F-Droid: A free, open, privacy-oriented Android app store that corrects Android's "original sin"


#1

Originally published at: https://boingboing.net/2018/01/22/f-droid.html


#2

F-droid is great! Here’s a few very useful applications I depend on:


#3

Thanks for covering a great project and effort by the Yale Privacy Lab, but they didn’t create F-Droid. It has been around, doing the free and open source app store thing, since 2010.

See the quote you referenced - it says the created tools for automating the process of finding trackers, and that the F-Droid project, will incorporate those tools, and merge in their effort.

“Researchers at Exodus Privacy and Yale Privacy Lab are working on taking the next big step, by creating tools for automating the process of finding all the various forms of tracking that apps can include. F-Droid will work with them to merge efforts, increasing the effectiveness of volunteers, and exposing the inner workings of software in daily use worldwide.”

F-Droid is also one of the projects we actively support at Guardian Project, as it supports offline peer-to-peer sharing over Bluetooth and Wifi and allows anyone to host their own app repo, even on an internal WiFi network, both great for places like Cuba (https://f-droid.org/en/2017/07/03/cuba.html). It also supports routing through Tor quite well, and Onion hosted repositories, providing a metadata free way of getting apps, as well.

Otherwise, there was a great short video demo of the new UI on the “All About Android” show yesterday: https://www.youtube.com/watch?v=G-UYZ89ys0U

Cheers!


#4

Sigh. Why must we keep hearing this line of bullshit from open software advocates? Unless the number of man-hours put into ensuring that the apps in the store do not in fact contain spyware rises above zero per app, we can be certain that the store will become just as full of dodgy crapware as the official Android store. Advertising FOSS as more secure or private than non FOSS software is and will forever remain false and dishonest advertising.

That’s whether we’re talking FOSS projects like openSSL where security holes can linger for over a decade before anyone bothers to check and see if they exist, or stores for FOSS phone apps like F-Droid. Unless someone invests money and time into auditing the code, you are just as vulnerable to shitware in the FOSS ecosystem as you are in the non-FOSS ecosystem. Actually, more so, because of FOSS hucksters like @doctorow who go around peddling this line of security and privacy bullshit, which engenders a false feeling of security along with a smug sense of moral superiority for supporting FOSS.

As far as I know, the only mobile app store that spends any time and money whatsoever striving to weed out spyware and malware in order to protect the privacy and security of their customers is the Apple app store. Which doesn’t spend nearly enough time weeding out privacy invasive apps, but they win this contest by spending more than zero time per app. That’s how low the bar is, sadly. And sprinkling an alternative app store with FOSS pixie dust does nothing to fix the problem.


#5

Here’s what makes F-Droid unique, especially with the inclusion of the automated tools from the Yale Privacy Lab. First, all the apps on F-Droid are built from source by the F-Droid infrastructure itself. When you submit your app, you provide the git repo link. You cannot include any binary blobs in your app, like jar files, or include proprietary third-party dependencies, like Google’s Cloud Messaging. All of the code must be open-source, and shown as such through the build recipe provided for the repo.

Second, as the article states, the Yale Privacy Lab is building automated tools to detect trackers, which are defined quite broadly by them, in binaries. So if someone did someone include something surreptitiously, it is likely that Yale’s tools would find them.

Third, F-Droid has been pioneering the use of reproducible builds for mobile apps. You can read about it a bit more here: https://f-droid.org/en/docs/Reproducible_Builds/ but in short, there is a entire second server checking that the builds offered by F-Droid.org match the source code. Anyone can run a verification server, and the hope is that more in the community will, to look for any mismatch between source code and binary.

I do agree that just saying “It’s better because its open source!” isn’t the answer. Authoritarian app stores that encourage censorship and rely on a single operating system and platform ruling all, are also not the solution. What might be part of the answer is an app ecosystem that has transparency, can be audited, promotes best practices, and preserves as much privacy as possible for its users.


