genghis · 1 up · edited · 1 year ago

            I think you’re thinking I’m against FOSS, but you’re not understanding. Many people in the FOSS community only care about privacy and ignore security. A developer can implement security benefits to FOSS, but many people don’t care to do it.

            Accrescent is FOSS and it has much higher security benefits than F-Droid. Accrescent allows both open and closed sourced apps because there’s no benefit being exclusive to having FOSS apps in their catalog.

            If the user chooses to not use proprietary apps on Accrescent, they don’t have to install them.

            • Captain Beyond@linkage.ds8.zone · 2 up · 1 year ago

              It’s a misconception to say that free software is “about privacy.” Many people in the free software community care about having the four freedoms (the freedom to use, share, modify, and share modified copies). We don’t like free software because we think it’s more secure, we like it because it’s free software. Freedom doesn’t need a justification other than freedom itself.

              For us, a catalogue offering only free software isn’t an “arbitrary rule”; that’s the whole point. If F-Droid carries an app, I know I have the four freedoms with that app, because they put in the work to verify that, by building the app according to their (relatively strict, not strict enough IMO) standards. Accrescent and Obtainium fans have different priorities, which is okay, but I don’t understand why they spend so much time shitting on F-Droid and the free software movement.

              Security is important in free software, but security in proprietary software is often user-hostile (for example, DRM and WEI). Oftentimes the only way to regain freedom in a proprietary environment is to exploit a security hole, so sometimes we prefer that proprietary software actually not be very secure.

              As for F-Droid’s and the free software community’s attitude towards “old” apps, we understand that software does not lose value simply by being unmaintained. Of course, if something is particularly security-critical and/or has a large attack surface (for example, an operating system or a web browser), I would stay away from anything unmaintained. That doesn’t apply to all software, though.