With the whole XZ compromise, I am now rethinking the pros and cons of using F-Droid

Google Play: trust the developer, trust Google’s vetting process and distribution

F-Droid: trust the developer, trust F-Droid build tools and distribution

So in both cases, the developer could be either knowingly or unknowingly including malicious code in their code or APK… We can’t really do anything about that. Have to trust the developer, or build from source yourself.

Once the APK is produced and sent to Google, it is unlikely to be altered before being downloaded on to your phone. (Assuming your threat model does NOT include Google being coerced by state-level actors to send you a bad .apk)

F-Droid’s entire build chain and distribution seems like a relatively easy target for building and distributing bad .apks. We’re talking about the difference between attacking Google vs. attacking a small community-supported website.

Don’t get me wrong, I’m a long-time F-Droid user and donor. I’m just thinking out loud and seeing if anyone else has similar concerns.

  • evo · 8 months ago (edited)

    Once the APK is produced and sent to Google, it is unlikely to be altered before being downloaded on to your phone.

    This is potentially beside the point, but APKs aren’t even uploaded to the Play Store anymore. You upload an App Bundle (AAB) and Google actually generates all the different APKs that would be needed for different devices.

    F-Droid’s entire build chain and distribution seems like a relatively easy target for building and distributing bad .apks.

    Yes. And what happens to you if F-Droid discovers something bad happened? Not much. I believe Google has the power (as scary as it is) to remotely remove apps from your device.