In the GrapheneOS forum, I encountered a claim that F-droid is insecure (and not good at privacy as well). These links (and more) were given as an evidence:
- https://privsec.dev/posts/android/f-droid-security-issues/
- https://xcancel.com/GrapheneOS/status/1883895255142932816#m
- https://github.com/obfusk/fdroid-fakesigner-poc
While there are some attitude against FOSS app, I think the arguments are generally sound and in good-faith. Which makes me confused, as I’ve been hearing good words about F-droid in lemmyverse.
I am not good at assessing arguments, so I want to ask you guys for more aspects and information.
Also, if not F-droid, what should I use? Is Aurora store, a frontend of play store, not fine to use as well?
Insecure might not be the right word. IMO they’ve made a number of different decisions that aren’t ideal, from security, to focusing so heavily on compatibility it causes problems for standard users, to some of their moderation decisions. But don’t let perfect be the enemy of good. I still trust it more than google who does many similar things like signing app code themselves, and regularly use F-droid to get most of my apps.