And let’s not forget OsmAnd~ and Maps.
Thanks a lot, Hans! Considering the “average Joe”: couldn’t that installed_apps.csv file be imported by the client again, which would (maybe after a confirmation) result in those apps being “queued for install”? Joe is afraid of CLI tools.
Security check: thanks, that’s a good starter. Though I’m not sure I’ll understand the technical details. For the article (addressing our Joe) I’ve got to compress that into a single paragraph or two – optimally convincing the reader the best measures are taken. I vaguely remember we had that process checked and got “certified” it’s secure? Or was that just the infrastructure in general?
Thanks for listing prominent apps, Hans & Coffee! Some of those I didn’t have on mine (which was rather short: DAVDroid, K-9, Öffi/Transportr and OSMand~ were the ones coming to my mind. Maybe that’s because I use most of them).
If someone wants to add some names, please do. Also, if some “sections” are missing others might feel important: AFAIK we e.g. have no banking apps (they shouldn’t be on a smartphone anyway IMHO), very few games (not that I miss them, but others certainly do), no photo editors and quite few gallery apps (those we have are not even in the Graphics category? Got to fix that, TL ).
@Izzy: About prominent apps… There should be some from Simple Mobile Tools (Simple Contacts and Simple Gallery) and Lawnchair.
Unfortunately, those concentrate on the F-Droid system itself (client, server etc) – but there’s no document describing the “Release Process” for apps other than fdroidclient. What steps does e.g. your bot perform (to identify “unwanted content”)? What other steps do we follow to make sure a new app (or an update to an existing app) is “kosher”? There’s no document about that (or I missed it). If we could collect those details, such a page could (and should) be created.
Further, apart from lint/pylint (which are rather syntactical than security/content related), I have no idea what the others do (and e.g. “bandit” is a quite generic term to search for). Some links would be welcome.
@HenriDellal Thanks!
Regarding app list I find “My App List” (now in archive) the best in class.
About webserver logs, I would like to switch f-droid.org to using privacy-preserving logging as proven by Tor and Guardian Project. So many projects, so little time…
About the security review process, the most important thing is that we require all apps to be 100% built from source for every build. Plus we release a source tarball that we generate for each APK that we build. With that there is the implied threat that the code can be audited by anyone at any time. In practice, that rarely happens, but that threat is enough to keep malware away. Look at Debian, Ubuntu, FreeBSD, Gentoo, Fedora, RHEL, etc. Technically, it would be easy to add malware to those distros without getting caught. And yet there are no documented cases of malware getting into those distros.
There are a couple of technical checks that the RFP issuebot does:
- binary libraries with no source available
- binary APKs flagged by Virustotal
- bad security practice with gradle repos (e.g. using plain HTTP for repos)
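Two of the three checks listed above (bundled binaries with no source, and Gradle repositories fetched over plain HTTP) can be illustrated with a small scanner. This is an added example, not the issuebot's own code; it assumes a Groovy-DSL build.gradle and a constructed file listing, and only reports findings for a human reviewer.

```python
import re
from pathlib import PurePosixPath

# Groovy-DSL repository declarations: maven { url "..." } / url '...'
# (Kotlin DSL `url = uri("...")` is intentionally not covered here.)
_URL_RE = re.compile(r"""url\s*[:=(]?\s*['"]([^'"]+)['"]""")
# Dependencies declared by file path are prebuilt binaries with no source to audit.
_FILES_RE = re.compile(r"""files?\s*\(\s*['"]([^'"]+\.(?:jar|aar))['"]""")
_BINARY_SUFFIXES = {".jar", ".aar", ".so", ".dex"}


def find_insecure_repos(gradle_text: str) -> list[str]:
    """Return repository URLs that would be fetched over plain HTTP
    (an attacker on the path could swap the artifacts during the build)."""
    return [u for u in _URL_RE.findall(gradle_text) if u.lower().startswith("http://")]


def find_binary_deps(gradle_text: str, file_list: list[str]) -> list[str]:
    """Return bundled binaries: file-based Gradle deps plus any
    .jar/.aar/.so/.dex checked into the source tree (paths are POSIX-style)."""
    found = set(_FILES_RE.findall(gradle_text))
    for path in file_list:
        if PurePosixPath(path).suffix.lower() in _BINARY_SUFFIXES:
            found.add(path)
    return sorted(found)


def review(gradle_text: str, file_list: list[str]) -> dict[str, list[str]]:
    """Collect both findings in one report for the reviewer."""
    return {
        "plain_http_repos": find_insecure_repos(gradle_text),
        "binary_artifacts": find_binary_deps(gradle_text, file_list),
    }


# Constructed sample input: one insecure repo, one file-based dependency,
# and a prebuilt native library in the tree (hostnames are placeholders).
SAMPLE_GRADLE = """
repositories {
    google()
    maven { url "http://repo.example.com/maven" }
    maven { url 'https://plugins.gradle.org/m2/' }
}
dependencies {
    implementation files('libs/tracker-sdk.jar')
    implementation 'org.example:clean-lib:1.0'
}
"""
SAMPLE_TREE = ["app/build.gradle", "app/libs/tracker-sdk.jar",
               "app/src/main/jniLibs/arm64-v8a/libnative.so"]

if __name__ == "__main__":
    print(review(SAMPLE_GRADLE, SAMPLE_TREE))
```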