[Discussion] DRØGR - Serverless P2P Messenger

Hello,

I am the developer of DRØGR, a serverless, ephemeral P2P messenger. I am seeking a community maintainer to help package this application for the official F-Droid repository.

Submission Context: This project is being submitted via the F-Droid forum to maintain a strict OpSec perimeter. Due to the high-security nature of the Ghost Protocol and the requirement for developer anonymity, I am seeking a community contributor to facilitate the metadata submission and open the Merge Request on the fdroiddata repository on my behalf.

Project Details:

  • App Name: DRØGR

  • Application ID: com.drogr.app

  • Source Code: https://codeberg.org/drogrdev/drogr

  • License: GNU GPL v3.0

  • Monetization: Voluntary donations via Monero (XMR) and Bitcoin (BTC) as listed in the repository.

Technical Overview: DRØGR is designed for zero-persistence and metadata-shredding. Key features include:

  • Ghost Protocol: Oblivious HTTP signaling (RFC 9458) to prevent relay-level correlation.

  • Setsuna Lifecycle: RAM-only operation with zero disk persistence and auto-wiping logic.

  • Traffic Resistance: Integrated decoy engine and MTU-consistent padding to resist analysis.

  • Native Core: Cryptographic operations handled via a Rust FFI layer (Argon2id, X25519).

The repository is fully prepared with the required /metadata folder, including localized descriptions and store screenshots. All source code is transparently hosted on Codeberg to facilitate a third-party build audit.

Thank you for your time and for supporting decentralized, privacy-first tools.

Just took a very quick look at your app and it builds with --obfuscate and it also checks for root, developer mode, and USB debugging, what the hell? I only looked at a small bit but I don’t see much actual app code so it’s pretty suspicious combined with the AI generated text here.

Hello and thank you for taking a look at it,
The root/developer mode detection - this is documented in the code comment itself: “This is a speed bump - a determined attacker can bypass all of these.” It is not enforcement. DRØGR stores all key material in volatile RAM and relies on SecureBytes zeroing on disposal. A rooted device can read arbitrary process memory, which directly undermines that guarantee. The check exists to warn the user who may not realize their device weakens the RAM protection mode, not to DRM-lock the app. You can verify it does nothing more than return a boolean that triggers a UI warning - there is no network call, no kill switch, no telemetry.

Obfuscation - obfuscate is a standard Flutter release flag that applies to the compiled artifact, not the source. The source is fully open. The purpose is to raise the cost of reverse engineering the binary distributed to end users, which is separate from source transparency. F-Droid’s reproducible build verification will allow anyone to confirm the APK matches the source exactly.

The code - I understand a quick look won’t show much without context. The actual application logic is across ~5000 lines in lib/services/ and lib/crypto/. The crypto stack is in lib/crypto/double_ratchet.dart and rust/src if you want to audit the parts that matter most.

The AI generated text is there to help with readability and context of the application.

I can answer specific technical questions about any part of the implementation.