this post was submitted on 03 Jun 2025
41 points (82.5% liked)

Privacy
Is F-droid insecure? (sh.itjust.works)
submitted 3 days ago* (last edited 3 days ago) by [email protected] to c/[email protected]
In the GrapheneOS forum, I encountered a claim that F-Droid is insecure (and not good at privacy as well). These links (and more) were given as evidence:

While there is some attitude against FOSS apps, I think the arguments are generally sound and in good faith. Which makes me confused, as I've been hearing good words about F-Droid in the lemmyverse.

I am not good at assessing arguments, so I want to ask you guys for more aspects and information.

Also, if not F-Droid, what should I use? Is Aurora Store, a frontend of the Play Store, not fine to use as well?

[–] [email protected] 16 points 3 days ago* (last edited 2 days ago) (2 children)

To answer your top level question:

If it's not Linux from Scratch, then we don't know exactly what is running, and we need to consider that.

We made rocks think. There's some trust decisions involved.

Should I blindly trust every app I find on F-Droid? No. The article correctly lays out reasons why.

Most of them also apply to Google Play and to Aurora.

Your decision which to trust depends which threat protections you need the most:

  • Google Play provides stronger protections against people who are trying to run up your credit card through Google Play purchases. Many of the protections cited in the article were developed for this reason. Google Play store apps can fraudulently charge your credit card. But Google works hard to prevent this, with mixed results.

  • Aurora serves the same apps as Google Play and effectively benefits from the same protections.

  • In addition, Aurora adds additional context about malicious corporate behavior. Google has slowly added some, but not all, of these to Google Play. But at the end of the day, Google is being paid to look the other way by some corporations.

  • Like Aurora, F-Droid includes details meant to protect you from abuses by corporations. I would argue that F-Droid's protections are stronger than even Aurora's.

  • F-Droid does not include a method to charge your credit card. This makes a number of security differences in the article much less important, to most people. Of course, there's more harm that an app can do than credit card charges.

Because I am aware of many harms caused by individual bad actors and corporations, my preference order goes:

  • F-Droid - Preferred. I find the arguments in the article weak, and a bit out of date. I also feel that F-Droid had dramatically less need for the protections discussed, because there's no mechanism available to F-Droid apps to run up my debit card.
  • Aurora Store - Acceptable. Some useful apps aren't on F-Droid.
  • Google Play Store - Unacceptable to me. Aurora provides the same apps, but gives me better insights into the privacy impact of each app. Google Play is getting better over time, but the Google team has financial incentives to present trading my privacy for convenience as a good idea.
[–] [email protected] 4 points 2 days ago

I like F-Droid's hard stance against non-FOSS software. Not interested in getting strangled by my own infrastructure. If the F-Droid people don't allow it, I don't want it.

To me that makes Aurora more potentially compromised by commercial interests. More tracking, less privacy, less secure.

[–] [email protected] 5 points 2 days ago (1 children)

If it’s not Linux from Scratch, then we don’t know exactly what is running, and we need to consider that.

What about Precursor? It's "just" a RISC-V System-on-Chip (SoC), yet that's the entire premise: trying to know all the way down to the processing unit's instructions.

[–] [email protected] 4 points 2 days ago

Yeah, that's going beyond the software and making the physical supply chain possible to validate by a sufficiently equipped and educated consumer.

The trade-off here is that it's very difficult to produce verifiable circuitry that is also fast.