F-Droid or Github download

Short question, is it safer (no matter which application) to download from F-Droid or is it safer to download from a developer on GitHub than Releases?

It's safer to download from F-Droid IMHO


What does “safer” mean here? What’s the “threat model”? :slight_smile:

If you download from GitHub, you need to trust that developer, same as if you downloaded the app from Google Play.

If you download from F-Droid, you need to trust the developer less but you need to trust F-Droid. Also, of course, you get automatic updates, which is an important feature, also in the context of software security.

A better comparison would be Google Play vs F-Droid for open source apps.

Regarding why you need to trust anyone. Consider this attack vector: I am the author of an open source app you want to download. You check the source code for malware, can't find anything fishy, so you download and install the binary from GitHub. Gotcha! Who guarantees that the app you just downloaded was built from the exact same source as was publicly visible in the repository on GitHub? I could have added some malware code before I built it.
This is why you need to trust the developer, open source app or not.

F-Droid uses a different approach than Google Play: all apps are built and signed by F-Droid themselves. This way, they guarantee that the actual APK is generated 100% from the publicly available source code. Of course, now you need to trust F-Droid developers / system architecture. The downside of this approach, on the other hand, is that the build bot in particular is a particularly juicy target for attackers, because if someone with malicious intent were ever to get access to that system or leak the private key, they could infect any smartphone that uses any app from F-Droid. In that way, F-Droid is somewhat of a centralized approach with all the downsides that come with it.
F-Droid contributors could tell you more about how well the build system is protected and whether the current setup even allows detecting whether a build has been tampered with.
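
The check behind westnordost's point (the APK you install should be exactly what the public source builds to), as an added example that is not code from this thread or from F-Droid's own tooling: compare two APKs entry by entry, skipping the signer-specific files under META-INF/, so an independent rebuild from the same source matches the developer's release while any entry whose contents differ is flagged. The sample APKs are constructed in-memory zips, not real builds.

```python
import hashlib
import io
import zipfile

# Signature entries differ between signers even when the build itself is identical,
# so a reproducibility check must skip them and compare only the real contents.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")

def is_signature_entry(name):
    return name.startswith("META-INF/") and name.endswith(SIGNATURE_SUFFIXES)

def entry_digests(apk_bytes):
    """Map every non-signature entry to the SHA-256 of its contents (zip metadata ignored)."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_builds(apk_a, apk_b):
    """Return the sorted names of entries missing on one side or differing in content."""
    a, b = entry_digests(apk_a), entry_digests(apk_b)
    return sorted(name for name in set(a) | set(b) if a.get(name) != b.get(name))

def make_apk(entries, signer):
    """Constructed sample 'APK': a zip with the given {name: bytes} entries plus dummy signature files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", b"dummy entry digests\n")
        zf.writestr("META-INF/CERT.RSA", b"dummy signature by " + signer.encode())
    return buf.getvalue()

# Constructed samples: the developer's release, an independent rebuild of the same
# source by a different signer, and a release whose classes.dex does not match the source.
SOURCE_ENTRIES = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex from public source"}
DEV_APK = make_apk(SOURCE_ENTRIES, "developer")
REBUILT_APK = make_apk(SOURCE_ENTRIES, "independent-builder")
MODIFIED_APK = make_apk({**SOURCE_ENTRIES, "classes.dex": b"dex from modified source"}, "developer")

if __name__ == "__main__":
    print("rebuild vs developer release:", compare_builds(DEV_APK, REBUILT_APK))   # []
    print("modified vs developer release:", compare_builds(DEV_APK, MODIFIED_APK))  # ['classes.dex']
```

Real APKs also carry zip metadata (timestamps, compression level) that a reproducible-build pipeline must normalise; this example deliberately compares entry contents only.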


@westnordost Thank you very much.
I think you understood me completely and answered the details, things are clearer to me now.

It's safer on F-Droid because the packages are created from the source code of the developers.
(of course if the developers are safe) :smile:

Be vigilant with some sites which repackage the code.
I see several crashes coming from sites other than Google in Google Analytics.
So some of these sites could add their own libraries…
Always check the permissions.

Oh, regarding F-Droid security, here is another good info from another thread:
