Newbie Question - Veracity of Apps

Hello all,

With recent shakedowns in social media, I’ve been leaning back towards less spy-heavy whatnot*. Moving over to Mastodon, I’ve learned about FOSS and here, F-Droid. I really like the concept!

My main question is this: is there a way to tell if an app listed here is by the same organization that has it listed elsewhere? i.e. how can I tell that the DuckDuckGo Browser app here is published by DDG themselves?

I ask as I come from dealing with my Dad’s Kindle Fire that only has the Amazon App store on it and it is rife with apps published by third parties and not their host organization.

Thanks for all the help! I hope to be able to move more into this kind of a space.

*Mastodon, trying to Linux in a VM again, Protonmail, etc.

But it’s not, it’s published here by F-Droid, from the source code put by the DDG folks: https://f-droid.org/packages/com.duckduckgo.mobile.android → see build metadata → see Repo:

That being said, you can see DDG devs updating the app recipe for F-Droid: https://gitlab.com/fdroid/fdroiddata/-/commits/master?search=duckduckgo :wink:

Apps are built by F-Droid by taking source code from developers.
So, you have to trust F-Droid instead of developers.

F-Droid has an inclusion policy: Inclusion Policy | F-Droid - Free and Open Source Android App Repository
Proprietary apps or code are not allowed; sometimes apps differ between the Play Store version and the F-Droid version, as developers may make a special version for F-Droid if needed.

For each app, there’s a “Links → Source code” option in the app which links you to the source code repository the app is built from.

While @Licaon_Kter is technically correct to say nothing on F-Droid is published by the developers (the developers publish the source code, F-Droid builds from that source code so you can be sure what you run matches the source code) it doesn’t really answer the underlying question: how can you be sure what’s on F-Droid is legitimate and not an existing app republished with hidden malware?

You can be sure everything on F-Droid is legitimate because every new app submission is reviewed by the app review team and people have to submit source code instead of pre-built APK files (apps). This should make it really difficult and thus quite unlikely to be able to sneak something like that in. Many developers will also link to F-Droid from their official domain to make it extra clear. For example, DuckDuckGo has a very small “F-Droid” link on the bottom of “Privacy, simplified. — DuckDuckGo Browser Extension & Mobile App”.


@TheLastProject

“Links → Source code”

IIUC, those links go to where the app source is, was, or has been developed, and where F-Droid initially got the source; however, the source actually used in F-Droid builds is the “this source tarball” links, which are found on the F-Droid website.

@Morgoth

So, you have to trust F-Droid instead of developers.

IMO, now you have to trust both developers and F-Droid.

@Tourma

Is there a way to tell if an app listed here is by the same organization that has it listed elsewhere?

Sometimes it is easy, sometimes more difficult. Due diligence effort is necessary if it is important to you. Case in point, OsmAnd is more difficult to confirm, because their website does not advertise the connection (and the F-Droid version is supposedly semi-independent, or something).

Edit+: FWIW, of the ~3800 apps in F-Droid, a noticeable number (aha, currently 218) have “Anti-Feature: No Source Since” https://monitor.f-droid.org/anti-feature/NoSourceSince
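Added example, not written by anyone in this thread and not F-Droid’s own tooling: the posts above point at the fdroiddata recipe (build metadata → Repo) as the place that records where F-Droid actually fetches the source, which commit/tag each build is pinned to, and whether the recipe carries a NoSourceSince marker. The stdlib-only Python below pulls exactly those fields out of a recipe and prints a provenance summary, including whether the “Links → Source code” URL (SourceCode) points at the same repository the build is fetched from (Repo). The recipe text is constructed for illustration with placeholder URLs and version numbers; it is not the real DuckDuckGo metadata. The field names follow fdroiddata’s YAML layout as I know it (Repo, RepoType, SourceCode, Builds with versionCode/commit, CurrentVersionCode, NoSourceSince, AntiFeatures), but the parser only handles this flat subset, not arbitrary YAML.

```python
"""Summarise provenance fields from a simplified fdroiddata metadata recipe.

Constructed example. The sample recipe below is NOT real F-Droid metadata;
URLs and versions are placeholders. Only the flat "Key: value" / list /
"Builds:" subset shown here is parsed (not full YAML).
"""
import re
from urllib.parse import urlparse

# Constructed sample recipe with placeholder URLs (not the real DDG recipe).
SAMPLE_RECIPE = """\
Categories:
  - Internet
License: Apache-2.0
SourceCode: https://git.example.org/upstream-dev/browser-app

RepoType: git
Repo: https://git.example.org/upstream-dev/browser-app.git

Builds:
  - versionName: 5.120.0
    versionCode: 51200
    commit: 5.120.0
    subdir: app
    gradle:
      - fdroid

  - versionName: 5.121.0
    versionCode: 52100
    commit: 5.121.0
    subdir: app
    gradle:
      - fdroid

AutoUpdateMode: Version
UpdateCheckMode: Tags
CurrentVersion: 5.121.0
CurrentVersionCode: 52100
"""

_TOP = re.compile(r"^([A-Za-z]\w*):\s*(.*)$")        # top-level "Key: value"
_LIST_ITEM = re.compile(r"^  - (.*)$")                # "  - item" under a list key
_BUILD_FIELD = re.compile(r"^    (\w+):\s*(.*)$")     # "    key: value" inside a build


def parse_recipe(text):
    """Return {'scalars': {...}, 'lists': {...}, 'builds': [...]} for the subset."""
    scalars, lists, builds = {}, {}, []
    section = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = _TOP.match(raw)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if value:
                scalars[key] = value
                section = None
            else:                       # a key with no inline value opens a block
                section = key
                if key != "Builds":
                    lists[key] = []
            continue
        if section == "Builds":
            m = _LIST_ITEM.match(raw)
            if m:                       # "  - versionName: x" starts a new build entry
                k, _, v = m.group(1).partition(":")
                builds.append({k.strip(): v.strip()})
                continue
            m = _BUILD_FIELD.match(raw)
            if m and builds:
                builds[-1][m.group(1)] = m.group(2).strip()
            # deeper nested lines (e.g. the gradle flavour list) are ignored
        elif section is not None:
            m = _LIST_ITEM.match(raw)
            if m:
                lists[section].append(m.group(1).strip())
    return {"scalars": scalars, "lists": lists, "builds": builds}


def _normalise(url):
    """Compare repositories by host + path, ignoring scheme and a trailing .git."""
    p = urlparse(url)
    path = p.path.rstrip("/")
    if path.endswith(".git"):
        path = path[:-4]
    return p.netloc.lower(), path


def provenance(text):
    """Extract the fields a reader would check to see where a build really comes from."""
    rec = parse_recipe(text)
    s = rec["scalars"]
    current_code = s.get("CurrentVersionCode")
    current = next((b for b in rec["builds"] if b.get("versionCode") == current_code), None)
    repo, source = s.get("Repo", ""), s.get("SourceCode", "")
    return {
        "repo": repo,
        "repo_type": s.get("RepoType"),
        "repo_host": urlparse(repo).netloc.lower(),
        "source_code": source,
        "source_matches_repo": bool(repo and source and _normalise(repo) == _normalise(source)),
        "current_version": s.get("CurrentVersion"),
        "current_commit": current.get("commit") if current else None,
        "build_count": len(rec["builds"]),
        "no_source_since": s.get("NoSourceSince"),
        "anti_features": rec["lists"].get("AntiFeatures", []),
    }


def report(text):
    """Human-readable summary; flags a SourceCode/Repo mismatch and NoSourceSince."""
    p = provenance(text)
    same = "same repo" if p["source_matches_repo"] else "DIFFERENT repo, check manually"
    lines = [
        f"built from {p['repo_type']} repo: {p['repo']} (host {p['repo_host']})",
        f"SourceCode link: {p['source_code']} -> {same}",
        f"current version {p['current_version']} pinned to commit/tag "
        f"{p['current_commit']} ({p['build_count']} builds in recipe)",
    ]
    if p["no_source_since"]:
        lines.append(f"WARNING: NoSourceSince {p['no_source_since']} - "
                     "newer upstream releases have no published source")
    if p["anti_features"]:
        lines.append("anti-features: " + ", ".join(p["anti_features"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_RECIPE))
```

The point of the Repo/SourceCode comparison is the one made above: the “Links → Source code” entry is where the project lives, while Repo plus the pinned commit is what F-Droid actually built, so the two are worth reading together when you want to know whose code ended up in the APK.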

And how many of those have that because the source exists but you can’t build the app from FOSS deps?

Do tell. (7,8,9,10 characters)

I ended up tweeting at the DDG page yesterday and asking. Their CEO replied! Told me that it was them uploading the F-Droid version. Given the overnight DDG news, it’s not the best look for the CEO responding to random minor questions, but I guess I still appreciate it?

That is good to know about there being a review policy. It’s an extension of my lack of trust of Amazon in general, but the AAS seems hinky as all get out.

Link to that tweet? It’s not false, but as you read above, it’s also not…true. :person_shrugging:

Looking back, maybe it was intentionally vague?

I dunno.