Appstores and Trust

If you don’t use Play Store, you’re using F-Droid, right? Play Store at least guarantees the binaries you receive from it are what the developer claims they are. Not sure if F-Droid does that nowadays.

This “guarantee” doesn’t actually make me feel comfortable. I prefer open source software with a chance to let people actually see the code and compile it themselves if they like. AFAIK at least the latter is what F-Droid staff does. Neither procedure guarantees 100%, but I trust the open source way more.

4 Likes

Correct. Mainly F-Droid or Raccoon@Windows with a Google-Fake-Account.

I am already an extensive OsmAnd user and I am loving it! But for special things (opening times, real-time traffic + navigation, public transport in foreign countries, …) I want to have Google Maps as a reliable backup (the browser usage is very ugly).

So back to the main question: it seems I will need at least Open GApps Pico to install and use the Google Maps APK. Other opinions / options?

The point is that adversaries who own the network between client and Google and uploader and Google don’t stand a chance. That’s the government, the ISPs, the NSA, etc. Google can only MITM with a malicious Play Store software on the client computer, or the uploader can. But that’s why you should trust the uploader first (for example, if you decide to use Signal). Google’s servers cannot interfere with the GPG signed packages.

With F-Droid, the staff can MITM, or the people who have root on their servers (including a potential state actor). Although it appears that F-Droid now uses GPG, I think that’s only the repositories themselves, signed by F-Droid. I’d rather know that the package I get is exactly the package as it was created. This creates accountability, with the “app store” being just a mere middle man.

F-Droid.org is hosted in France, Germany, and USA.

I checked some whois info:

    $ whois 107.150.51.2
    […]
    CustName: […] , Ciaran
    […]

Is an address in the US.

    $ whois f-droid.org
    […]
    Registrant Name: Ciaran […]
    […]

Is an address in the UK.

What’s up with that?

(You can verify it yourself. I’m not gonna post the addresses here in public, creates a headache for Fairphone when GDPR becomes active.)

Trusting the uploader first and using Google Play Store only cannot prevent your phone from getting viruses and other malware, battery drainers, undesired upload of private data, and the like.

Finally, if you don’t trust F-Droid, no worries: You can just build your own APKs from the software source you like and upload them to your own F-Droid repository and have your F-Droid client look there. With Google, you can’t.

3 Likes

No, of course you can’t avoid that (even though there’s anti-malware in Play Store nowadays). You need to be very careful, but the same is true on iOS and Windows and Linux and macOS.

As for building your own, you can’t be serious. That’s not feasible. It is too much work. Are the builds deterministic?

How do you explain those whois queries btw?

Hi @JeroenH, I think the conversation you started here goes way beyond the topic “Using LineageOS on the FP2”, so I don’t want to continue our discussion in this thread.

3 Likes
