APK downloads are a less secure way to download?

App pages on the website say,

“Although APK downloads are available below to give you the choice, you should be aware that by installing that way you will not receive update notifications and it’s a less secure way to download. We recommend that you install the F-Droid client and use that.”

After looking at the security model,

what makes downloads less secure? Is there an assumption downloaders will not use Tor and check signatures, or is there more to it?

In some way, this is a benefit but doesn’t affect your security.

I think the point they are trying to make here isn’t that simple. Usually you don’t use Tor and check signatures, do you? Of course, I am talking about people in general. The point is that you don’t know what’s in the apk. While F-Droid builds it from source, you know it’s safe and checked. Everyone can build an apk, but the risks behind it are the question.

Things like your personal data, conversations or even your browsing history may be exposed if hacked. In my understanding, “less secure” is only mentioning the drawbacks of downloading from unknown sites that may be malicious. At the end of the day, do you really check every single app you download? It’s safe for me to say no. Only download from trusted sources, because your phone is very precious.

Thanks for your response. My question is not general. It is specific to f-droid site. Sorry if I wasn’t clear enough on context. I’m talking about APK downloads only from f-droid website. For example, randomly picked from Last Updated list at f-droid.org just now, says the same thing:

So I’m asking what the f-droid app itself does to make using it more secure than downloading, checking, and installing the same APK from f-droid website, if anything?

It’s not the download itself. Say the app has a security issue which is detected after the release. The author would fix it and release an update. How do you know the update is available? Having the F-Droid app installed, you’d receive a notification and could update it right away. Having just downloaded the APK and installed it manually, you might never notice until you get hit by that bug.

So you gain on security by always running the latest version.

Or maybe you run a script to periodically check for updates for your favorite apps, scraping the apps page on f-droid website, and downloading updates when available.

You’re assuming F-Droid will alert users to updates. So F-Droid settings should give a warning if users change “Automatic update interval” to “No automatic app updates”. Or remove that option.

The problem is downloading the full update jar is becoming large, several MB, and processing all that is taking much time/battery. Maybe client options should be added for “only check for updates to installed apps” or “shop for new apps you might want to install” to reduce data and processing requirements or increase only when looking for new apps.

Sure. And the average user will certainly do so, right? :rofl: You could also use fdroidcl for that, yes. Still, for most users it’s much easier to simply install the client.


Thanks, but the question is what, if anything, makes it more secure? Other than automatic update notification, if you do not set that to never.

Assuming you verified the GPG signature of F-Droid, you can assure that all apps installed from F-Droid have not been tampered with since they were built and signed.
i.e. not tampered with on the web server, mirror, or in transit.
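To make the “not tampered with since signed” guarantee concrete, here is an added example (not code from the F-Droid project or from anyone in this thread) of the check a client performs after the signed repository index has been verified: it looks up the hash the index records for a given package and versionCode and compares it against the APK bytes fetched from a mirror. The index layout is modelled on index-v1.json, but the index content and the APK bytes below are constructed stand-ins, and the example assumes the index signature was already validated by some other step.

```python
import hashlib
import hmac
import json

# Constructed stand-in for an APK fetched from a mirror (not a real APK).
FAKE_APK = b"PK\x03\x04 constructed stand-in for a downloaded APK"

# Constructed sample, shaped like the "packages" section of index-v1.json.
# In a real repo this index is signed by the repository key; this example
# assumes that signature was already verified before the index is trusted.
SAMPLE_INDEX_JSON = json.dumps({
    "packages": {
        "org.example.app": [
            {"versionCode": 12,
             "apkName": "org.example.app_12.apk",
             "hashType": "sha256",
             "hash": hashlib.sha256(FAKE_APK).hexdigest()},
        ]
    }
})


def expected_hash(index: dict, package: str, version_code: int):
    """Return (hashType, hash) the trusted index records for one APK version."""
    for entry in index["packages"].get(package, []):
        if entry["versionCode"] == version_code:
            return entry["hashType"], entry["hash"]
    raise KeyError(f"{package} versionCode {version_code} is not in the index")


def apk_matches_index(index_json: str, package: str,
                      version_code: int, apk_bytes: bytes) -> bool:
    """True only if the downloaded bytes hash to the value the signed index lists.

    A mismatch means the file was altered somewhere after it was built and
    the index signed (web server, mirror, or in transit), or is the wrong file.
    """
    index = json.loads(index_json)
    hash_type, want = expected_hash(index, package, version_code)
    if hash_type != "sha256":          # refuse anything weaker than SHA-256
        return False
    got = hashlib.sha256(apk_bytes).hexdigest()
    return hmac.compare_digest(got, want)
```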

Since you specifically mentioned “transit”, does that mean when an apk is downloaded via the app it is encrypted from the server to said device? No one (except for maybe F-Droid) will know what app was downloaded or one does not have to worry about said apk being intercepted during transit?

@billybobfrank

The official F-Droid repo is served over HTTPS, so only F-Droid will know what app you are downloading.
However the repo has a few mirrors, so it is possible that they might be informed of whatever apps you are downloading.
However any third parties, such as your ISP or government, in theory should not be able to learn what apps you are downloading.

Please see the originally linked:

@hans (or anyone else)
Is malware scanning of the apps no longer performed?
I thought they were passed to VirusTotal at some point.
I know Fedora scans all packages with ClamAV when built in Koji.
(edit: hmm maybe not anymore? https://bugzilla.redhat.com/show_bug.cgi?id=1564915)
Ignoring the obvious shortcomings of it.