Haven’t watched it yet fully, but from what I have seen it sounds very interesting. One of our core developer @pserwylo held a talk at LinuxConfAu 2018 with the title “F-Droid: The private, secure, free and open app store for Android”. From the abstract:
While smartphones have been heralded as the coming of the next generation of communication and collaboration, they are a step backwards when it comes to personal security, anonymity and privacy.
Most app stores encroach on users freedoms by closely monitoring and profiling how people use their devices. They reject apps which do not align with their terms of service. They are also unavailable in some of the worlds biggest markets, such as China, due to being blocked by the Government.
F-Droid is the open source app store for Android focusing on freedom, privacy, and security.
It doesn’t track what you search for, what you install install, or what apps you use. It warns you about apps which track you or show you ads. The main F-Droid repository gives you access to over 2000 open source apps, and there are other 3rd party repositories which expand this even further. In addition, it is essentially unblock-able, making it a vital piece of infrastructure for activists and journalists who need access to apps to facilitate secure communication.
Over the last year, the F-Droid project has completely revamped its UI to make it more friendly to non-tech users, adding support for screenshots, feature graphics, and localized metadata about apps. We have also added several new tools to make it easier for anybody to setup and run their own curated app store. This talk will cover the various aspects of the project, focussing on the client, its security model, and how it is being used to ensure everyone is able to access high quality open source apps as the smart phone revolution continues.
So, watching this right now, very nice presentation @pserwylo!
One thing don’t agree with though (and quite vehemently!) is that the android app signing system is a good thing. It adds some nice security properties but the way it is implemented it always locks users into one distribution channel.
That means if I install an app from gplay I can’t switch to the fdroid built version later. Or if I want to test a developer built version because I reported a bug I can’t do that either. At least not without re-installing the app which always means I’ll lose all my data for that app. For some apps (like Telegram for example) this means losing all conversation history from secret chats.
Of course there are ways to backup and restore app data. But all those require either cooperation from the app or root access to your phone. And even then it’s quite a fiddly thing to do and easy to screw up the restore procedure.
What in my opinion would solve this problem is the behaviour that ssh shows when dealing with changed server keys. It presents a big fat warning and then goes on to tell you what you’d need to do to get this working again anyway if you are sure the new key is the correct one.
Much better for user freedom and still nobody would end up doing this by accident. (Going deep into the settings after a scary warning to get new version to install)
(continuing to watch the talk… )
(right, you talk about this a bit later. Reproducible builds don’t necessarily solve the problems outlined above.)
I think you’re correct. Giving advanced users the ability to manage this situation makes sense. However one thing I’d disagree with is that “nobody would end up doing this by accident”. In several work places, I’ve seen people who don’t understand what the server warning is, and as such go into autopilot and remove the relevant entry from known_hosts without thinking about what it actually means (or thinking about it, deciding they don’t understand, but still wanting to access their server).
Really appreciate the feedback though, as I plan on continuing to talk about F-Droid at conferences/events/meetups, and always want to be as factual and helpful as possible. Feedback from the team and the community is very valuable in this regard.
@pserwylo You said in the video we make sure we can’t trace a user’s language and therefore the client downloads the complete index which contains all the descriptions in all languages.
So recently I’ve been wondering how this works for localized screenshots. Does this not end up opening the same tracking problem? Because you are only going to download the screenshot in the language you are interested in, right?
Oh, you are absolutely correct. Good pickup! @hans - this might be one for you to ponder with regards to your latest efforts to further remove tracking from the client?
Yeah, I was thinking about that in the past. If using Tor/Orbot, it would be possible to change circuits between downloading per app. Then the server would see which app and which language, but that would be the only traffic before the Tor circuit changed.
)