you need to define your threat model
you need to define your threat model
you need to define your threat model
you need to define your threat model

every security man that tells me something is "insecure" without actually defining a threat model automatically owes me $20
cash accepted

why would you put your wallet in your pocket when i can just pickpocket you and steal your cash :3 clearly you are insecure

actually wait shit this still defines a threat model

your wallet in your pocket is insecure
because i said so :)

fun fact that security people don't seem to get that is kind of foundational to the entire field

everything is insecure

there's a way to hack anything you like

"security" is always relative to a specific threat model

>It’s up to your threat model, and of course your personal preferences. Most likely, your phone won’t turn into a nuclear weapon if you install F-Droid on it - and this is far from the point that this article is trying to make. Still, I believe the information presented will be valuable for anyone who values a practical approach to privacy (rather than an ideological one).

you listed a bunch of literal non-issues so idk what exactly is "practical" about this -- in fact it seems rather ideological


f-droid's de facto complete lack of any sort of malware is literally more important than any theoretical concern imo

is it possible to sneak malware in if you really tried? yes

is there malware? no absolutely not

you go on google play and download a flashlight app and the top 20 results are all malware lol
sure f-droid has some pretty shit apps but none of them will infect your phone, and to be fair f-droid also has a handful of extremely high quality apps that you would have trouble finding otherwise
so idk, for the average user f-droid is just de facto higher quality apps, and confers more security just by being a little more tightly controlled by forcing apps to be open source (malware people will typically not want to make their shit open source. that's usually how it works)

@haskal One of my favorite things about f-droid is that it has apps for free that you'd need to pay for on the play store

My favorite example is OSMAnd+

@haskal Trusting signed binaries instead of signed source code is a conspiracy by Google, Apple, and Microsoft to sell proprietary software.

@haskal Security Man says forced obsolescence is about Security. Who cares that it means people need to buy way more hardware? I mean, those lazy application developers need to upgrade their shit. Nonono, don't blame Google for forking the shit out of Linux and encouraging rampant GPL violation by their hardware partners. Google's boots taste too good for Security Man!

@be @haskal Yeah I agree that failing to meet min SDK version reqs shouldn't result in being booted off the store. I do think that the store should allow users to filter apps below a given API level somehow. This could promote good security practices for those with the appropriate threat model *without* shafting people with older devices.

The main culprit wrt planned obsolescence is the device vendors who don't support devices longer than a given number of years, and don't upstream anything or have a community support program to allow development to continue after the end of an official support period.

Basically right now I have to choose between a malware fest (Google Play) where I have to be vigilant and check each app, or F-Droid where I check each app's SDK version and up-to-date-ness myself. It should be possible to combine the benefits of both without the drawbacks; I linked Accrescent as a possible example.
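One way to do the per-app SDK-version and up-to-date-ness check described above, as an added example that is not code from F-Droid, Accrescent or anyone in this thread: it assumes the layout of F-Droid's index-v1.json (an "apps" list and a "packages" map keyed by package name, each build carrying targetSdkVersion and an "added" timestamp in milliseconds) and runs over a constructed sample index with made-up package names.

```python
import json
from datetime import datetime, timezone


def epoch_ms(y, m, d):
    """Epoch milliseconds for a UTC date (the unit index-v1.json uses)."""
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp() * 1000)


# Constructed sample in the assumed index-v1.json shape; package names are made up.
SAMPLE_INDEX = json.dumps({
    "apps": [{"packageName": "org.example.maps"},
             {"packageName": "org.example.flashlight"},
             {"packageName": "org.example.notes"}],
    "packages": {
        "org.example.maps": [
            {"versionCode": 410, "targetSdkVersion": 31, "added": epoch_ms(2021, 6, 1)},
            {"versionCode": 420, "targetSdkVersion": 33, "added": epoch_ms(2022, 3, 15)}],
        "org.example.flashlight": [
            {"versionCode": 7, "targetSdkVersion": 23, "added": epoch_ms(2017, 2, 10)}],
        "org.example.notes": [
            {"versionCode": 120, "targetSdkVersion": 31, "added": epoch_ms(2020, 1, 20)}],
    },
})


def audit_index(index_json, now_ms, min_target_sdk=30, max_age_days=365):
    """Map each package to its newest build's target API level, that build's
    age in days at now_ms, and a list of problems (empty = passes the filter)."""
    index = json.loads(index_json)
    now = datetime.fromtimestamp(now_ms / 1000, tz=timezone.utc)
    report = {}
    for app in index["apps"]:
        pkg = app["packageName"]
        builds = index["packages"].get(pkg, [])
        if not builds:
            report[pkg] = {"target_sdk": None, "age_days": None,
                           "problems": ["no builds listed"]}
            continue
        latest = max(builds, key=lambda b: b["versionCode"])  # newest build wins
        added = datetime.fromtimestamp(latest["added"] / 1000, tz=timezone.utc)
        age = (now - added).days
        problems = []
        if latest["targetSdkVersion"] < min_target_sdk:
            problems.append(f"targets API {latest['targetSdkVersion']} < {min_target_sdk}")
        if age > max_age_days:
            problems.append(f"newest build is {age} days old")
        report[pkg] = {"target_sdk": latest["targetSdkVersion"],
                       "age_days": age, "problems": problems}
    return report
```

A client could hide or badge every package whose problems list is non-empty, leaving the thresholds to the user's own threat model rather than removing the app from the repository.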

@Seirdy @haskal Google could pressure hardware vendors to get their shit together if they wanted.

@be @haskal Google should pressure *more*. They've pressured a little by using the carrot; it's time for the stick.

@be @haskal in which Seirdy says "selfish investor-backed company should please be selfless for a minute kthx" and expects literally anything to happen.

@Seirdy @haskal I don't think cleaning up the mess of Android wouldn't benefit Google. But apparently it isn't a big enough benefit to upset their business partners.

@Seirdy @haskal If Google denied Android certification to vendors that didn't upstream their drivers, I think this shitshow would clean up real fast.

@be @haskal Agreed. They could even do one of those roll-out plans they're such a fan of: by one quarter, the devices would lose support from Google Pay; by another, the Play Store; etc.

@Seirdy @haskal Though that may require Google getting their shit together and not giving vendors a starting point of a giant outdated fork of Linux.

@be @haskal > a starting point of a giant outdated fork of Linux.

Outdated forks of Linux are a problem in the Android vendor ecosystem. I think I get what you're saying but I'm not sure I agree with this particular phrasing.

Lots of Linux security improvements actually start in Android; the upstream AOSP is not exactly "behind" on security compared to upstream Linux. There are lots of other reasons to hate Google.

The problem isn't the AOSP kernel, it's the GPL-loopholing that encourages unmaintained forks.

@Seirdy @haskal IIUC by the time AOSP gets to vendors, the vendors are already starting with a Linux fork that is a few years outdated. That's a bad way to start working on a driver if you want to upstream the driver.

@haskal "open-source apps aren’t necessarily more private or secure. Instead, you should rely on the strong security and privacy guarantees provided by a modern operating system with a robust sandboxing/permission model, namely modern Android, GrapheneOS and iOS."

So, trust your proprietary operating system (bad idea) to deal with your lack of trust in the developers of the applications you use... instead of, you know, just trusting the application developers?? 🙃

@haskal Don't get me wrong, sandboxing applications is generally good. But relying on that in lieu of trusting application developers is a technological solution to a social problem.

@haskal Come to think of it, aren't all technological security measures technological solutions to social problems?

@be @haskal like 2FA is a technical measure for the social problem of some asshat trying to get access to your account.

@be @haskal iOS is proprietary; AOSP and GrapheneOS aren’t.

That being said, you shouldn’t have to trust either way. Tools including something like a packet sniffer should ideally be simple enough for everyone to use to know when an app requests network permission, and where it connects. Users worried about telemetry should be able to just deny network access instead of trusting anyone. That’s honestly a lot easier than looking at the repo for each app.

I think FLOSS is essential for many reasons; at the same time, the best way to verify what a program does when you run it is to…run it.

The black-box and white-box approaches to securing a device are not mutually exclusive; they complement each other.

@be @haskal
"Backward compatibility is often the enemy of security, and while there’s a middle-ground for convenience and obsolescence, it shouldn’t be exaggerated. (...) the main repository of F-Droid is filled with obsolete apps from another era (...). Let’s not make the same mistake as the desktop platforms: instead, complain to your vendors for selling devices with no decent OS/firmware support."

"instead, complain to your vendors"

WTF. How naive can a person be?

@haskal My takeaway wasn’t “don’t use F-Droid”, but “F-Droid lacks some security features present in Google Play”. I’d use it while acknowledging the fact that it has problems, some of which could be solved. I do agree with your point that we shouldn’t recommend the Play Store unless you really vet each app carefully.

I think it’s reasonable to want both the apps and the platform to offer some security. Accrescent could be a way to get something from both worlds.

Getting updates quickly and incentivising good security practices (like a minimum target API level) are reasonable things to want in addition to the ecosystem that F-Droid provides.

@haskal also "incentivising != mandating". maybe a badge or something idk

@haskal I wish iOS had an F-droid equivalent because their app store also has a lot of malware.

@Sandra @haskal There's Cydia/Sileo/Zebra/etc but you need to be jailbroken and many tweaks/apps are closed source.

@haskal @easrng Oh, I was specifically looking for open source apps! I've got a friend with Xcode who compiles some stuff for me but it's difficult to find good open source apps. Maybe there is an "awesome" list out there.

@Sandra @haskal Yeah, the apps I mentioned are iOS equivalents of F-Droid-the-app, not F-Droid-the-repo. It's been a while since I've done iOS things so I'm not sure if there are any good open source only repos.

@Sandra @easrng @haskal That's because Apple is actively hostile to it. You can't publish GPL licensed applications on the iOS App Store without every contributor to the code agreeing to a special exception to the GPL. Apple's terms explicitly say you can't distribute the application outside of their app store among other ridiculous restrictions which are incompatible with the GPL.

@Sandra @easrng @haskal Developers also have to pay a $100 per year ransom to distribute iOS applications. So yeah, most open source developers don't bother.

"Apple's terms explicitly say you can't distribute the application outside of their app store" But there are some apps that do have git repos up.

@Sandra It's questionable whether that's legal.

@haskal would be cool if Aurora had a filter for "no malware plz"

@Shredd_Tone @haskal the Aurora Store is an alternative access to the Google Play store

(There's also Aurora Droid — and alternative access to the F-Droid itself!)

@meena @haskal I see. I know the Aurora Store informs the user with what trackers can be found on "their" apps. I guess I never considered the malware on them. It was still better than downloading an apk from a random website and installing, I think. Good thing I switched to Ubuntu Touch.

@haskal But how will people make money off call of spider hero Fortnite royale then

Do you make a distinction between malware and adware?

@haskal (Having not yet read the entire thread)

"Unintentional" malware is still a possibility though, is it not? I mean, look at the number of attacks that have happened on dependency chains: by getting something, somewhere, to use your (malicious) package, whatever depends on it...

Though realistically, there's no stopping that, unless you have a manual review that checks every line of every dependency, recursively, which nobody will ever do.

> is there malware?

Well, I've found one spyware or another, so that's not quite true. But after opening a ticket the folks from the f-droid team reacted reasonably quickly. So, yes, it's much better than google play.