#6

Typically of a Cory Doctorow post, the lede about the Yale Privacy Lab tools got buried in favour of ranting about the evils of closed source. Scanning all apps for analytics, trackers, and home-phoning behaviour is a good first step, but it’s only a first step and it doesn’t guarantee that the apps in the store are respecting your privacy or are free of shitware. Inspecting the app for dodgy code is easier with open source projects, but there’s only so much automated tools can do.

It’s a sad state of affairs when the app store with the best track record of protecting user’s privacy and security is the one run by a benevolent dictator as a walled garden.


#7

Not really new guys. I’ve had fdroid since the first time I got a smartphone


#8

F-Droid contributor here. We are definitely spending more than zero time when including a new app into F-Droid. Sometimes the process takes many cycles together with the upstream developer and completes after weeks of back and forth.

But even for simple apps we’ll at least check the requested permissions and required dependencies. A lot of fishy things would come up there.

And of course there are quite strict checks that prevent inclusion of non-free software.

What’s actually not manually reviewed for most apps are version updates. These are added and built automatically when upstream publishes the source-code for them.

So far no crap/malware was added to F-Droid this way, I guess there are a couple of things that work as a deterrend here:

  • the code is public, so all malware that get’s added to F-Droid this way would be made publicly available.
  • you’d first have to get a useful app through a manual inclusion and review process before being able to introduce malware later on in a version upgrade. That’s quite a high barrier.

#9

Maybe you ought to go somewhere else to spew your bullshit.


#10

I have F-Droid on my phone, and I highly recommend it. Actually I didn’t even link my phone to Google account.
Some of apps worth looking at:
Spydroid - turns the phone into IP camera with sound, I use it for remotely monitoring CNC milling machine on longer jobs, especially in the winter.
VX ConnectBot - SSH client.
Hackers Keyboard - full keyboard for Android, way better than original one.
VIM Touch - text editor, not recommended for EMACS users :wink:


#11

If you install Termux (in F-Droid), you can use both Emacs and Vi in the terminal on your phone. (Further, you could run Evil in Emacs to have a Vi-environment inside of Emacs).


#12

Thanks!
Can you install Vim on non-rooted phone?

By the way, another project worth looking at is LineageOS - open source Android that doesn’t use Google Apps or account at all if you doesn’t want it to (but you still can install them of course). It is way faster that stock firmware provided with most phones (mostly because of lack of bloatware) and provides updates even tho phones obsoleted long ago by manufacturers. For example Samsung Galaxy Note II (I personally tested it, and it works perfectly) gets Android 7.1 instead of 4.4 - last version released by manufacturer. There’s also wonderful community around it. Sadly there isn’t a version for my Samsung GT-i8200 :frowning:


#13

Yes, you don’t need root to install vi in Termux. (edit: Termux has vim and neovim in its repos, it looks like)

LineageOS is great - that’s what I have on my phone. (Samsung S5 [codename: klte] is a great phone for this, and can be picked up used for about US$100; microsd card slot, removable battery, waterproof, irblaster - lots of nice features; and has a 96% CVE patch rate - https://cve.lineageos.org/devices .)

If you do want some apps from the Play store without having Google Play Services, check out microG ( https://microg.org/ ) - they even have their own set of lineageos builds with microg baked in ( https://lineage.microg.org/ ).


#14

Sadly it requires Android 5 or newer, and last release for GT-i8200 was android 4.2 :frowning:


#15

I think that the reminder that free software does not automatically protect us from malware was useful, together with the answers about what specific steps were taken by the Yale privacy lab and F-droid.


#16

No, I don’t think so. Not the way it was presented (e.g. “sprinkling with FOSS pixie dust” &c.). And it misses the essential point: there can be no security with proprietary software. No matter how Microsoft, Apple, and their surrogates try to spin things.


#17

I am wondering Is that app available on chines app stores like Tutuapp? because the provide premium versions for free of many apps.


#18

(emphasis added)

Actually, I think that there can be no security with software. All software… :innocent:


#19

This topic was automatically closed after 5 days. New replies are no longer allowed.