• digger@lemmy.ca
    ↑109 · 1 year ago

    Something worth noting is that F-Droid is both an app to download other apps but they also maintain a repository of apps. You can use alternative store apps (like Droid-ify) with the F-Droid repository OR you could use the F-Droid app with a different repository (like IzzyOnDroid). You can mix and match to meet your needs.

    I use the Droid-ify app with the F-Droid, IzzyOnDroid, microG, NewPipe, and Collabora repositories.

    Once you start down this rabbit hole, give Obtainium a look.

      • itadakimasu@lemmy.world
        ↑1 ↓1 · 1 year ago

        I wanted to like this one.

        Neostore got stuck trying to sync repos or something and drained my battery from 80% to 20% within like an hour.

        Uninstalled it immediately. No app should be able to malfunction in such a way to cause such battery drain.

      • digger@lemmy.ca
        ↑9 · 1 year ago

        On Android, we’re used to the “Play Store” being both the app that facilitates downloads as well as the collection of apps available. With F-Droid, you can add additional collections of apps to make available for download.

        You might add an additional repository to gain access to apps not in the main F-Droid repository. You might add a developer’s repository to gain access to updates to their apps before those updates hit the main F-Droid repository.

        Divest is the developer repository for apps maintained by Divest OS, a fork of Lineage OS.

        • 6daemonbag@lemmy.dbzer0.com
          ↑2 · 1 year ago

          I have and use F-Droid but hadn’t caught on to repos and their function. Just seen it mentioned. Thanks for elaborating!

      • fulano@lemmy.eco.br
        ↑6 · 1 year ago

        Some software developers prefer to host their own repos and have more control over the release process and/or don’t want to fill all the criteria for being included on f-droid, so they create their own repos. Some of these apps can still be found on vanilla fdroid, but often aren’t updated so frequently.

        Izzyondroid, on the other hand, is a different project, aimed at hosting different apps that are usually from smaller devs and can’t be included on fdroid yet, for different reasons.

        The greatest thing about fdroid is that it allows anyone to create their own repos and you aren’t forced to depend on anyone.

    • Possibly linux@lemmy.zipOP
      English · ↑5 ↓3 · 1 year ago

      I would avoid adding other repositories because you are risking malware and anti features.

      F-droid is slow to get updates but it also verifies each app

      • digger@lemmy.ca
        ↑4 · 1 year ago

        There is safety there, but you’re just as safe using the developer’s own repository for their apps, like NewPipe, Collabora, or the Guardian Project.

    • Squizzy@lemmy.world
      ↑3 ↓1 · 1 year ago

      I just have the basic f droid app, the layout is awful and confusing. Is there one you suggest?

    • skybox@lemm.ee
      English · ↑2 · 1 year ago

      Oh THAT’S what repos are for? I assumed they were all independently structured and incompatible with each other for different reasons lmao.

    • Hamartiogonic@sopuli.xyz
      ↑1 · 1 year ago

      Many years ago I tried to go completely de-googled, and that involved using only F-droid. One of the many problems I faced was the tedious update process. I needed to tap each and every app individually every time there were updates. I wonder if droid-ify could have fixed that. Unfortunately I didn’t come across that app at the time, so I didn’t try it out.

      • digger@lemmy.ca
        ↑4 · 1 year ago

        Oh for sure! Droid-ify offers a few different installation methods. The Legacy and Session install options are what you are used to. With those methods, you are prompted to download and install with each update.

        With the Root install method, updates can be downloaded and installed in the background using root privileges. Lastly, and I think most intriguing, is using Shizuku. Shizuku is a utility that will give you close to root access using ADB. See link for details. So, with the Shizuku install methods, Droid-ify can keep all your F-Droid apps up to date with little intervention from the user.

        Footnote: Because Shizuku leverages ADB, it needs to be started manually after each reboot.

        • Hamartiogonic@sopuli.xyz
          ↑1 · 1 year ago

          That’s awesome! Looks like there’s been progress while I was not looking.

          What do you think, is it now a viable option to daily drive a completely de-googled phone?

          • digger@lemmy.ca
            ↑2 · 1 year ago

            It’s a lot more feasible than it used to be. I also use Aurora Store to fill in the gaps.

  • qyron@sopuli.xyz
    ↑45 ↓1 · 1 year ago

    Been using Fdroid to the point where my first boot into a new phone is:

    Open chrome > download fdroid > open settings > uninstall/disable every single application I can > open fdroid > install all the relevant apps I require for making my phone useful

    I’m just waiting for a small life upgrade in order to be able to support some app developers; it will be money better spent than using the standard google apps.

      • ArtisinalBS@lemm.ee
        ↑3 · edited 1 year ago

        It’s insane that I can’t make any steps towards ungoogling myself w/o paying 2.5 times the price of a phone. I can’t buy an already degoogled pixel here, I can’t buy fairphone here, I can only use a package forwarding service from the US, declare it to customs - and watch them add a monstrous fee to it.

        I wish I could have the courage to buy a pixel and try to replace the OS myself - but I fear I will just brick it…

        • bug@lemmy.one
          English · ↑9 · 1 year ago

          Installing GrapheneOS is actually ludicrously easy if you’re expecting some kind of root exploit nonsense like you used to have to do with custom ROMs! Full instructions here, happy to answer any questions if you need!

        • Keith@lemm.ee
          ↑6 · 1 year ago

          You 99% won’t brick it, I guarantee you. Graphene’s install is really easy. You press a few buttons on a website and never touch a terminal, aside from if you’re on GNOME. As for price, I got a used Pixel 4a 5g for 100 and newer ones won’t be as expensive as the things you might’ve gone for. Try a used Pixel 6a? (Graphene doesn’t extend software support)

        • arc@lemm.ee
          ↑2 · edited 1 year ago

          Bricking is a possibility but for phones that can be unlocked, it should be a matter of following the instructions on Lineageos - unlock the bootloader, flash the recovery partition, flash lineageos + Google apps.

          The biggest pain in the ass for me was trying to get the adb & fastboot tools to talk to the device in the first place. For example OnePlus requires drivers for its devices but Windows doesn’t install them automatically so you have to go find them. Except the adb driver works but the fastboot one didn’t. Then after a bunch of searching it turns out OnePlus forgot to sign the fastboot driver so Windows refused to install it and I had to boot Windows in a convoluted way to disable signature verification to get the driver installed.

          After all that, the rest was relatively straightforward but it still took several hours of effort. IMO Lineageos is a pretty ugly dist but if you install Google Apps it’s not missing anything and it extends the phone’s life beyond what the manufacturer could be bothered to support.

        • MigratingtoLemmy@lemmy.world
          ↑2 ↓1 · 1 year ago

          The first issue is that you’re in the US.

          As for installing Graphene, it’s very unlikely that you will brick your mobile, since with the new WebUSB installer, you don’t have to do anything. Just set it to install and have your favourite beverage whilst the Web installer deals with it

      • qyron@sopuli.xyz
        ↑6 · 1 year ago

        I’ve used so called entry level phones my entire life; I can’t motivate myself to spend the amount a Fair Phone costs, although the concept is appealing and regardless the geek in me going nuts with the idea of tinkering with my phone as I do with my computer. I also prefer rugged phones, which is something most brands don’t cater to.

        My current phone is an Oukitel and has already passed the three year mark, still more than enough for my needs, in great part thanks to my option to run FOSS whenever possible.

        • Possibly linux@lemmy.zipOP
          English · ↑1 · 1 year ago

          I just run Lineage os. Sure, it’s not as secure but it supports many phones and is clean and light.

          Combine it with F-droid and you’re golden

          • qyron@sopuli.xyz
            ↑1 · 1 year ago

            I doubt I can get that to run on my phone. Being a minor brand, it is as if it doesn’t exist.

            • Possibly linux@lemmy.zipOP
              English · ↑1 · edited 1 year ago

              What device is it? There probably is an unofficial build.

              Also 3 years is not that old. My phone is from 2019 and runs Android 13 just fine (Motorola-ocean)

              • qyron@sopuli.xyz
                ↑1 · 1 year ago

                Oukitel WP8 Pro

                It has an MT6762D CPU, with 4GB RAM.

                And now I’m doubting for how long I’ve had it, as the last update for the Android 10 it runs is from 2020 and I can remember updating it, for sure.

    • selokichtli@lemmy.ml
      ↑4 · 1 year ago

      Does it have an update all button? That’s what prevented me from continuing to use it some months ago.

      • Psythik@lemm.ee
        ↑3 ↓5 · 1 year ago

        Why would you ever want to do that? Sometimes the older version is better for about a third of the apps on my device.

        • thayer@lemmy.ca
          English · ↑10 · 1 year ago

          Running outdated versions of software, whether on your phone or the desktop, will generally expose you to more vulnerabilities and is not best practice from a security perspective.

        • PraiseTheSoup@lemm.ee
          ↑4 ↓2 · 1 year ago

          People that don’t have a solid grasp on computing tend to think any and all updates are inherently good.

        • selokichtli@lemmy.ml
          ↑2 · 1 year ago

          Huh, most of the time. I mean, people like you don’t have to use it at all, but I prefer to just press “Update all” once if I have >2 updates in a row.

        • rbits@lemm.ee
          ↑1 · edited 1 year ago

          Droidify has an ignore all new versions button. And you can of course downgrade whenever you want.

        • PraiseTheSoup@lemm.ee
          ↑3 ↓4 · 1 year ago

          People that don’t have a solid grasp on computing tend to think any and all updates are inherently good.

  • limeaide@lemmy.ml
    ↑23 · 1 year ago

    I know this thread is already a little old, but here is the list of my favorite apps from F-Droid/Izzy. I use a lot of these almost daily and just thought I would share these in case someone might find a new app they find useful

    • Eternity (Infinity for Lemmy)
    • Buckwheat (Budgeting)
    • Aegis (Authentication)
    • Lawnchair (Pixel-like launcher)
    • Quillnotes (Markdown notes app)
    • Forkyz (Crosswords)
    • Geometric Weather
    • Imagepipe (Removes exif data and reduces pics)
    • AntennaPod (Podcast app)
    • Olauncher (Beautiful and minimal text based launcher)
    • nutlink@beehaw.org
      English · ↑16 · 1 year ago

      This list obviously isn’t everything, but there’s a lot available. I kept it pretty broad although there’s a ton of niche and specialized software available too.

      OpenTracks - Keep track of how many steps you take throughout the day without a smart watch.

      K9Mail - A privacy oriented mail client alternative to the Gmail app.

      Diaguard - A diabetes diary app to track your blood sugar.

      Drinkable - List a few ingredients and what liquor you have at home and it gives you a list of drinks you can make.

      Newpipe - A YouTube client without ads.

      Libretube - Another YouTube client without ads.

      Blood Pressure Monitor - Same thing as the diabetes, but great if you have high blood pressure you need to track.

      ChordReader 2 - Get guitar chords to learn how to play songs.

      Fennec - A web browser based on Firefox that’s privacy oriented.

      Red Moon - Makes looking at your phone easier on your eyes at night.

      • SirEDCaLot@lemmy.fmhy.net
        ↑8 · 1 year ago

        Newpipe - A YouTube client without ads.

        Literally can’t say enough good stuff about Newpipe.
        Everything YouTube SHOULD be, this is. LISTEN TO A VIDEO IN THE BACKGROUND!!!11. Playback speed infinitely adjustable- good for lectures, interviews, etc. No ads. No bullshit.

    • polle@feddit.de
      ↑12 · 1 year ago

      Most of the apps of Tibor Kaputa. I really like the simple gallery. The simple dialer and simple contacts are also really good. Just clean default apps that do what they should. (ad-free)

    • Dave@lemmy.nz
      ↑11 ↓1 · 1 year ago

      Endless Sky and Mindustry are some good, fun, deep games.

      • Cethin@lemmy.zip
        English · ↑3 · 1 year ago

        The UX for Mindustry sucks compared to something like Factorio, because it’s really tough to do those controls on touch screen, but it’s good enough. I’ve enjoyed it for the little I tried.

    • keepcarrot [she/her]@hexbear.net
      English · ↑9 · 1 year ago

      NewPipe lets you listen to youtube videos without the screen on (and also download them or just the audio).

      Probably the main thing I use

    • peanutdust@lemm.ee
      ↑8 · 1 year ago

      redreader, newpipe, session messenger(needs repo thing from website), aurora store, simple gallery pro

    • 1984@lemmy.today
      ↑8 ↓1 · edited 1 year ago

      Newpipe in particular is super important. It’s a better YouTube app with more features and no ads.

      Sorry for not supporting Google, I know they need more money… /s

      • Fisch@lemmy.ml
        ↑8 · 1 year ago

        I prefer LibreTube because it doesn’t look outdated and it uses Piped, so you never actually connect to the YouTube servers and you can synchronize your subscriptions and playlists

        • 1984@lemmy.today
          ↑2 ↓1 · 1 year ago

          It’s a fantastic app. Remember to set your default YouTube links to open with it also, you can do that with android in app settings.

    • temptest [any]@hexbear.net
      English · ↑2 · 1 year ago

      A lot of the utility is it having apps with similar capabilities but without the same kind of privacy invasions, and with better description of what anti-features an app has. So as far as ‘the average user’, I’d just say alternative apps (or even the same ones, if you’re already using FOSS apps) to the same ones they’d use on Play Store, and a few of the games.

    • gaael@lemmy.world
      ↑2 · edited 1 year ago

      Pretty much all the basics are covered, here are some examples:

      • Newpipe for videos and music
      • FairEmail for email
      • Organic Maps for maps and routes
      • Aves Libre for gallery
      • lots of privacy-oriented instant messaging apps (I use DeltaChat)
      • Jerboa for lemmy
      • plethora of calendars, todo apps, calculators, keyboards…
      • some games

      And then of course all you power-ish user stuff (alternate launchers, clients for self-hosted clouds and stuff, terminal emulators…)

      • PersonalDevKit@aussie.zone
        ↑2 · 1 year ago

        Worth noting while checking out Aves libre it seems the developer has renamed it to just Aves and continued updating.

        New to f-droid so if I have this wrong let me know

      • Cethin@lemmy.zip
        English · ↑5 · 1 year ago

        Thanks to US infrastructure I don’t need yet another map just for public transport! Thanks US government for looking out for us little people! (I really don’t think this is needed, but /s just in case.)

  • Illecors@lemmy.cafe
    English · ↑23 ↓1 · 1 year ago

    Fdroid basic allows automatic updates!

    The Guardian Project repos are also preset, albeit not enabled by default.

  • lejsh@lemmy.ml
    ↑22 ↓1 · edited 1 year ago

    Are they planning on modernizing the app for Material You? It feels out of place in my phone in 2023.

    edit: all the people who suggested Droid-ify know what’s up. Thanks, guys!

  • shortly2139@lemmy.world
    ↑20 ↓2 · 1 year ago

    Even better, Obtainium installs direct from the dev’s host. You could use fdroid to find the homepage/where they host and add it to Obtainium

    • Fisch@lemmy.ml
      ↑9 · 1 year ago

      Installing through F-Droid is way easier tho and the IzzyOnDroid repo actually uses the binaries from the developer

      • L3ft_F13ld!@links.hackliberty.org
        ↑4 · 1 year ago

        Though, last I checked, IzzyOnDroid does warn that they usually only host things not found on F-droid. Once something they host gets included in F-droid it’s often removed from IzzyOnDroid without warning.

            • Schlemmy@lemmy.ml
              ↑1 · edited 1 year ago

              Droid-ify offers apps from different repositories so you can have Izzyondroid and F-droid at the same time. It also scans for updates and does auto-updates if possible.

              • newIdentity@sh.itjust.works
                ↑2 · 1 year ago

                Yeah I know about that but what has that to do with IzzyOnDroid apps which pulls the apps from GitHub being removed after they’ve been added to the official Fdroid repo

                • Schlemmy@lemmy.ml
                  ↑1 · 1 year ago

                  Apparently it seems that I don’t get it indeed.

                  I said Droid-ify is a ‘best of both worlds’ because it offers the ease of use of F-droid but also pulls from IzzyOnDroid/GitHub.

    • Possibly linux@lemmy.zipOP
      English · ↑9 ↓1 · 1 year ago

      I prefer F-droid as it adds a layer of checks to hopefully keep the devs from doing something malicious

        • Possibly linux@lemmy.zipOP
          English · ↑6 ↓1 · 1 year ago

          It’s not security I’m looking for. If I wanted security I would be running stock with all of the apps from large corporations.

          What’s good about F-droid is the freedom you get when you use it. All of its apps are libre. You have the ability to tweak them any way you want and the source code is yours to study, learn, modify and distribute.

    • Skull giver@popplesburger.hilciferous.nl
      ↑48 ↓3 · 1 year ago

      Those are some very strange objections to F-Droid. The outdated signing software on the backend doesn’t really affect the end user, for a start. The signing key problem is also present in Google Play, the only other app store people actually use, and it’s intentional.

      F-Droid builds the sources developers make available, it doesn’t accept a developer’s build with the pinky promise that no malware was added when they compiled their code.

      The loose requirements are a feature, not a bug; things like a low API target level are why Termux still works on F-Droid but not on GPlay. This does pose some privacy risks because of API compatibility stuff, but because of the requirements for an app to be even listed on there, the impact is minimal.

      Should F-Droid improve their technical debt? Definitely. Does any of this pose an actual risk to users? Definitely not.

      • c0mmando@links.hackliberty.org
        ↑9 ↓20 · 1 year ago

        Doesn’t affect the end user… beyond diminished security. Are you implying I should trust Fdroid devs as much as I would trust Google devs?

        • Skull giver@popplesburger.hilciferous.nl
          ↑27 ↓3 · 1 year ago

          What diminished security, though? “Apps you can install may be evil” is true of any software repository, whether it’s the Microsoft Store or Steam.

          You should trust the devs of anything you install as much as the Google devs. Not just the devs of the app store itself, also the devs behind the apps these stores serve.

          If you don’t trust them, don’t use their product. Not trusting a third party is one of the major reasons F-Droid is even a thing, because Google can’t exactly be trusted to have your best interests in mind with their app store.

    • Possibly linux@lemmy.zipOP
      English · ↑8 ↓1 · 1 year ago

      I actually would go for the main repo as all the software in the main repo is reviewed by the main Dev team

        • Possibly linux@lemmy.zipOP
          English · ↑20 ↓1 · 1 year ago

          The author of this article completely misses the point of F-droid. They clearly are used to a world of proprietary software that takes “security” over freedom

          So yes I did read the article and no it doesn’t change anything. If you’re going to make an argument you shouldn’t just link to someone else’s work. Part of the problem with the internet is no one thinks for themselves

          • c0mmando@links.hackliberty.org
            ↑5 ↓10 · edited 1 year ago

            Sure, I’ll spell it out for you since apparently the point went right over your head. Fdroid devs are a single point of failure by signing every application themselves. This introduces a potential for supply chain attack, not to mention Fdroid running on EOL servers.

            When you use an individual dev repo, you can avoid any trojanized apps from Fdroid because the developers maintain their own infrastructure and sign their own apks.

            That’s called… D I S T R I B U T E D T R U S T

            • Captain Beyond@linkage.ds8.zone
              ↑22 · edited 1 year ago

              The reason F-Droid builds from source is to ensure that they can enforce their inclusion criteria. If you go outside F-Droid you lose that guarantee. For example, self-published apks in github or google play may contain anti-features or proprietary code that are forbidden by the F-Droid standards.

              From another point of view, what you call a single point of failure is a third party that represents the interests of the user community, independent from individual developers. This is the same model used in GNU/Linux distributions, and Drew DeVault explains here the role that software distributions play in the free software community.

              Of course, this represents a trade-off, in that you are placing trust in the software distribution instead of or in addition to the upstream developer. The question is, how can you solve the problem without foregoing F-Droid’s inclusion standards? The answer is reproducible builds, where F-Droid builds from source and compares to the developer’s apk, and publishes the developer’s apk with their signature if the build reproduces successfully.

              Until Reproducible builds are the norm in the Android free software world, I accept the trade-off because I value having software freedom in my computing, and I know I can’t trust upstream developers to care about that as much as F-Droid or I do.
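
The reproducible-build check described in the comment above, sketched as an added example (not part of the original comment and not F-Droid's own tooling): it compares a from-source rebuild with a developer-signed APK entry by entry, ignoring only the v1 signature files. The package name, file contents and function names are constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

# v1 (JAR) signing adds these files under META-INF; they differ per signer by
# design, so they are the only entries excluded from the comparison.
# The APK Signature Scheme v2+ block is stored outside the ZIP entries, so an
# entry-level comparison does not see it at all.
SIGNATURE_ENTRY = re.compile(r"^META-INF/([^/]+\.(SF|RSA|DSA|EC)|MANIFEST\.MF)$")


def content_digests(apk_bytes):
    """Map entry name -> SHA-256 of the uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or SIGNATURE_ENTRY.match(info.filename):
                continue
            # Two entries with one name make the archive ambiguous: different
            # parsers may pick different copies, so refuse to compare it.
            if info.filename in digests:
                raise ValueError(f"duplicate entry {info.filename!r}")
            digests[info.filename] = hashlib.sha256(apk.read(info)).hexdigest()
    return digests


def compare_builds(rebuilt_apk, developer_apk):
    """Report how the developer's APK differs from the rebuild from source."""
    ours = content_digests(rebuilt_apk)
    theirs = content_digests(developer_apk)
    report = {
        "only_in_rebuild": sorted(ours.keys() - theirs.keys()),
        "only_in_developer": sorted(theirs.keys() - ours.keys()),
        "content_differs": sorted(
            name for name in ours.keys() & theirs.keys() if ours[name] != theirs[name]
        ),
    }
    # The developer's signed APK is only acceptable if nothing differs.
    report["reproduced"] = not any(report.values())
    return report


def make_apk(entries):
    """Build a small ZIP in memory to stand in for an APK (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    return buf.getvalue()


# Constructed sample inputs, not real APKs.
BASE = {
    "AndroidManifest.xml": b"<manifest package='org.example.app'/>",
    "classes.dex": b"dex\n035\x00 constructed bytecode",
    "res/raw/about.txt": b"v1.0",
}
V1_SIGNATURE = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"constructed signature file",
    "META-INF/CERT.RSA": b"constructed signature block",
}
REBUILT = make_apk(BASE)                        # unsigned build from source
DEVELOPER = make_apk({**BASE, **V1_SIGNATURE})  # same content, developer-signed
TAMPERED = make_apk({
    **BASE,
    **V1_SIGNATURE,
    "classes.dex": b"dex\n035\x00 constructed bytecode plus extra code",
    "lib/arm64-v8a/libextra.so": b"constructed native library",
})

if __name__ == "__main__":
    for label, candidate in (("developer", DEVELOPER), ("tampered", TAMPERED)):
        print(label, compare_builds(REBUILT, candidate))
```

A signed APK that adds or changes anything outside the signature files fails the comparison, which is the property that lets a repository ship the developer's signature without trusting the developer's build machine.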

              • c0mmando@links.hackliberty.org
                ↑2 ↓3 · 1 year ago

                Sure, at least you admit there’s a trade off (security) for (FOSS) and maybe some additional privacy.

                People should be made aware of the risks and choose according to their threat models, which is why I’ve highlighted some of these issues to begin with.

            • Possibly linux@lemmy.zipOP
              English · ↑4 · 1 year ago

              Everything the F-droid team does is out in the open. You’re welcome to audit it once in a while and suggest changes to make it better. I’m sure they wouldn’t mind the help.

              F-droid is the best tool we got. It’s not a silver bullet but it is better than anything else I’ve seen

  • elbowgrease@lemm.ee
    ↑17 ↓2 · 1 year ago

    I’ve always had a niggling worry that downloading apps from 3rd party app stores came with a higher risk of getting apps with viruses and spyware.

    any truth to this?

    • qyron@sopuli.xyz
      ↑18 ↓2 · 1 year ago

      Not really.

      Fdroid is a secure repository and the applications are reviewed before being made available for end users.

      The repository is also highly focused on privacy and security and will warn if applications have security flaws or depend on non free services.

      As an example, I use NewPipe instead of the standard YT app and it has a warning it depends on non-free services.

      One other example I can give is Librera. It’s a very feature rich ebook/pdf/etc reader. At some point, a security flaw was discovered and the app was instantly flagged as having such problems and users were advised to not install it.

      • karlthemailman@sh.itjust.works
        ↑2 ↓1 · 1 year ago

        Fdroid is a secure repository and the applications are reviewed before being made available for end users.

        Reviewed by who though? Malicious apps even get through apple and Google’s screening. I can’t see how fdroid can match the capabilities of those guys.

        • Malicious apps can make it onto F-Droid as they can onto any app store. The biggest difference is that F-Droid compiles apps from the published source code rather than accept uploads from the developer directly. That means only apps with source available are installable by default, built from the source everyone else can read.

          If there’s any malware in these apps, the malicious code can be found in the public source code.

          There is a manual vetting process before an app is accepted into the repo which should detect shady behaviour but updates aren’t subject to this strict process, so it’s not a full fix.

    • transientDCer@lemdro.id
      English · ↑11 ↓1 · 1 year ago

      The benefit of open source apps is anyone can view the code to see if there is malware or other installed.

      • temptest [any]@hexbear.net
        English · ↑9 ↓2 · 1 year ago

        This is a bit of a fallacious point in this context - it suggests:

        • apps will be investigated by their users (not guaranteed, nor even likely for unpopular apps)
        • an app will even have users capable of detecting malware (I don’t know squat about phone malware patterns, so I wouldn’t be effective at it even if I did scan through thousands of lines of code)
    • dmrzl@programming.dev
      ↑7 ↓2 · 1 year ago

      What I can tell you is that Google was extremely detailed in their monitoring of my apps - even looking up e.g. rate limits of the Steam API to check if I properly deal with those. And I pick that example since I don’t want to talk about the ways I mishandled user data out of negligence or ignorance.

      Back then I perceived it as harassment. Today I will certainly not install any apps that didn’t pass their testing.

      And we’re not even talking about deliberate malware but simple incompetence. I would consider the average hobby app project to be borderline malware and a proper QA needs qualified personnel. I don’t see how F-Droid can ever reach those standards.

      • argv_minus_one@beehaw.org
        arrow-up
        7
        ·
        edit-2
        1 year ago

        Play’s reputation for being full of malware stands directly at odds with your assessment.

        Hobbyists are rarely incompetent. They actually take pride in their work, and aren’t just trying to quickly slap something together for a quick buck.

        Not sure what gave you the impression that most phone apps have gone through professional QA, but I very seriously doubt that they have.

        As for mishandling user data, it’s a lot easier to avoid doing that when user data never leaves the user’s device in the first place. Proprietary apps collect user data for profit; free and open source apps often don’t.

      • temptest [any]@hexbear.net
        English
        arrow-up
        4
        ·
        1 year ago

        What is your justification for this claim?

        I use F-Droid as my main app store, and while I trust most of the apps on there and haven’t found any asking for permissions they don’t need, I wouldn’t claim any Android app store is more secure than the Play Store. This post goes into technical detail comparing the two: https://privsec.dev/posts/android/f-droid-security-issues/ - Note: emphasis in the conclusion mentioning that these criticisms may or may not really matter, depending on your threat model. (as an aside - if anyone here doesn’t know what a threat model is, determine yours before participating in any privacy community or you’ll just end up with useless paranoia)

        That said, I would guess that Play Store may have a higher risk of malicious apps only due to the fact that there are far, far, far, far more potential victims, and being the default app store, victims are less likely to be technically experienced enough to notice false apps. So, almost all attackers will probably aim for the most targets and only bother targeting the Play Store, despite the extra challenges.

        [tagging @elbowgrease@lemm.ee ]

          • temptest [any]@hexbear.net
            English
            arrow-up
            2
            arrow-down
            1
            ·
            1 year ago

            I did make up my mind, and both I and the article explicitly emphasise that people should apply the facts it presents to their own circumstances. What you just wrote is very condescending and insulting.

            • Possibly linux@lemmy.zipOP
              English
              arrow-up
              1
              ·
              edit-2
              1 year ago

              Well, my intention was not to offend you. However, I still firmly believe that using a proprietary app store run by Google is not as good as an app store that takes libre software as a priority.

              Sorry if you interpreted it as an insult. I just don’t like when people blindly follow others. I am not sure if that’s something you are doing but it’s something I see a lot of. I’m not perfect either and I probably should work on my wording to make it less harsh.

              • temptest [any]@hexbear.net
                English
                arrow-up
                1
                ·
                1 year ago

                It’s alright, and just to be clear, I do use and support F-Droid because I personally think it is better and suits my privacy goals. I didn’t mean to sound as if I wasn’t supporting it, just that it’s a bit more nuanced when talking about the security side: like almost everything in security, it’s more complex than one tool being universally better than another.

    • MrSqueezles@lemm.ee
      arrow-up
      2
      arrow-down
      1
      ·
      1 year ago

      Even small companies have to deal with “supply chain” attacks, criminals putting code into open source repositories to steal data and get access to servers. App stores are major targets too.

      There have been weather apps that need your location to show you weather and oops we also send your location history to our data center in China and sell that data.

      There have been “document scanner” apps that help you take pictures of things like credit card statements and did we not mention we send those images to Russian servers?

      Do use a major brand phone like Samsung, keep your OS up to date, and don’t expose private info to these apps or give them special privileges, especially “accessibility” or “screen reader”, and you should be okay.

  • victron@programming.dev
    English
    arrow-up
    16
    arrow-down
    2
    ·
    1 year ago

    I have never found anything useful in it. And god I have tried. I end up uninstalling it every time.