F-Droid, intransparent and insecure

While F-Droid project leader claim to be an ethical correct platform and an good alternative to Google Play Store, I would say, not so much but let us quickly go trough all claims and media hype to check if F-Droid is really a good and secure alternative or not.

Decentralization

Decentralization is not the answer. In fact it can cause additional problems to our climate, see here, here and here. Overall decentralization can speedup the climate change, it depends on various factors and if we are able to adopt renewables fast enough or not. Claiming that this is a good thing is not what shows the entire picture. If you run your own inefficient system vs. professionals who have more experience, money, research and hardware that are overall more efficient then there is no point in creating your own infrastructure. F-Droid simply wants to cherry pick one argument, because it was recently in the media again, use that to advertise their own platform without showing any drawbacks at all. Every system has drawbacks. Another problem is that creating other repositories and blindly adding them without reviewing them creates lots of security concerns. The normal user usually does not review repositories, the background and is able to review the code.

No mention about an possible F-Droid hacked developer account

F-Droid got recently hacked with an Endgame message. There was absolute no clear communication about what happened, the whole thing got no media attention and there is no mention on the Blog.

This is not only intransparent it is ethical incorrect to hide such important information from the public, remember they are the ones who claim to be ethical.

Addressed or not, people had a right to know if F-Droid or one of their developer accounts who has direct access was compromised or not. I checked the whole thing and I saw the same spam so it was legitimate concern that needed to be shown in public. 4 days later the message then finally went away, yet no announce, nothing, like nothing ever happend. Ethics, not so much, more like hiding to avoid reputation damages.

Update, possible not a Hack but still weird anyway

Someone finally gave me a statement via Mastodon. This basically links to the F-Droid repo saying that the app developer wiped all his apps but left the message. However, I still find it shady that such things are possible, it was and still is confusing and there was no Blog post about this, lets call it incident and you cannot expect that I monitor every single commit or discussion on GitLab.

F-Droid could handled it much better here, also it is unclear what consequences they do to avoid this in the future to be happening again.

Update 2

Dead links, dead accounts and no explanation. Impossible to get what really happened or if he got banned, compromised or not. It is questionable why you go trough all the hustle and then delete your app instead of archiving it.

I inspected the entire thing further and there is no evidence that the developer account was not compromised, F-Droid does not enforce 2FA and you can use GitLab without 2FA, as of today, if you want. The above linked repository does not conclude that an hacker took over the account and deleted or manipulated something on that specific developer account. Malware was not delivered but I never implied or said that, it is and was about possible account takeover and there is no clear mention how F-Droid handled it or what they will do in the future to prevent it.

F-Droid is insecure and no real competition to Play Store

The claim and clickbait on behalf of Googles back is weird, Google has millions of apps, millions of updates each day vs a handful of F-Droid apps in direct comparison. Claiming this is an alternative is nonsense. It is a small platform for advance users. Not the average Joe.

The security factor was covered by someone else in-depth over here. It pretty much covers what I said years ago and nothing really changed here, no improvements at all and no progression.

Not to mentioned that F-Droid never got an independent audit or professional code review, same like pretty much all apps, except a view and rare exceptions, that they promote. They simply compare millions of millions of users vs maybe 1 percent, of all others to each other and claim it is more secure. This is what I call the GrapheneOS echo chamber effect. You apply best practices for 1 percent of all existing users, claim something without any actual proof at all and mass market it as secure. Claims without anything, baseless and unprofessional. Microsoft does the same, please use our products, it is more secure. Source, Microsoft – or in other words, because we say so. I say the moment you become a target your security argumentation comes down to how fast you address things like feedback and the interaction with your community and not about best practices, because even they can fail. We had bunch of scenarios like supply chain attacks etc.

No Review system and the lie about no account

With Google you have one account and that is it, you can connect that one account to several services and platforms. This is easy and secure because Google provides a security dashboard among lots of other useful account features. F-Droid claims that you do not need an account, in fact you need multiple on multiple platforms in order to interact with others. Their forum which needs an account if you want to write something, as well as the coding platform, in case you want to contribute. They basically hide that this, and pretend you do not depend on accounts, which is not entirely correct, in only applies to downloading apps and using the F-Droid client itself. This brings us to the next problem.

There is no review system and there might never will be one. You actually need to go to the forum, create your own threads to give your feedback. This causes a clutter problem because there is no filter-system to show about which version the person is referring too. In the Play Store you have an system with a filter function that shows you current, latest version and if the review affects your device or not. This is not a perfect system but overall a good solution to see and write reviews, which helps others quickly showing problems with the current version, warn about malware, give useful feedback and it allows the developer to quickly respond to given feedback. This is more transparent than a going to just another forum, creating just another account and then trying to figure out what the user that gave feedback is referring too. The Play Store here is simply more efficient and transparent because you quickly can review apps, up- and downvote feedback by labeling it as useful or not useful, report things etc. The argumentation that the reviews are influenced can also apply to forum entries, this all goes vice versa but people usually quickly report fake reviewers if this is clearly visible.

I expect from people who come with ethics and such stuff to allow reviews directly visible on the apps page so that beginners can directly see what is going on without the need to use coding platforms or forums. The ethical right way to handle things is giving people the opportunity to allow feedback on apps, revisions and about the system itself without forcing them to register yet another account.

