undefined | Better HN

0 pointsjlokier7mo ago0 comments

> In most cases, F-Droid couldn't know either.

F-Droid is quite restrictive about what kinds of app they accept, they build the app from source code themselves, and the source code must be published under a FLOSS license. They have some checks that have to pass for each new version of an app.

Although it's possible for a developer to transfer their accounts and private keys to someone shady, F-Droid's checks and open source requirements limit the damage the new developer can do.

https://f-droid.org/docs/Inclusion_Policy/

https://f-droid.org/docs/Anti-Features/

0 comments

5 comments · 2 top-level

Hizonner7mo ago· 2 in thread

You know what? That's bullshit.

Anybody slightly competent can put horrendous back doors into any code, in such a way that they will pass F-Droid's "checks", Apple's "checks", and Google's "checks". Source code is barely a speed bump. Behavioral tests are a joke.

johnnyanmac7mo ago

Anyone determined enough can break into any house. If not through ingenuitiy, then by a brick to your window. Doesn't mean we shouldn't lock our doors, turn off our lights, and close our curtains anyway.

The fortunate thing is that 99% of people won't bother trying to break your app if it's not dead simple. Advanved security mechanisms to check for backdoors is probably something only billionaire tech companies need to worry about.

Hizonner7mo ago

You totally misunderstand the threat model. It's not about anybody breaking your app. It's about people making their own apps do things they're not supposed to do.

... and there's always a tradeoff in terms of how much of a deterrent anything is. The app store checks are barely measurable.

1 more reply

Sophira7mo ago· 1 in thread

One thing worth noting, these checks and restrictions only apply if you're using the original F-Droid repository.

Many times I've seen the IzzyOnDroid repository recommended, but that repo explicitly gives you the APKs from the original developers, so you don't get these benefits.

Zak7mo ago

That's true. The whole point of an open ecosystem is that you get to decide who you get your software from. You can decide on the official F-Droid repository and get the benefits and drawbacks of a strict open source rule with the F-Droid organization's curation if that's your preference. You can add other repositories with different curation if you prefer that.

j / k navigate · click thread line to collapse