In the GrapheneOS forum, I encountered a claim that F-droid is insecure (and not good at privacy as well). These links (and more) were given as an evidence:
- https://privsec.dev/posts/android/f-droid-security-issues/
- https://xcancel.com/GrapheneOS/status/1883895255142932816#m
- https://github.com/obfusk/fdroid-fakesigner-poc
While there are some attitude against FOSS app, I think the arguments are generally sound and in good-faith. Which makes me confused, as I’ve been hearing good words about F-droid in lemmyverse.
I am not good at assessing arguments, so I want to ask you guys for more aspects and information.
Also, if not F-droid, what should I use? Is Aurora store, a frontend of play store, not fine to use as well?
If you want to be as secure and private as possible, your best option is to set up your own build servers and automate builds, and validate the components used by each product conform to your needs and standards for security and privacy, and deployment to your own repository that your devices use for updates.
Beyond that, there are tradeoffs based on your needs with each app store out there. If you need total privacy on what you install and your devices are already not connected to the internet, then a VPN or Tor to obfuscate your identity might be all you need. If you’re more concerned about components of applications that contain spyware, then some stores like fdroid has a lot of data available to hep you decide if the app is OK for your needs, otherwise you’d need to build your own packages or verify them manually before installation. And there are various other tradeoffs between more accessibility vs. more security and/or privacy.