F-Droid is an installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform. The client makes it easy to browse, install, and keep track of updates on your device.
What diminished security, though? “Apps you can install may be evil” is true of any software repository, whether it’s the Microsoft Store or Steam.
You should trust the devs of anything you install as much as the Google devs. Not just the devs of the app store itself, also the devs behind the apps these stores serve.
If you don’t trust them, don’t use their product. Not trusting a third party is one of the major reasons F-Droid is even a thing, because Google can’t exactly be trusted to have your best interests in mind with their app store.
The diminished security resulting from the increased likelihood of a (single point of failure) supply chain attack.
Yes its possible for malicious devs to trojan apps, but due to apk signing it is much more difficult for a third party entity to induce a supply chain attack, which is my real concern when it comes to phone security.
If you have a lower threat model, this post isn’t for you…
I don’t see how supply chain attacks on F-Droid are any different from other app stores. Supply chain attacks would also attack the APK compiled on a deb’s machine.
Also, APKs are signed on Google’s servers, devs don’t have control over those signatures anymore, unless they distribute their APKs through other means (which would impose similar if not worse risks compared to F-Droid, of course).
Doesn’t affect the end user… beyond diminished security. Are you implying I should trust Fdroid devs as much as I would trust Google devs?
What diminished security, though? “Apps you can install may be evil” is true of any software repository, whether it’s the Microsoft Store or Steam.
You should trust the devs of anything you install as much as the Google devs. Not just the devs of the app store itself, also the devs behind the apps these stores serve.
If you don’t trust them, don’t use their product. Not trusting a third party is one of the major reasons F-Droid is even a thing, because Google can’t exactly be trusted to have your best interests in mind with their app store.
The diminished security resulting from the increased likelihood of a (single point of failure) supply chain attack.
Yes its possible for malicious devs to trojan apps, but due to apk signing it is much more difficult for a third party entity to induce a supply chain attack, which is my real concern when it comes to phone security.
If you have a lower threat model, this post isn’t for you…
I don’t see how supply chain attacks on F-Droid are any different from other app stores. Supply chain attacks would also attack the APK compiled on a deb’s machine.
Also, APKs are signed on Google’s servers, devs don’t have control over those signatures anymore, unless they distribute their APKs through other means (which would impose similar if not worse risks compared to F-Droid, of course).
If you think Fdroid security is on par with Google security… then I got a bridge to sell you
How does a supply chain attack work?
An upstream compromise that affects downstream hosts. A good example is the NPM supply chain attack -> https://hackaday.com/2021/10/22/supply-chain-attack-npm-library-used-by-facebook-and-others-was-compromised/