In the GrapheneOS forum, I encountered a claim that F-droid is insecure (and not good at privacy as well). These links (and more) were given as an evidence:
- https://privsec.dev/posts/android/f-droid-security-issues/
- https://xcancel.com/GrapheneOS/status/1883895255142932816#m
- https://github.com/obfusk/fdroid-fakesigner-poc
While there are some attitude against FOSS app, I think the arguments are generally sound and in good-faith. Which makes me confused, as I’ve been hearing good words about F-droid in lemmyverse.
I am not good at assessing arguments, so I want to ask you guys for more aspects and information.
Also, if not F-droid, what should I use? Is Aurora store, a frontend of play store, not fine to use as well?
The biggest problem with F-Droid is that they sign the apps themselves, so if they ever get compromised, an attacker would be able to send malicious updates to any app installed via F-Droid. So now you need yo trust 2 parties (app developer and F-Droid) instead of 1. This is fixed by reproducible builds, which F-Droid does support but which most developers don’t bother with (F-Droid needs to start pushing for this more aggressively imo).