Here's a little thing that may not be obvious to many people....
When you install an open-source app from Google Play or the Apple app store, there is no guarantee that what you install actually matches the public code.
@fdroidorg are doing a great service. They independently build the public source code for apps from scratch, review for common issues, and publish their builds. Thanks to "reproducible builds" it's possible to verify they do not tamper with the code.
F-Droid doesn't magically protect against any malicious apps. If an app is clearly malicious, it would be seen during review. If it is more subtle (e.g. hidden back door), F-Droid certainly won't catch that. In-depth software audits require time and effort.
The purpose of an open reproducible build chain is so anyone can inspect the code, even audit it, and have trust in the result.
An audit of an app without open source and build reproducibility is practically pointless.
@XxAlexXx @snikket_im @fdroidorg
The apps do sit on top of the Android permissions system, which, if used properly, reduces the scope for a backdoor. For example, something claiming to be, say, a blocks-type game but which asks for microphone access is suspicious, and the code can then be searched specifically to see what it does with that.
The greater the popularity of the app the greater the chance of someone wanting to understand how it really works
The point of our original post is to highlight that proprietary app stores do precisely nothing to help in this area (because they don't have a concept of requiring public code in the first place).
Backdoors and other security flaws in apps can be found far more easily with public code than without.
Hope this helps explain the ecosystem 🙂
Being open source doesn't make an app magically secure. Open source is about transparency and trust, the security of the app depends on how many people are looking for vulnerabilities in the source code.
But the initial post was not talking about this. How can you be sure that an open source app is really what they say it is? How can you be sure that the source code they released is the actual true source code of the app? This is where reproducible build comes
I was talking about reproducible builds. Reproducible builds ensure that an open source app is really what they say it is, read more about it to understand how it works. Also reproducible builds can be verified by anyone, the fdroid team just happen to do it on all their apps.
@XxAlexXx There are millions of closed-source apps and no one reviews those either.
What is your point? Why are you arguing?
@XxAlexXx So what? You only install apps on your phone that you compiled yourself?
Are you saying that apps from Google Play or the Apple AppStore are better?
If you are seriously worried about security, the trick is to not install 100s of apps! Have to figure out which you feel you can trust -
The strong sandboxing in #android & app permissions means you have pretty good control over what data an app can access
Sadly it takes effort to learn what is trustworthy (also, confusingly, folks have conflicting opinions)
@snikket_im uhm, doesn't a reproducible build not guarantee anything, since the checksum will change after signing the app anyway?
@charlag @snikket_im Verifying #ReproducibleBuilds on #Android is a bit more complicated than just hashing files. We actually use those signatures you mentioned for verification. The trick we came up with is to transplant APK signatures. So when a dev builds an apk they can send us their signature for that specific build. We transplant it into an APK we've built. If it still works: voila, reproducible apps built by #FDroid signed by their original authors.
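The reproducible-build check described in the first post and the signature-transplant trick in the reply above, as an added example that is not F-Droid's own tooling and not code from anyone in this thread. It assumes APKs carry v1 (JAR) signatures stored as `META-INF/` entries; v2/v3 signatures live in an APK Signing Block outside the ZIP entries and are not handled here. The two sample APKs are constructed inline as plain ZIP files with placeholder signature bytes, and the cryptographic check of the transplanted signature is left to the real `apksigner verify`, which this script only points at.

```python
"""
Added example (not F-Droid code): compare a developer-signed APK with an
unsigned rebuild from source, ignoring v1 signature metadata, then transplant
the developer's signature files into the rebuild so a real verifier
(`apksigner verify`) can check whether the signature still covers the
rebuilt contents. Sample APKs are constructed inline.
"""
from __future__ import annotations

import hashlib
import io
import zipfile

# v1 (JAR) signature artefacts: the only entries expected to differ between a
# signed dev build and an unsigned rebuild; everything else must match exactly.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name: str) -> bool:
    if name == "META-INF/MANIFEST.MF":
        return True
    return name.startswith("META-INF/") and name.endswith(SIGNATURE_SUFFIXES)


def entry_digests(apk_bytes: bytes) -> dict[str, str]:
    """SHA-256 of every non-signature entry, keyed by entry name."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info.filename)).hexdigest()
            for info in zf.infolist()
            if not is_signature_entry(info.filename)
        }


def entry_names(apk_bytes: bytes) -> list[str]:
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return sorted(zf.namelist())


def compare_apks(dev_apk: bytes, our_apk: bytes) -> dict[str, list[str]]:
    """Report which entries differ; all-empty lists mean the build reproduced."""
    a, b = entry_digests(dev_apk), entry_digests(our_apk)
    return {
        "only_in_dev": sorted(set(a) - set(b)),
        "only_in_ours": sorted(set(b) - set(a)),
        "content_differs": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def transplant_signature(dev_apk: bytes, our_apk: bytes) -> bytes:
    """Copy the dev's v1 signature files into our rebuilt APK.

    Refuses when the non-signature contents differ: a signature over different
    bytes could never verify, so there is nothing to transplant.
    """
    report = compare_apks(dev_apk, our_apk)
    if any(report.values()):
        raise ValueError(f"builds differ, refusing to transplant: {report}")
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(our_apk)) as ours, \
            zipfile.ZipFile(io.BytesIO(dev_apk)) as dev, \
            zipfile.ZipFile(out, "w") as result:
        for info in ours.infolist():            # our bytes, untouched
            if not is_signature_entry(info.filename):
                result.writestr(info, ours.read(info.filename))
        for info in dev.infolist():             # their signature, as shipped
            if is_signature_entry(info.filename):
                result.writestr(info, dev.read(info.filename))
    return out.getvalue()


def make_apk(entries: dict[str, bytes]) -> bytes:
    """Constructed stand-in for an APK: a ZIP with the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data (placeholder bytes, not a real app or signature).
APP_CONTENT = {
    "AndroidManifest.xml": b"<manifest package='org.example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 16,
    "res/values/strings.xml": b"<resources/>",
}
DEV_SIGNATURE = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"placeholder-pkcs7-blob",
}
DEV_APK = make_apk({**APP_CONTENT, **DEV_SIGNATURE})   # developer's signed build
OUR_APK = make_apk(APP_CONTENT)                         # unsigned rebuild from source
DIFFERENT_APK = make_apk({**APP_CONTENT,                # rebuild that did not reproduce
                          "classes.dex": b"dex\n035\x00" + b"\xff" * 16})

if __name__ == "__main__":
    print("reproducible:", compare_apks(DEV_APK, OUR_APK))
    print("not reproducible:", compare_apks(DEV_APK, DIFFERENT_APK))
    signed = transplant_signature(DEV_APK, OUR_APK)
    print("transplanted entries:", entry_names(signed))
    # Outside this script: write `signed` to disk and run `apksigner verify --verbose`.
```

If `apksigner verify` accepts the output, the developer's signature covers bytes that were produced from the public source by an independent build, which is the property the thread is discussing; if the compare step reports differences, the build did not reproduce and the signature is never transplanted.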