I am on GrapheneOS, but this concerns Android as a whole. From the options of Fdroid and GitHub (Obtainium) which is the safest way to install an app?
From the GrapheneOS forums, I see many people recommending GitHub over Fdroid as it is straight from the source. I know its true, but if a developer adds a ‘not-so-safe’ piece of code or introduces tracking, Obtainium would automatically update my app without letting me know about the changes. But from what I have seen from Fdroid they usually pause or cancel the update or app if these changes were to take place (Example, Simple Gallery or Mull for Android).
So I am confused. Whom should I trust more, Fdroid with their own app builds or the Developers on GitHub?
Also I have seen that Obtainium when used with a VPN to fetch app updates, will get rate limited by GitHub. Also I don’t really like GitHub as a code repository, with their tracking and rate limiting. I don’t know if Fdroid tracks user.
I think accrescent’s security model is probably the best.
I use obtainium for when I want to ensure I get updates as fast as possible
Fdroid for the rest that I don’t want to have to manually update in obtainium
You don’t have to trust F-Droid, you can verify that it’s the same build as the one from the original developer assuming they have done things right. I believe a good entry point is https://f-droid.org/en/2025/05/21/making-reproducible-builds-visible.html
I personally trust F-Droid and I believe their verification process with steps like https://f-droid.org/en/docs/Anti-Features/ is matching my needs. It’s not for everyone but I like it.
Also remember that fdroid is working on getting applications to use reproducible builds so that they are not the ones responsible for building the application. They just have to build it and check to see if it matches what the developer issued as the actual application.
They want you to not have to trust them.
If you want F-droid’s moderation, you can still ensure the code is original to the developers by verifiying signatures with something like AppVerifier.
Most of them unfortunately don’t have a listing on AppVerifier. But from what I have seen, fdroid builds pass the appverifier for the listed ones.
Whatever the app developer recommends. Obtainium directly from the developer repo or F-Droid when they officially support it. Depends if you want the latest version sooner, then the former.
You can turn off auto-update from both.
If you are questioning if the developer is malicious, why are you using their app?
Obtainium is more so if you don’t want any middle man and know the app you are downloading. If you want more checks, I suppose F-droid will provide some.
If you are questioning if the developer is malicious, why are you using their app?
Why would you blindly trust any developer?
No one said blindly. But why would you use the app if you don’t have trust.
Because if I only used apps from trusted developers, I wouldn’t use any apps at all. What reason do you have to trust them? Are they all made by your personal friends?
So then you trust the app enough that it provides the function you need from it? Trust doesn’t have to be an all or nothing ordeal.
It doesn’t have to be, but it should be.
I can trust an app to provide the needed functions, that doesn’t mean it doesn’t also perform other functions that I don’t need or want, and may potentially be malicious. And that can be literally any app that you haven’t personally reviewed the code and compiled.
When it comes to the developer recommendations, usually they would have a github page where they hosts their code. So most of the time they would recommend either fdroid or github releases equally.
Also, we cannot be sure of what happens in the future. The thing that is we cannot predict an enshitification.
What you see in the source code on GitHub is not necessarily what you get when you download the “release”. The only way to do that is to compile the code yourself or, alternatively, someone like the fine folks at FDroid review and compile it for you. So essentially you’re trusting FDroid instead of the developer.
If you’re a savvy person you can review and compile the code yourself, and that would be the most secure way, but who has time for that?
So yes, I would recommend FDroid when both options are available.
