What are HN's thoughts about the security of F-Droid? I always see neat app ideas like the one in the parent comment, but I've been afraid of what I don't know security-wise.
Everything being built centrally and transparently by an established group puts it leagues ahead of any other app store in my mind. Installing other people's software will always be a potential security problem, but that is unavoidable now.
As trustworthy as any Linux distro repository. Which is to say, everything built from public sources, and much of it patched and audited. I'm very grateful for F-Droid.
It's a poor idea to blindly assume anything you're capable of installing must be fine. That's been true for thirty years, whether you're talking about F-Droid, the Play Store, or Windows 98 and a downloaded executable. I had no problem taking a few minutes to think about what I was doing back then and I still don't.
One of the important Android security features is the signature enforcement model. All Android apps must be signed, and the OS will refuse to install updates to an app if the signature doesn't match the currently installed version. [1] On the Play Store, apps are signed by each individual developer. Consequently, as long as the APK file distributed by the Play Store was not compromised at the time of initial install, this security feature guarantees that any updates distributed through the Play Store are coming directly from the app developer and have not been modified by Google or any other party. (Play Store, Play Services and the other system-level Google apps have a wide array of scary permissions, so you should assume it's still possible through some convoluted "backdoor" method. That's a separate discussion, though.) You can also check the signature of any app on your phone manually using a tool like Checkey [2], or by extracting the APK file and using apksigner from the Android SDK.
F-Droid sort of breaks the signature enforcement model because apps on F-Droid are signed by the F-Droid server, rather than the individual app developers.
If you trust the app developer (as you should, especially with proprietary software, but also with complex/harder-to-audit open source software like web browsers), the "developers sign their own apps" model is probably ideal. Android's strict sandbox and permission model reduces the amount of trust you need to place in individual developers anyway.
On the other hand, if you trust F-Droid, you can be reasonably confident that the APK file you receive from F-Droid corresponds to the source tarball from F-Droid, and you can inspect the source to verify that the APK doesn't contain malware. Additionally, the F-Droid team manually reviews the source code for each app before approving it. But keep in mind that if F-Droid were compromised, it would be easy to sneak malware into any app on the store.
Overall, I would trust F-Droid for most purposes and think it's probably a better place to install apps than the Play Store. I still prefer APK files signed directly by the original developer for critical apps like Signal. In fact, one of the reasons Signal isn't on F-Droid is that the developer doesn't believe it provides enough security. [3] You can download the Signal APK from their website rather than from the Play Store, and it even has an auto-updater built in.
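The manual check the comment above describes (running apksigner on an APK and comparing the signing certificate to the one you expect), as an added example that is not part of the thread: the script pins the developer's certificate SHA-256 and refuses the file if the reported digest differs, which is the same decision Android makes when it rejects an update signed with a different key. It assumes `apksigner` from the Android SDK is on PATH; the pinned digest is a constructed placeholder, and the real value must come from the developer's official channel.

```shell
#!/bin/sh
# Pin a developer's APK signing certificate before sideloading.
# PLACEHOLDER_PIN is constructed for illustration, not a real developer fingerprint.
PLACEHOLDER_PIN="0000000000000000000000000000000000000000000000000000000000000000"

# Pull the "Signer #1 certificate SHA-256 digest" value out of
# `apksigner verify --print-certs` output read from stdin (lowercased hex).
extract_sha256() {
  sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' | tr -d '\r' | tr 'A-F' 'a-f' | head -n 1
}

# check_pin <reported digest> <pinned digest>: 0 only when both are non-empty and equal.
# Colons and spaces are stripped so "AA:BB:.." and "aabb.." compare the same.
check_pin() {
  reported=$(printf '%s' "$1" | tr -d ' :' | tr 'A-F' 'a-f')
  expected=$(printf '%s' "$2" | tr -d ' :' | tr 'A-F' 'a-f')
  [ -n "$reported" ] && [ "$reported" = "$expected" ]
}

# verify_apk <apk file> <pinned sha256>: fails if the signature is invalid
# or the signing certificate is not the pinned one.
verify_apk() {
  out=$(apksigner verify --print-certs "$1") || { echo "REJECT: invalid signature on $1"; return 1; }
  digest=$(printf '%s\n' "$out" | extract_sha256)
  if check_pin "$digest" "$2"; then
    echo "OK: $1 is signed by the pinned certificate"
  else
    echo "REJECT: $1 signer $digest does not match pin"
    return 1
  fi
}

# Usage: verify_apk app.apk "$PLACEHOLDER_PIN" && adb install app.apk
```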