If the developer provides a self-updating mechanism for their app, it makes a lot of sense to get it directly from them. F-Droid has serious issues with the security of their infrastructure and the app. Updates are often very delayed and they make undocumented changes to apps.
That's where F-Droid is obtaining the code to build after all. They're an additional trusted party and known to have poorly updated, insecure infrastructure and security practices. You don't avoid trusting the developers or their security by getting it through F-Droid.
If GitHub were compromised, the code obtained by F-Droid could be modified by an attacker too. Android pins the signing key and version for apps after the initial install, so the developer would need their key compromised after the initial install or it would be detected as invalid.