this post was submitted on 25 Jul 2023
250 points (97.7% liked)

Android

17822 readers
378 users here now

The new home of /r/Android on Lemmy and the Fediverse!

Android news, reviews, tips, and discussions about rooting, tutorials, and apps.

🔗Universal Link: !android@lemdro.id


💡Content Philosophy:

Content which benefits the community (news, rumours, and discussions) is generally allowed and is valued over content which benefits only the individual (technical questions, help buying/selling, rants, self-promotion, etc.) which will be removed if it's in violation of the rules.


Support, technical, or app related questions belong in: !askandroid@lemdro.id

For fresh communities, lemmy apps, and instance updates: !lemdroid@lemdro.id

💬Matrix Chat

💬Telegram channels / chats

📰Our communities below


Rules

  1. Stay on topic: All posts should be related to the Android OS or ecosystem.

  2. No support questions, recommendation requests, rants, or bug reports: Posts must benefit the community rather than the individual. Please post to !askandroid@lemdro.id.

  3. Describe images/videos, no memes: Please include a text description when sharing images or videos. Post memes to !androidmemes@lemdro.id.

  4. No self-promotion spam: Active community members can post their apps if they answer any questions in the comments. Please do not post links to your own website, YouTube, blog content, or communities.

  5. No reposts or rehosted content: Share only the original source of an article, unless it's not available in English or requires logging in (like Twitter). Avoid reposting the same topic from other sources.

  6. No editorializing titles: You can add the author or website's name if helpful, but keep article titles unchanged.

  7. No piracy or unverified APKs: Do not share links or direct people to pirated content or unverified APKs, which may contain malicious code.

  8. No unauthorized polls, bots, or giveaways: Do not create polls, use bots, or organize giveaways without first contacting mods for approval.

  9. No offensive or low-effort content: Don't post offensive or unhelpful content. Keep it civil and friendly!

  10. No affiliate links: Posting affiliate links is not allowed.

Quick Links

Our Communities

Lemmy App List

Chat and More


founded 2 years ago
MODERATORS
 

The only app I can't live without. Except for gboard, all of my applications are Foss. There is no competition for gboard's swipe typing, not to mention its many capabilities like as searching for gifs, stickers, being able to paste copied images, translating, and so on. I'd like to know how I can use gboard while maintaining my privacy. According to what I've heard, it sends all typing data to Google's server. If you ask me, that's a massive no-no. Do you have any suggestions?

you are viewing a single comment's thread
view the rest of the comments
[–] Nr97JcmjjiXZud@infosec.pub 16 points 1 year ago* (last edited 1 year ago) (3 children)

F-Droid has a lot of security issues(if you care about security), use Neo Store if you want access to F-Droid apps with a more secure app.

EDIT: Even better to use Obtainium and add the links of the APP's own Github/GitLab repo to it.

[–] NENathaniel@lemmy.ca 8 points 1 year ago (2 children)

Any chance u can explain how Neo Store is more secure?

[–] notenoughbutter@lemmy.ml 3 points 1 year ago

iirc fdroid utilizes very old api which is problematic as newer api gets newer security features droidify and neostore both are more modern

[–] glacier@lemmy.blahaj.zone 1 points 1 year ago (1 children)

Neo Store can enable automatic updates for apps downloaded from F-Droid.

[–] clmbmb@lemmy.dbzer0.com 2 points 1 year ago (1 children)

And how does that make it more secure?

[–] glacier@lemmy.blahaj.zone 2 points 1 year ago

I don't think it would make F-Droid itself more secure, but it's best to get possible security updates for apps sooner with auto-updates.

[–] milicent_bystandr@lemm.ee 3 points 1 year ago (2 children)

I read through that article, and though I don't have the time or knowledge to properly critique it, I found quite a lot of it unconvincing.

It's one thing to agree there are potential issues, but the article seemed to jump a bit too easily, via rhetoric more than logic, to "therefore it's unsuitable" and similarly to "the other ones are better".

(Disclaimer: I only know mildly what I'm talking about!! If whoever reads this is interested, I hope you can follow the details to their source and get involved in the proper discussion for improving f-droid and/or encouraging another respiratory client.)

[–] argv_minus_one@beehaw.org 1 points 1 year ago

A tempting idea would be to compare F-Droid to the desktop Linux model where users trust their distribution maintainers out-of-the-box (this can be sane if you’re already trusting the OS anyway), but the desktop platform is intrinsically chaotic and heterogeneous for better and for worse. It really shouldn’t be compared to the Android platform in any way.

This is, quite frankly, borderline misinformation. Malicious packages in Linux distributions are unheard of. Malicious apps in the allegedly-more-secure Google Play, on the other hand, are a dime a dozen.

The downplaying of the importance of reproducible builds further diminishes my opinion of this piece.

I'm going to go ahead and continue using F-Droid, thanks.

[–] Nr97JcmjjiXZud@infosec.pub 1 points 1 year ago (1 children)

Here are a couple of videos that try to explain it a little easier.

