In the GrapheneOS forum, I encountered a claim that F-droid is insecure (and not good at privacy as well). These links (and more) were given as evidence:

While there is some attitude against FOSS apps, I think the arguments are generally sound and in good faith. Which makes me confused, as I’ve been hearing good words about F-droid in the lemmyverse.

I am not good at assessing arguments, so I want to ask you guys for more aspects and information.

Also, if not F-droid, what should I use? Is Aurora store, a frontend of play store, not fine to use as well?

  • Captain Beyond@linkage.ds8.zone · 33 up · 1 day ago

    I think F-droid is woefully misunderstood especially in privacy circles.

    The main benefit of F-Droid is that it works (as best it can) to guarantee software freedom. This means, for each app, you can be assured it is under a free software license, built from corresponding source code, and contains no proprietary components. F-droid has an inclusion policy that forbids proprietary blobs and they have to build everything from source in order to ensure that - however, if the app is reproducible, F-droid can actually verify that the already built app from the developer satisfies the inclusion policy without needing to sign its own builds, which is ideal. It’s important to note that without building from source, there is no way to guarantee that the source corresponds to the binary, which is important for exercising the four freedoms.

    I don’t agree with everything F-droid does and I don’t think F-droid is perfect. The security folks have a few valid points, I think, but they fail to offer a solution that solves the same problem that F-droid does, either because they misunderstand what problem that is, or simply do not care about it. F-droid is not an app store, it’s a community-maintained distribution like a GNU/Linux distribution. App stores are not alternatives to F-droid and serve different problems. There is, as far as I know, no other project that attempts to serve the same purpose as F-droid.

  • Ardens@lemmy.ml · 7 up, 1 down · 1 day ago

    Everything is insecure for the user. Google, Apple, Windows knowingly include apps with features that ignore your privacy. So “insecure” is a wide topic, which we’ve accepted to debate only in certain narrow areas. F-Droid makes people a little more aware.

  • miniwoodchuck@kbin.earth · 6 up · 1 day ago

    Insecure might not be the right word. IMO they’ve made a number of different decisions that aren’t ideal, from security, to focusing so heavily on compatibility that it causes problems for standard users, to some of their moderation decisions. But don’t let perfect be the enemy of good. I still trust it more than Google, who does many similar things like signing app code themselves, and I regularly use F-droid to get most of my apps.

  • incogtino@lemmy.zip · 29 up · edited · 2 days ago

    Your options are building from source, downloading dev apks, or using an app store. If you can’t trust anyone, then you need to build from source.

    Fdroid is the best of the app stores; they are always trying to stay ahead of the curve when it comes to privacy, security, and trust.

    Reproducible builds are the standard for FOSS trust; see this article for an overview. They close the gap between app stores and dev apks.

    Fdroid is constantly working to increase the prevalence of reproducible builds, and to enable you to verify more so you have to rely less on trust.

  • pinball_wizard@lemmy.zip · 15 up · edited · 21 hours ago

    To answer your top level question:

    If it’s not Linux from Scratch, then we don’t know exactly what is running, and we need to consider that.

    We made rocks think. There’s some trust decisions involved.

    Should I blindly trust every app I find on F-Droid? No. The article correctly lays out reasons why.

    Most of them also apply to Google Play and to Aurora.

    Your decision which to trust depends which threat protections you need the most:

    • Google Play provides stronger protections against people who are trying to run up your credit card through Google Play purchases. Many of the protections cited in the article were developed for this reason. Google Play store apps can fraudulently charge your credit card. But Google works hard to prevent this, with mixed results.

    • Aurora serves the same apps as Google Play and effectively benefits from the same protections.

    • In addition, Aurora adds additional context about malicious corporate behavior. Google has slowly added some, but not all, of these to Google Play. But at the end of the day, Google is being paid to look the other way by some corporations.

    • Like Aurora, F-Droid includes details meant to protect you from abuses by corporations. I would argue that F-Droid’s protections are stronger than even Aurora’s.

    • F-Droid does not include a method to charge your credit card. This makes a number of security differences in the article much less important, to most people. Of course, there’s more harm that an app can do than credit card charges.

    Because I am aware of many harms caused by individual bad actors and corporations, my preference order goes:

    • F-Droid - Preferred. I find the arguments in the article weak, and a bit out of date. I also feel that F-Droid had dramatically less need for the protections discussed, because there’s no mechanism available to F-Droid apps to run up my debit card.
    • Aurora Store - Acceptable. Some useful apps aren’t on F-Droid.
    • Google Play Store - Unacceptable to me. Aurora provides the same apps, but gives me better insights into the privacy impact of each app. Google Play is getting better over time, but the Google team has financial incentives to present trading my privacy for convenience as a good idea.
    • interdimensionalmeme@lemmy.ml · 4 up · 17 hours ago

      I like fdroid’s hard stance against non-FOSS software. Not interested in getting strangled by my own infrastructure. If the fdroid people don’t allow it, I don’t want it.

      To me that makes aurora more potentially compromised by commercial interests. More tracking, less privacy, less secure.

    • utopiah@lemmy.ml · 4 up · 1 day ago

      If it’s not Linux from Scratch, then we don’t know exactly what is running, and we need to consider that.

      What about Precursor? It’s “just” RISC-V System-on-Chip (SoC) yet that’s the entire premise, trying to know all the way to the processing unit instructions.

      • jokeyrhyme@lemmy.ml · 4 up · 1 day ago

        Yeah, that’s going beyond the software and making the physical supply chain possible to validate by a sufficiently equipped and educated consumer.

        The trade-off here is that it’s very difficult to produce verifiable circuitry that is also fast.

  • Zak@lemmy.world · 12 up · 2 days ago

    There seem to be two main arguments put forth here:

    1. F-Droid does not thoroughly audit the apps it distributes, so they might include bad behavior that is not initially obvious.
    2. It is theoretically possible to provide a package to F-Droid that does not match the source code it claims to be based on.

    To which I respond:

    1. No app store thoroughly audits the apps they distribute. You must ultimately decide if you trust the developer enough to run their app, or audit the code and build it yourself.
    2. This creates a theoretical opportunity for a developer or maintainer to upload a package that doesn’t match its purported source code, but it’s possible to check for this manually, and to automate that process. It’s likely anyone exploiting this would be caught and their reputation tarnished. It comes back to the first point: do you trust the developer or maintainer enough to run their app?

    If you have average security needs, you probably don’t need to worry about this. If you have reason to believe someone well-resourced and dangerous wants to compromise your phone, you should probably be extremely selective about what apps you install and where you get them.

  • pikanut@lemmy.ml · 2 up · 1 day ago

    Lol I just read the first line and thought “oh no why?! It is so nice and pretty why should it be insecure?”

  • kolorafa@lemmy.world · 10 up, 1 down · 2 days ago

    In the case of f-droid, it follows more the Linux distro philosophy, where the binaries are built and offered to you not by the developer but by the distro/repository maintainers.

    You can add your own repository or use your friend’s repository or use f-droid’s ones.

    In the case of the f-droid repository, to get an app published your app needs to adhere to rules, one of which is that the code needs to be public so the repo maintainers can build the app from it.

    Compare it to the play store, where the app is built and signed by the developer without making the code public, in turn making it almost impossible to know and follow what the app is doing.

    So it’s a matter of trust.

    For some apps I would rather install them from f-droid, as I have higher confidence that someone looked at whether the app is harmful or leaking my private data. For other apps like banking apps I would rather install them from Aurora store, where I don’t know what the app is doing but I trust them more to protect my money than some random dude on the internet. And if the bank does something bad I will sue them or just stop using their service.

    • shortwavesurfer@lemmy.zip · 1 up · 12 hours ago

      I actually take it even one step farther than that. I don’t want a bank app on my phone because it’s proprietary and I don’t know what it’s doing. So I only access my bank through the web browser.

    • Autonomous User@lemmy.world · 5 up, 1 down · edited · 2 days ago

      I trust those online far more than any offline rando to make my bank app.

      Suing, stopping, or looking at how it’s broken does not fix an app. We cannot fix it when we are banned from changing it, when we do not control it.

  • dracs@programming.dev · 9 up, 1 down · 2 days ago

    I’ve seen posts by the GrapheneOS team about recommendations against using both F-Droid and Aurora. F-Droid had a decent sized list of issues they raised. One of the key ones they raised against both was that it added an extra person to trust. You always need to trust the code of the developer of the app. No way to avoid that. With F-droid you need to trust that their build system/infrastructure is serving you the app as per the developers code. With Aurora you need to trust the Aurora devs are giving you the app unmodified from Google.

    There were other criticisms of F-Droid: that they sign almost all apps with their own key rather than the developers’. They do offer to serve apps with the developer keys, but it’s difficult to set up and not many apps implement it. Google Play also does the same thing though, so I feel this risk isn’t that big. Generally they seem to recommend getting apps directly from developers rather than via a 3rd party. They offer Accrescent in the GrapheneOS app store, which is designed for this; it just pulls files from GitHub AFAIK.

    All that said, I prefer to get all my apps from F-Droid (NeoStore technically) and Aurora for anything without an F-Droid repo.

  • Dr_Vindaloo@lemmy.ml · 4 up, 1 down · 2 days ago

    The biggest problem with F-Droid is that they sign the apps themselves, so if they ever get compromised, an attacker would be able to send malicious updates to any app installed via F-Droid. So now you need to trust 2 parties (app developer and F-Droid) instead of 1. This is fixed by reproducible builds, which F-Droid does support but which most developers don’t bother with (F-Droid needs to start pushing for this more aggressively imo).

  • irotsoma@lemmy.blahaj.zone · 3 up, 1 down · 2 days ago

    If you want to be as secure and private as possible, your best option is to set up your own build servers and automate builds, validate that the components used by each product conform to your needs and standards for security and privacy, and deploy to your own repository that your devices use for updates.

    Beyond that, there are tradeoffs based on your needs with each app store out there. If you need total privacy on what you install and your devices are already not connected to the internet, then a VPN or Tor to obfuscate your identity might be all you need. If you’re more concerned about components of applications that contain spyware, then some stores like fdroid have a lot of data available to help you decide if the app is OK for your needs; otherwise you’d need to build your own packages or verify them manually before installation. And there are various other tradeoffs between more accessibility vs. more security and/or privacy.

  • FriendOfDeSoto@startrek.website · 3 up, 1 down · 2 days ago

    Some of the technical info flew right over my head in the first article. What I took from the piece is that he has valid points so far as I can see and understand it. I would say nevertheless the author was a bit biased as well. And it’s 3 years old. It may still be accurate, IDK.

    I use F-Droid and have been for a while and I’m not aware of any issues this could’ve caused me. But I’m also not using it for essential systems. Not for browsers, VPN, etc. I have downloaded games, a couple of notes apps, that sort of thing. I would never recommend you get all your apps from there. It’s an addition to Google or your usual poison.

    Security experts will never be happy; that’s their job. The author is also talking about your threat model. Are you okay with certain risks? The truth is also that somebody could screw you over on Google Play. It may be less likely comparatively but not impossible. So you try to jump from rock to rock hoping no alligator catches you. So far no alligator got me.

    • shortwavesurfer@lemmy.zip · 2 up · 12 hours ago

      The biggest thing they cite is that you have to trust fdroid to build the applications properly without inserting changes.

      The way to fix that is something called reproducible builds where the developer builds their app and says that their build has this ID and then the software provider builds the app and compares the ID.

      If the IDs match 100% then you can be certain that the App Store has not tampered with the developer’s version of the app.
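
The comparison this reply describes (and that Dr_Vindaloo’s comment above asks for), as an added example that is not code from the thread or from F-Droid: it hashes every zip entry of two APKs except the JAR signature files, so a distributor build that matches the developer’s build byte for byte reports no differing entries, while a build whose code was altered names the changed file. The APK contents are constructed inline; F-Droid’s own pipeline instead copies the developer’s signature onto its unsigned build and verifies it with apksigner, which also covers the v2/v3 APK Signing Block that this entry-level comparison does not inspect.

```python
from __future__ import annotations

import hashlib
import io
import zipfile

# JAR (v1) signature files live under META-INF/ and necessarily differ between
# a developer-signed APK and a distributor-signed one; everything else should
# be identical if the build is reproducible.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", ".MF")


def is_signature_entry(name: str) -> bool:
    """True for v1 signature metadata, which is expected to differ."""
    return name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)


def content_digests(apk_bytes: bytes) -> dict[str, str]:
    """SHA-256 of the uncompressed bytes of every non-signature entry."""
    digests: dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not is_signature_entry(info.filename):
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_builds(dev_apk: bytes, distro_apk: bytes) -> list[str]:
    """Entries that differ or are missing between the two APKs.

    An empty list means the distributor reproduced the developer's content
    exactly, so the only difference is who signed it.  A v2/v3 APK Signing
    Block sits outside the zip entries and is not examined here.
    """
    a, b = content_digests(dev_apk), content_digests(distro_apk)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))


def make_apk(entries: dict[str, bytes]) -> bytes:
    """Minimal zip standing in for an APK (constructed sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: same compiled content, different signers.
CODE = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00app-code"}
DEV_APK = make_apk({**CODE, "META-INF/MANIFEST.MF": b"dev", "META-INF/DEV.RSA": b"dev-sig"})
FDROID_APK = make_apk({**CODE, "META-INF/MANIFEST.MF": b"fd", "META-INF/FDROID.RSA": b"fd-sig"})
# A build whose code was altered after the developer's release.
TAMPERED_APK = make_apk({**CODE, "classes.dex": b"dex\n035\x00other-code", "META-INF/X.RSA": b"x"})

if __name__ == "__main__":
    print("reproducible:", compare_builds(DEV_APK, FDROID_APK))  # []
    print("tampered:", compare_builds(DEV_APK, TAMPERED_APK))    # ['classes.dex']
```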

  • Autonomous User@lemmy.world · 5 up, 6 down · edited · 2 days ago

    Wrong, F-Droid is and has libre software. We control it.

    Meanwhile, GrapheneOS has Accrescent spreading software which fails to include a libre software license text file, software we do not control, dangerous!

    Tech talk is a confusion strategy to derail us and ‘open source’ is another. With it, their scam cannot get more blatant.

    Warning, Accrescent from the GrapheneOS Store does this and Privacy Guides does this too, smuggling it mixed in with good information, so always think for yourself. This is one of the few ways to trick us that sometimes actually works, so watch out for it.

    Can we use GrapheneOS with F-Droid and without Accrescent? Yes.

    Aurora Store (libre) replaces the Google Store app (anti-libre) but spreads other anti-libre software, less harm but not harmless.

    Obtainium does nothing to check apps are libre software.

    • ashaman2007@lemm.ee · 3 up, 1 down · 2 days ago

      Let’s be careful to remember that there are different levels of effort and understanding required for different levels of security and privacy. GrapheneOS has taken the approach of offering harm reduction, with sane defaults and options that allow advanced users to take near-complete control over their device (within the limits of the Pixel hardware). This is obvious by their inclusion of the sandboxed Google Play Store as a major feature of the OS, as it is much better than the situation on Google’s Android. It is also not installed by default, forcing users to at least somewhat educate themselves in order to install it.

      Accrescent is right in line with this philosophy, and is also not installed by default. Of course if your threat model (or desire) is to achieve the highest level of online anonymity and to have a completely FOSS system, you should not use it… of course you probably shouldn’t use FDroid either, in that case, and should build from source. However, you are clearly in a situation where your threat model does not require those lengths, and FDroid is more of a principled choice.

      I think it’s pointlessly inflammatory to call Accrescent “dangerous” just because it allows for non-FOSS software. Now if you want to criticize whether or not it is fulfilling its stated goals, that is another story.

      • Autonomous User@lemmy.world · 1 up, 2 down · edited · 2 days ago

        It is simple language and when you read the whole comment you will see harm reduction is not bad. They keep saying ‘Free and Open Source Software’ but remember what I said.

        Watch out for it.