this post was submitted on 04 Dec 2023
262 points (97.8% liked)

Android

28034 readers
208 users here now

DROID DOES

Welcome to the droidymcdroidface-iest, Lemmyest (Lemmiest), test, bestest, phoniest, pluckiest, snarkiest, and spiciest Android community on Lemmy (Do not respond)! Here you can participate in amazing discussions and events relating to all things Android.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules


1. All posts must be relevant to Android devices/operating system.


2. Posts cannot be illegal or NSFW material.


3. No spam, self promotion, or upvote farming. Sources engaging in these behavior will be added to the Blacklist.


4. Non-whitelisted bots will be banned.


5. Engage respectfully: Harassment, flamebaiting, bad faith engagement, or agenda posting will result in your posts being removed. Excessive violations will result in temporary or permanent ban, depending on severity.


6. Memes are not allowed to be posts, but are allowed in the comments.


7. Posts from clickbait sources are heavily discouraged. Please de-clickbait titles if it needs to be submitted.


8. Submission statements of any length composed of your own thoughts inside the post text field are mandatory for any microblog posts, and are optional but recommended for article/image/video posts.


Community Resources:


We are Android girls*,

In our Lemmy.world.

The back is plastic,

It's fantastic.

*Well, not just girls: people of all gender identities are welcomed here.


Our Partner Communities:

[email protected]


founded 1 year ago
MODERATORS
262
submitted 11 months ago* (last edited 11 months ago) by GutsBerserk to c/android
 

Since simple mobile tools will soon become a spyware and I use 3 of their apps regularly, yesterday I installed F-Droid after reading many Lemmy recommendations.

Wow, I'm pleasantly surprised.

A new app I've tested is Spotube (Spotify open source alternative; edit: apparently it uses Spotify metadata but it streams from YouTube. My bad.).

Any other underrated app y'all recommend?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 9 points 11 months ago (3 children)

I moved a lot of my foss apps over to f-droid. But i'm a little worried about security.

The odds of a bad actor being able to takeover f-droid and update my keepass app with a malicious version seems a lot higher than someone being able to do the same google play, right?

[–] [email protected] 6 points 11 months ago

https://f-droid.org/docs/Reproducible_Builds/

Why not have both developer signed builds and repository verified source matches the binary?

[–] [email protected] 3 points 11 months ago (1 children)

This F-Droid-like model (also popularly implemented by Linux distributions) is usually considered an improvement in security.

The thing with FOSS is that ideally you don't have to trust the developer at all.
In theory, you could read the entire source code and compile it yourself. Then you'd know for sure that no malware is included.

Obviously, in practice, you can only hope that some nerds dig into the source code and notify journalists of malware-like behaviour.
It is no perfect protection. But it is the only tangible protection that FOSS actually delivers.

What does not protect you, is to trust each individual developer. They could publish innocous source code and then build the release binaries from a version with the malware-like behaviour patched in.

But because you likely don't want to compile each app yourself, you might still feel compelled to entrust that work to a third party. This is where the F-Droid team comes in. Rather than trusting each developer, you just have to trust a single team.

Well, and if an app is built in a reproducible build, then even the work from the F-Droid team can be verified.

[–] [email protected] 2 points 11 months ago (1 children)

I trust the debian repo because fortune 500 companies run debian and rely on it

F-droid repo doesnt have the same level of scrutiny

[–] [email protected] 1 points 11 months ago

Yeah, that is a valid opinion to hold. I am saying that trust is garbage.

You could consider compiling the KeePass app yourself, if you're worried about that one in particular.
A guy I used to study with, decided that he just wouldn't have a password manager on his phone.
I've certainly considered switching to a Linux phone for that, among many other reasons...

[–] [email protected] 1 points 11 months ago

You consider using Obtainium instead? It installs (and updates) directly from source release (Github repo, etc). That puts you directly in control of everything then.