this post was submitted on 21 Nov 2024
18 points (95.0% liked)

F-Droid
F-Droid is an installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform. The client makes it easy to browse, install, and keep track of updates on your device.
Sorry if it sounds like a dumb question, but I always thought using the official Play Store that comes pre-installed is the safest, so everything related to F-Droid is new to me. Did anyone have apprehension about installing F-Droid when you had little to no knowledge of how it works? I like to be cautious, and on the page it has an "Instructions to verify the download" section, but it only tells how to check from Linux, not from Android. What am I missing here?

all 14 comments
[–] [email protected] 12 points 1 month ago (1 children)

I will be totally honest, I've never verified the signature, primarily for the same reason as other people. It has HTTPS connection, and I would highly doubt that the website had been hacked while I was trying to download it. However, that really is a terrible excuse, and I really should do better in the future. But honestly, I don't know how to verify signatures myself.

[–] [email protected] 7 points 1 month ago* (last edited 1 month ago) (1 children)

How do you know the signature hasn't been compromised?

I think it is a big rabbit hole I don't have time to think about

[–] [email protected] 3 points 1 month ago

I don't. As I said, I actually don't really know how to verify signatures. And even if I did, I know that you have to get the signature from somewhere else that is not run by them, so that if they were compromised, the signature would not be compromised as well.

[–] [email protected] 11 points 1 month ago

To be honest, I didn't verify the signature when I installed it. The download is over TLS (HTTPS) so you know you have a secure connection with the F-Droid server during the download. But because of the tiny chance the F-Droid website was hacked at the time you download it, you should verify the signature.

[–] [email protected] 5 points 1 month ago* (last edited 1 month ago)

They just didn't document how to do it on Android.

Using Play, which has recently been shown to have plenty of malicious apps, is probably the least safe way to install apps.

Edit: They documented what it typically looks like on Linux. To document how to do it elsewhere would require recommending an app to do it with.

Would you trust that recommendation?

[–] [email protected] 4 points 1 month ago* (last edited 1 month ago)

You don't need to verify it. Download it and then temporarily turn on "install from unknown sources". Once F-Droid is installed, you can turn off the install-from-unknown-sources setting. When you first install an app from F-Droid, you will need to grant F-Droid permission to install apps.

I personally think F-Droid is far better than the Play Store. I don't even use the Play Store on my device, as I don't use or install Google services. I run pure LineageOS with only apps from F-Droid. F-Droid takes a strong stance on freedom, libre software and privacy. To be on F-Droid you need to meet strict requirements.

[–] [email protected] 2 points 1 month ago

Stock Android does not have tools to do that verification. Just verify it from the desktop and then send it to your Android device.

But I don't see how verifying the apk signature would help if your concern is that "you have bare to none knowledge how it works". The only thing that would fix that would be if you actually learn how it works.

Luckily, unlike other stores that are closed source and actively and purposefully hide from you what they do, F-Droid is open source, so anyone can go to the repo holding their source code and learn how it works, or build their own themselves, as long as they wanna spend that much effort.
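
The "verify on the desktop, then copy the file over" step above needs a concrete check. The added example below is not from the thread or from the F-Droid project; it is a self-contained Python 3 script that reads the APK Signing Block (scheme v2/v3) straight out of the zip container and prints the SHA-256 fingerprint of the first signer's certificate, which is the same value `apksigner verify --print-certs` reports. You compare that against the fingerprint you obtained out of band (the thread's point about getting it from a second channel); the expected value is a command-line argument here and is deliberately not hard-coded, because this page does not state it. The script only needs the standard library, so it runs on a desktop or anywhere else Python 3 is installed. Caveat: it checks which key the APK claims to be signed with, not that the signature itself is valid; Android refuses to install an APK whose signature fails, so the two checks together answer both "is this signed by the key I expect" and "is the signature intact". The `build_test_apk` helper constructs a fake, non-installable APK purely so the parser can be exercised offline.

```python
"""Print and check the signing-certificate SHA-256 fingerprint of an APK.

Walks the APK Signing Block (v2 id 0x7109871a / v3 id 0xf05368c0) that sits
just before the zip central directory, pulls out the first signer's X.509
certificate and hashes its DER bytes.  Example code, not F-Droid's tooling.
"""
import hashlib
import hmac
import io
import re
import struct
import sys
import zipfile

V2_ID = 0x7109871A
V3_ID = 0xF05368C0
MAGIC = b"APK Sig Block 42"


def _lp(buf, pos=0):
    """Read one uint32-length-prefixed field at pos; return (bytes, next_pos)."""
    (n,) = struct.unpack_from("<I", buf, pos)
    end = pos + 4 + n
    if end > len(buf):
        raise ValueError("length-prefixed field runs past end of buffer")
    return buf[pos + 4:end], end


def _central_directory_offset(data):
    """Find the zip End Of Central Directory record; return (eocd_pos, cd_offset)."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("not a zip/APK: no EOCD record")
    (cd_offset,) = struct.unpack_from("<I", data, eocd + 16)
    return eocd, cd_offset


def signing_block_pairs(data):
    """Yield (id, value) pairs from the APK Signing Block preceding the central directory."""
    _, cd = _central_directory_offset(data)
    if cd < 24 or data[cd - 16:cd] != MAGIC:
        raise ValueError("no APK Signing Block (unsigned, or v1 JAR signature only)")
    (size,) = struct.unpack_from("<Q", data, cd - 24)
    start = cd - size - 8                     # 'size' excludes the leading uint64 itself
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("corrupt APK Signing Block (size fields disagree)")
    pos, end = start + 8, cd - 24             # ID-value pairs sit between the two size fields
    while pos < end:
        (length,) = struct.unpack_from("<Q", data, pos)
        (pair_id,) = struct.unpack_from("<I", data, pos + 8)
        yield pair_id, data[pos + 12:pos + 8 + length]
        pos += 8 + length


def signer_certificates(data):
    """Return (scheme_id, [DER certs]) of the first signer, preferring v3 over v2."""
    blocks = dict(signing_block_pairs(data))
    for scheme in (V3_ID, V2_ID):
        if scheme not in blocks:
            continue
        signers, _ = _lp(blocks[scheme])      # sequence of signers
        signer, _ = _lp(signers)               # first signer
        signed_data, _ = _lp(signer)           # signer -> signed data
        _digests, pos = _lp(signed_data)       # skip the digests sequence
        certs_seq, _ = _lp(signed_data, pos)   # sequence of X.509 DER certificates
        certs, pos = [], 0
        while pos < len(certs_seq):
            cert, pos = _lp(certs_seq, pos)
            certs.append(cert)
        if certs:
            return scheme, certs
    raise ValueError("no v2/v3 signer certificates found")


def fingerprint(cert_der):
    return hashlib.sha256(cert_der).hexdigest().upper()


def verify_apk_signer(data, expected_fingerprint):
    """Compare the first signer cert SHA-256 with an out-of-band value; return (ok, actual)."""
    _scheme, certs = signer_certificates(data)
    actual = fingerprint(certs[0])
    expected = re.sub(r"[^0-9a-fA-F]", "", expected_fingerprint).upper()
    return hmac.compare_digest(actual, expected), actual


def build_test_apk(cert_der, scheme=V2_ID):
    """Construct a minimal FAKE apk carrying cert_der in a signing block (test input only).
    It has no digests or signatures, so it is not installable; it exists to exercise the parser."""
    def lp(b):
        return struct.pack("<I", len(b)) + b
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    data = zbuf.getvalue()
    eocd, cd = _central_directory_offset(data)
    signed_data = lp(b"") + lp(lp(cert_der)) + lp(b"")   # digests, certificates, attributes
    signer = lp(signed_data) + lp(b"") + lp(b"")         # signed data, signatures, public key
    value = lp(lp(signer))                               # sequence holding one signer
    pair = struct.pack("<Q", 4 + len(value)) + struct.pack("<I", scheme) + value
    size = len(pair) + 8 + 16
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + MAGIC
    out = bytearray(data[:cd] + block + data[cd:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd + len(block))  # fix up CD offset
    return bytes(out)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: apk_signer_fingerprint.py <file.apk> <expected-sha256-fingerprint>")
    with open(sys.argv[1], "rb") as f:
        ok, actual = verify_apk_signer(f.read(), sys.argv[2])
    print(("MATCH " if ok else "MISMATCH ") + actual)
    sys.exit(0 if ok else 1)
```

Run it as `python3 apk_signer_fingerprint.py F-Droid.apk <fingerprint copied from a second source>`; a non-zero exit means the APK is signed by some other key and should not be sideloaded. An APK that carries only the old v1 (JAR) signature raises an error rather than silently passing, since that path is not parsed here.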

[–] [email protected] 1 points 1 month ago

I would not know that you can do this on Android, not without downloading another potentially malicious app anyway...

[–] [email protected] 1 points 1 month ago (1 children)

Could you get away with using something like Termux?

[–] [email protected] 1 points 1 month ago (2 children)

I've never heard of it, is it safe to use? I'll see if I can find the .apk from F-Droid

[–] [email protected] 2 points 1 month ago

How are you going to verify that APK?

If you are concerned just verify it from your desktop and then transfer the file over.

[–] [email protected] 2 points 1 month ago

Asking "is it safe to use" is pointless. No one can say an app is "safe", just that they've never seen an issue.

I'd argue Termux isn't safe, because if you're rooted you can break the OS. And I use Termux every day.

"Safe" is determined by your use-case and what you do. I'd even argue there's no such thing as "safe", just a risk level which you are comfortable with.