Here's a little thing that may not be obvious to many people....

When you install an open-source app from Google Play or the Apple app store, there is no guarantee that what you install actually matches the public code.

@fdroidorg are doing a great service. They independently build the public source code for apps from scratch, review for common issues, and publish their builds. Thanks to "reproducible builds" it's possible to verify they do not tamper with the code.

f-droid.org/en/docs/Security_M

@XxAlexXx @fdroidorg Hi! Could you clarify your question?

This link provided in the post is a great overview of all the security-related aspects of the pipeline that F-Droid considers: f-droid.org/en/docs/Security_M (it's quite comprehensive!)

@snikket_im @fdroidorg Except it doesn't explain a malicious app which was intended to be malicious by the user

@XxAlexXx @fdroidorg
F-Droid doesn't magically protect against any malicious apps. If an app is clearly malicious, it would be seen during review. If it is more subtle (e.g. hidden back door), F-Droid certainly won't catch that. In-depth software audits require time and effort.

The purpose of an open reproducible build chain is so anyone can inspect the code, even audit it, and have trust in the result.

An audit of an app without open source and build reproducibility is practically pointless.

@snikket_im @fdroidorg So it is gonna be like, because my app is open source out of a thousand apps, I have complete power to do a subtle backdoor. Dame that is a hole to use

@XxAlexXx @snikket_im @fdroidorg
The apps do sit on top of the Android permissions system, which, if used properly, reduces the scope for a backdoor, for example something claiming to be, say a blocks type game, but which asks for microphone access is suspicious, and the code can then be searched specifically to see what it does with that.
The greater the popularity of the app the greater the chance of someone wanting to understand how it really works

@XxAlexXx @fdroidorg In summary: F-Droid is not an entire solution to a device free of malware, but it is a criticial part of the solution.

The point of our original post is to highlight that proprietary app stores do precisely nothing to help in this area (because they don't have a concept of requiring public code in the first place).

Backdoors and other security flaws in apps can be found far more easily with public code than without.

Hope this helps explain the ecosystem 🙂

@snikket_im @fdroidorg Well things is there are 100s if not 1000s of app which are open source. Who do you think has the time to check each and every app for malware check.

@XxAlexXx
Being open source doesn't make an app magically secure. Open source is about transparency and trust, the security of the app depends on how many people are looking for vulnerabilities in the source code.

But the initial post was not talking about this. How can you be sure that an open source app is really what they say it is ? How can you be sure that the source code they released is the actual true source code of the app ? This is where reproducible build comes
@snikket_im @fdroidorg

@futureisfoss @snikket_im @fdroidorg Well what is the benefit of their review if viruses could get in by malicious parties

@XxAlexXx
I was talking about reproducible builds. Reproducible builds ensure that an open source app is really what they say it is, read more about it to understand how it works. Also reproducible builds can be verified by anyone, the fdroid team just happen to do it on all their apps.

About the review they do, its not perfect but I would say its better than nothing.
@snikket_im @fdroidorg

@XxAlexXx @snikket_im @fdroidorg well, this is a problem no matter if the app is open source or not. There are countless of malicious apps on play store and app store that run for weeks or even months before Google or Apple pull the plug.

@xian
@XxAlexXx @snikket_im @fdroidorg

I like to use Joplin, which is an open source note app. however, it only available on gstore and not in fdroid. I wonder why it is that it considered open source and can only get it in gstore. weird

@XxAlexXx There are millions of closed-source apps and no one review those either.

What is your point? Why are you arguing?

@narF Open source doesn't make it secure or make trustworthy

@XxAlexXx So what? You only install apps on your phone that you compiled yourself?
Are you saying that apps from Google Play or the Apple AppStore are better?

@XxAlexXx
If you are seriously worried about security, the trick is to not install 100s of apps! Have to figure out which you feel you can trust -
hub.libranet.de/wiki/and-priv-
The strong sandboxing in #android & app permissions, means you have pretty good control over what data an app can access

Sadly it takes effort to learn what is trustworthy (also, confusingly, folks have conflicting opinions)

Also have a look at other pages in that wiki 🤳🛡️🔒
#security #privacy
@snikket_im @fdroidorg

@XxAlexXx
F-Droid does flag any known anti-features in the apps it includes in its repo. If anyone wants to offer a repo that tries to offer only trustworthy apps, a user could choose to use that with the F-Droid app, instead of the default repos. But then the question becomes can we trust the people running that repo? 🤔

@snikket_im

@strypey @XxAlexXx @snikket_im it's turtles all the way down.

I think this is a tough questions all repos deal with? Currently just hoping there are enough eyes on code and not be too greedy installing things?

Although automated approaches might be good. Like saw malicious python libraries using `eval` and base64 encoding? Presumably some people were already scanning for dubious stuff and `eval` wasn't on the list. (don't use `eval` when you don't have to!)

Sign in to participate in the conversation
Fosstodon

Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.