Power-Users, the killer argument

I read a lot about – I do not need this or power-users do not do that – the killer argument itself. Well, this might be all correct but a power user also does not need F-Droid, we, the power-users, can compile it for ourselves because the source code is stored on another platform anyway, GitLab, GitHub, you name them. It is not hard to sideload yourself and the learning effect to compile apps once a week yourself gives you an advantage, you learn something and you quickly can verify stuff yourself.

The real problem is incompetence from Coding Platforms

Most coding platforms, as of today, do not provide an integrated system to provide developers with the opportunity to provide reproducible builds or checksums on the release page altogether. You ether work with some Bots, Actions, CI or manual scripts. As time of writing this every single platform miserably fails to provide simple things like that, there are no template systems or review options to verify quickly for beginners as well as advance users the given code and APK. If GitHub is compromised or people abusing platform weaknesses, there are some then the APK could be replaced, checksums – assuming you provided some – forged or replaced and there would be no way or indication. This all happened and nothing prevents that this cannot happen with some coding platforms you fully need to rely on. I am not going to say it is easy or very much likely but the possibility is there.

Assuming coding platforms would be better in this regard, you could quickly deliver apks as well as updates trough the system and then just create an side-loading app which adds repository links. This would be enough for pretty much most average users, the rest surrounding it could be added later. They key issue remains that platforms like GitHub do not provide an system for developers that allows them to quickly distribute reproducible builds with indicators about several other important metadata things such as platform support, last updated etc. You often need to workaround those things which is not optimal and I expect a lot of more from such platforms because their decisions or failures affect millions of developers and users, that are at the end need to rely on yet another unknown identity to get apps, updates, background information and so on.

Conclusion – F-Droid hides a lot of important things from the public

Transparency and ethics, if you boldly advertise that this a concern for you and your users, then you should clearly show all positive as well as all negative events, hacks, drawbacks and that you address legitimate user feedback. This never happened and we are still sitting here, talking a lot without going any step forward. Blog post are often used or abused to promote instead of using it to guide developers, new users or show roadmaps, new directions and addressing current concerns, and there are plenty.

I cannot come to the conclusion that F-Droid is currently a better system. It has weaknesses, same like Play Store and you should clearly show them and indicate on a roadmap what you are working on and if you plan to address it or not.

F-Droid is not the ideal platform for most developers who struggle advertising their apps to get some support, reviews are also support and F-Droid also does not provide any way to promote paid apps, claiming this is an alternative for Google Play Store is therefore wrong. It works entirely different and is run by idealistic people, not people who want to promote their apps to continue to do this for a living. This is also one of the reasons why most apps promoted on F-Droid quickly die, people realize that the donation idea often does not work and the lack of support often results in closing interesting app ideas, or worse, people just switch back to Google Play Store.

For me F-Droid makes clicks on behalf of Google, this is nowadays an entire business model for various platforms, services, apps, developers etc. and people are in general unthankful. F-Droid also never tried to work things out, wrote a Petition or did other things to help improve the Play Store eco-system. They just created, what they call alternative platform to lure people on it with GNU based phrases ala ethic, everyone but us is evil etc. This is not professional and F-Droid cannot hold such standards, as shown, because they tend to claim a lot without showing all variables that are necessarily to show to come to an entire picture about how the platform works, operates and distribute their apps, ideas, feedback etc.

F-Droid is no competition to Google Play Store and never will be one, it is not well funded, lacks maintainers, lacks manpower and lacks a lot of clear direction. While Google Play Store slowly addresses some things and criticism F-Droid developers going into a defensive position or even hide, this is far away from being transparent. Play Store is also not perfect but as indicated, it gets better and you also find apps without any tracking code in it, the review system is considerable good, reliable and and integrated mini review system shows you quickly bunch of app infos BEFORE you actually install any app. F-Droid provides here half of the mentioned things and this is absolutely not what I expect from an open platform.

What to do

If you really are a power-user, you do it yourself, compile, verify and sideload, it is not that hard and you actually can automate certain steps in the process here, which I might cover in another Blog post.

The average user also can sideload, there are plenty of trustworthy platforms like APKMirror and others to get pre-compiled binaries from. Since such users typically never review code or check the checksums they also can stay with Google Play Store. The tracking argumentation becomes less relevant with each new Android version and the fact that the EU maybe kills tracking advertisement altogether, one day. Even an average user can disable quickly trough the Android OS permissions or block that the App goes online, without depending on others with just a view clicks. But it would be better to learn how to work with Store systems so that you quickly can get apps that contain no trackers at all. Google works on improving their systems and filters to make that easier.

I for myself cannot recommend F-Droid, the original app is simply terrible and there exist some better alternative F-Droid apps, but the system as such is weak flawed with outdated apps, verification issues, no review mechanism, no repository checks or integrated lists that adding all trustworthy repositories, are things that need to be addressed otherwise the user might add some shady repos or run into other problems like installing something that is not maintained or there is no source code available anymore. Those things I mentioned are all not new, I talked about that on Twitter, Mastodon and bunch of other platforms in public very often and years later none of it is fixed.

They key I see to solving lots of issues is when you learn to install less apps, that the coding platforms finally getting a better system and that people get better review system to make it easier to work directly together with the developer, without going technical or registering themselves on other platforms.


%d bloggers like this: