Is F Droid safe?

358    Asked by ranjan_6399 in Cyber Security , Asked on Apr 4, 2022

What's the auditing/vetting process like to get an Android app into the F-Droid repository? To ask it another way, what's to stop an evil developer from uploading a backdoored Android app to the F-Droid repos?

Answered by Ranjana Admin

You asked - Is F Droid safe? The answer is - The "Security Module" as per the link below clearly states the following: Their security precautions: additional security precautions are taken to make it as hard as possible to exploit this vector. included on the HSTS preload list, so major browsers will only ever use HTTPS for all connections to f-droid.org

  • a strong TLS/HTTPS configuration
  • a strong HTTP Content Security Policy
  • PGP-signature on the initial install download link
  • automated regular and random auditing that F-Droid.apk has not been tampered with
  • F-Droid Limited controls many potential phishing domains like f-droid.org, f-droid.com, and f-dro1d.org.
  • website is statically generated to greatly reduce the attack surface
  • website is fully functional when Javascript is disabled in the browser, eliminating all possibility of XSS attacks

And as for the in-app application:

  • Protecting against malicious contributor-generated data
  • The app descriptions are submitted by all sorts of people, and they can also be taken from the app’s source repository. This data is ultimately delivered to the Android client or the user’s browser via f-droid.org.
  • the Android client never runs CSS, Javascript, or dangerous HTML tags since it displays HTML via android.text.Html.fromHtml() with image loading disabled
  • The f-droid.org website protects against malicious and CSS/HTML/Javascript injection with a strict HTTP Content Security Policy.
  • Repo Maker filters the texts through Mozilla’s bleach and has a good HTTP Content Security Policy.
  • Answering your question: (Reddit Source)

As others have said, we don't audit every single app that makes it into the store. But we do make sure that everything is free software, and do test/investigate to a certain degree. There was recently a study made of the amount of malware apps in each app store for Android. I can't find it now, but IIRC it was a pdf and should have been published in the past year. Basically, what it said is that many alternative stores smaller than Google Play were close to having no malware, but only one had absolutely none: F-Droid. I guess what I'm trying to say is that we're not bulletproof, and we never said we were. Our only promise to the users is that the apks we distribute come from the source that is publicly available, and have been built and distributed by the F-Droid server tools which are also free software. So far, this policy seems to have worked well 

Link- https://www.reddit.com/r/privacy/comments/3cjj2e/how_secure_is_fdroid/ Reddit, Answering the OP's Question https://f-droid.org/en/docs/Security_Model/ Source https://f-droid.org/en/2018/09/04/second-security-audit-results.html Recommended



Your Answer

Interviews

Parent Categories