Video 1

Video 2

[–] PipedLinkBot@feddit.rocks 1 points 1 year ago

Here is an alternative Piped link(s): https://piped.video/watch?v=IzpVI4zaso0

https://piped.video/watch?v=lAbgeJau3eE

Piped is a privacy-respecting open-source alternative frontend to YouTube.

I'm open-source, check me out at GitHub.

[–] argv_minus_one@beehaw.org 0 points 1 year ago (1 children)

A tempting idea would be to compare F-Droid to the desktop Linux model where users trust their distribution maintainers out-of-the-box (this can be sane if you’re already trusting the OS anyway), but the desktop platform is intrinsically chaotic and heterogeneous for better and for worse. It really shouldn’t be compared to the Android platform in any way.

This is, quite frankly, borderline misinformation. Malicious packages in Linux distributions are unheard of. Malicious apps in the allegedly-more-secure Google Play, on the other hand, are a dime a dozen.

The downplaying of the importance of reproducible builds further diminishes my opinion of this piece.

I'm going to go ahead and continue using F-Droid, thanks.

[–] Nr97JcmjjiXZud@infosec.pub 1 points 1 year ago* (last edited 1 year ago) (1 children)

What exactly are you trying to point out ?

From your quote: "It really shouldn’t be compared to the Android platform in any way."

And where exactly does it downplay reproducible builds ? "reproducible builds are not as common as we would have wanted."

"I'm going to go ahead and continue using F-Droid, thanks." Good friend, do whatever it is you want to do.

I'm just trying to spread security awareness.

EDIT: "Saying Play Store is filled with malicious apps is beyond the point: the false sense of security is a real issue. Users should not think of the F-Droid main repository as free of malicious apps, yet unfortunately many are inclined to believe this."

[–] argv_minus_one@beehaw.org 1 points 1 year ago* (last edited 1 year ago) (1 children)

From your quote: “It really shouldn’t be compared to the Android platform in any way.”

I quoted that because it's part of the borderline misinformation. Security is security. Malware is malware. Android isn't magical and neither is desktop Linux. They absolutely can be meaningfully compared.

And where exactly does it downplay reproducible builds ? “reproducible builds are not as common as we would have wanted.”

Ah, you're right. I misread that part, sorry.

I’m just trying to spread security awareness.

So am I. I'm an ornery old Linux nerd and security snob. I'd excise all proprietary software from my home and office if I could, precisely because it has such an appalling track record and the blatantly unnecessary attack surfaces of DRM and telemetry.

Can F-Droid be more secure than it is? Sure. Do the issues described in this paper mean F-Droid is so rampantly insecure that even Play is safer? Absolutely not.

By the way, I'm not sure I understand how Neo Store is supposed to be more secure, as it's supposedly just an alternative UI for F-Droid. As for Obtainium, it'll protect you from malfeasance or compromise on the part of the F-Droid repository, but it won't protect you from malicious app developers, and unless I'm mistaken, the latter is a much more common threat.

[–] Nr97JcmjjiXZud@infosec.pub 1 points 1 year ago* (last edited 1 year ago)

"I quoted that because it's part of the borderline misinformation. Security is security. Malware is malware. Android isn't magical and neither is desktop Linux. They absolutely can be meaningfully compared."

That's why the author said it's tempting. You cannot compare desktop Linux to Android. Android is light-years ahead in terms of security than desktop Linux will ever be.

If you install Debian on your machine then that means you trust the Debian developers. If you trust the Debian developers then that means that you trust their repositories. The same cannot be said about Android. If you, for example, install GrapheneOS you're trusting the graphene developers for the OS and the individual developers for their individual apps you install on your phone.

On Android a compromised user doesn't have root, on ordinary Linux desktops, a compromised non-root user with access to sudo is equal to a full root compromise. On a Linux desktop with Xorg you can easily keylog everything with one malicious app(that app automatically gets these permissions without prompting you), with modern Android that's not even an option(you'd need to accept all of these invasive permissions yourself, unless the app has a zero day that can bypass permissions).

The list goes on and on and on. You can read more here

"Ah, you're right. I misread that part, sorry."

No biggie :D

"By the way, I'm not sure I understand how Neo Store is supposed to be more secure, as it's supposedly just an alternative UI for F-Droid."

Neo store has the highest target SDK currently so it can use security and privacy APIs that Android provides with each new version. That alone is one of the biggest reasons to use neo store over native F-Droid. It shows you the target SDK, permissions (Way more understandable than whatever F-Droid does) & trackers for the apps you want to install. So you can make a more informed decision if you want that app installed.

"As for Obtainium, it'll protect you from malfeasance or compromise on the part of the F-Droid repository, but it won't protect you from malicious app developers, and unless I'm mistaken, the latter is a much more common threat."

You are adding more attack surface when using F-Droid, but when using Obtainium, you have one less attack surface. Instead of worrying about malicious F-Droid developers and malicious app developers, you only worry about the latter. Malicious app developers can still publish to F-Droid without F-Droid getting compromised.