Let me rest my case. Here are the events that led me to that conclusion.
I was using Gadgetbridge to send notifications to my Bangle.js smartwatch.
Everything worked great.
But I don’t use the watch permanently.
So when I was not using it, Android was showing that the Gadgetbridge app was open in the background all the time.
At first I didn’t care. Then I started opening the app info and stopping it manually.
But it started again by itself, even though that option was unchecked inside the app.
I kept closing it manually.
One day I received a message that my credit card was used to buy some online thing. Not a lot of money, but it was not me.
I canceled it, but I wondered.
Then, when I had WhatsApp open, Android (or WhatsApp) notified me that an app was showing on top of it.
Then 2+2: Gadgetbridge wasn’t behaving normally and was showing over other apps. My conclusion: data gathering or spying, so I uninstalled it.
I may be wrong, of course, but when one app starts by itself when you don’t want it to, it is, at least, suspicious.
I don’t know what the topic starter’s issue is, but I haven’t had my phone number misused ever since I took away QKSMS’ permissions. As I stated, I don’t have the know-how to examine Java binaries, and it seems awfully convenient to just bully and gaslight those who don’t and therefore can’t prove things.
And stop pointing at the bloody source code. Any step of the process that produces the binary could be compromised, including F-Droid’s infrastructure or even the compiler software. Can’t prove the binary is safe: didn’t prove anything.
No, you take a look, since you think you know what it does that is bad. Get proof of all that you were saying. Set up your own fdroidserver, build, set up another one, say, on a different distro, try again, see if you get the same binary, etc. This takes time and expertise, yes, we know, but this way your words can stand on something more than “i sink I thaw a puttycat”.
I’ll tell you what I’ll do instead. I will delete F-Droid and everything installed through it, and from now on I’d rather take my chances with binaries uploaded by developers to their GitHub Releases, whenever those are available. At least that way I can know that removing the problematic app will resolve the issue and that it’s the developer signing the updated binaries with their own private key and not a shared centralized F-Droid key that can be used to sign any malware.
Thanks for nudging me in the right direction.
If you check the sha256sums of Gadgetbridge or QKSMS on www.virustotal.com (yes, it’s a service of Google), then all of the following hashes have the status:
“No security vendors and no sandboxes flagged this file as malicious”
Note: This post was prepared with vim in Termux, after uninstalling Farmer Editor, because it is dev’d on microsoft github. Termux is too, but one thing at a time, and weighing cost/benefit…
I have Gadgetbridge on a spare phone, used to install OS updates on a semi-smart watch. All the behaviors described above are consistent with the permissions listed in F-Droid: starts on boot, runs in the background, watches Bluetooth status (and much, much more). I also didn’t enjoy it popping into action whenever Bluetooth was started for other reasons, but it is clearly consistent with Gadgetbridge’s intended functions. Gadgetbridge also gets kudos for being developed on Codeberg.
Aside on coincidences: one poster who says he is in Russia opens a new account at the time the invasion of Ukraine was launching, with FUD on QKSMS, a very popular app. Another poster using Z, a symbol of the Russian armed forces or their supporters, opens a new account now, as the invasion isn’t going so great, with FUD on Gadgetbridge, a very popular app…
installing apps outside F-Droid.
I’ve had my own doubts on F-Droid, and whether their reviews add enough value to justify the slowness…
But why now? Is it spreading discontent and keeping minds distracted from bigger world events? Why suggest installing apps straight from the devs? Could it be to make it even easier to spread malware, outside review channels (such as they are)?
Which means that as long as you allow Notifications access (required to be able to forward notifications to the connected Bluetooth device), each notification will trigger (and start, if not running) the Gadgetbridge notification listener.
Just a final response to a now hidden post. I don’t know how I am the one spreading FUD, when actual F-Droid contributors comment on evidence about potential malware on their platform like this: “Oh yeah, we’re 10 times more qualified than you are to do the required analysis, but we ain’t gonna move a finger to prove our platform is safe”.
I think everything that needs to be known about F-Droid is in Licaon’s posts. Cheers.
Whatever makes you safe/happy, of course. We just don’t like to have accusations without proof.
If such proof appears we’ll tag the app, will fix the recipe, will disable the version or the whole app.
Until then? No… nothing.
Be sure to update regularly.
To be fair, since they use the same tools they’ll get the same malware mostly, but hey…
The problem with open source is that everything we do is… fully transparent. Actually I’m not qualified to do anything I do around here, I’m no dev, lol. Then again, it was not about qualifications but about proof. You could pay a qualified analyst to do the work for you. An independent one; maybe I’m biased or something.
Which issue is this? Oh, you can post on GitLab? Which forum thread is this? 1.15 (not yet recommended, for stability reasons, just in case; you’ve enabled “unstable apps”, right?) works fine for me, and the alphas worked too. What issue did you encounter?
Again, if you’ve enabled Expert settings - Unstable updates then behave like an Expert and don’t… lie.
Which older devices? Which Android version? Wtf?
I’m already testing on Android 10, 11 and 6, on a mix of stock and custom ROMs. Other contributors do too. This can’t cover all devices, true.
Where’s the stack trace posted?
Then take time off posting on the forum and do due diligence to report issues properly, instead.
/LE: Fun fact, 1.15-alpha1 didn’t offer the update to me because I had “unstable” toggled off. After you posted above I had to install 1.15 final manually.
I meant my activity around F-Droid and the apps. Somehow reiterating that “20%” feels like grasping for straws instead of you actually engaging in a discussion. Every other post of yours is an aggressive take like I’m here not because I want F-Droid to work better but to hurt your feelings/morals/cats.
TL;DR: a minor update of a “commons” lib in 1.15 makes it crash on app install/update on Android 6 and 7; the latest changes didn’t have an alpha for us to test, but the release is not pushed as stable, so most users were not auto-updated. Once fixed and further tested, 1.15 will be promoted to recommended.
So many comments were deleted from this thread, I no longer recognize or can follow the real discussion. Oddly, one person’s insults remain. Think about this too.