xigoi 2 days ago

I’ve never found a malicious app on F-Droid.

SkiFire13 2 days ago

To be honest, the limited popularity of F-Droid also helps it be less targeted by bad actors. If it were more popular, I would bet the situation would surely be different.

fsflover 2 days ago

This argument can be refuted by considering Debian repositories. No malware exists there despite it being a good target. It's the FLOSS that solves the malware problem, with a bit of moderation.

fc417fc802 2 days ago

I'd argue OSS isn't sufficient on its own, and I suspect moderation only plays a small role. I think it's primarily the separation of roles. For a complete outsider whose only interest is exploiting users, publishing a sufficiently popular piece of software and also gaining the ability to add things to the Debian repos is a huge barrier. You'd have to invest years of work to do both of those things and then hope that no one happened to notice anything before it was too late.

Of course the FLOSS aspect adds an additional hurdle that this popular piece of software will have to somehow avoid having much of a contributor community around it since that would greatly increase the risks of your malicious changeset being reviewed. I guess what happened with XZ was about the best case scenario that an attacker could realistically hope for.

duckmysick 2 days ago

There were a few mishaps with PyPI and npm - including in the past week and even today. Not sure if those meet your criteria of FLOSS, but if it does I wouldn't call it solved.

fc417fc802 2 days ago

Yeah, but supply chain attacks like that can hit literally anything. Debian repos, the Play Store, an individual publishing on his own website: it's all vulnerable.

UncleMeat 2 days ago

F-Droid is a teeny store and requires extra steps like open sourcing such that it is not an appealing vector for malware authors.

Either you want to target the Play store so that you can get a wider install base but need to deal with tighter controls or you want to distribute flagrantly malicious stuff to people for banking trojans or whatever via social engineering to get them to sideload. F-Droid doesn't help with either of these things.

fsflover 2 days ago

> requires extra steps like open sourcing such that it is not an appealing vector for malware authors

So choosing FLOSS protects you from malware.

UncleMeat 2 days ago

It can, sure.

izacus 2 days ago

Are you really unable to comprehend just how small a userbase F-Droid represents for the Android ecosystem?

xigoi 2 days ago

If it’s that small, how does killing it help anything?

IshKebab 2 days ago

Nobody said it did. Google is not doing this to kill F-Droid.

kuschku 2 days ago

Google already knows whether an app is being installed from an app store, such as F-Droid, or not.

Just like they allow installing apps from the Play Store without the 24h verification, they should allow installing apps from F-Droid or the Epic Games Store without verification.

xigoi 2 days ago

Why do you think they are doing it?

jeroenhd 2 days ago

To stop scammer-guided malware installation, and probably those "download whatsappupdate.apk for free new emoji" ads that pop up all the time.

Google doesn't care about F-Droid one way or the other. It's a niche project that barely registers on the scale of all Android users.

fc417fc802 2 days ago

They don't care about F-Droid but they do care to choke out any potential competitors to their ecosystem before they can get a foothold. See their behavior surrounding device certification for example. They want to abuse the network effects of their ecosystem to prevent consumers from leaving. This is just more of that - vendor lock-in masquerading as an unfortunate necessity.

lern_too_spel 2 days ago

F-Droid still works the same as it did before. This just means that McDonald's can distribute its apps on its website without showing a scary warning on install on Google's Android builds.

xigoi 2 days ago

No it doesn’t. You will now have to follow a lengthy process before being allowed to install apps from F-Droid.

IshKebab 2 days ago

To defeat scammers. Not everything is a conspiracy.

dr_hooo 2 days ago

Likely true, but also many technically oriented people (myself included) would turn away from Android if F-Droid stopped working. And I would actively start recommending friends and family against it. What is the benefit of Android at this point? An extended ads platform, controlled by Google.