While fdroid is great for discovery or if you’re running without Play Services, I’m using the Play Store anyway so I’ll use that if they’re on there or if not then Obtanium to get them from the source repo.
Isn’t there some weirdness with signing apps on fdroid? A bit beyond my security knowledge when I last saw it discussed.
F-Droid compiles apps from source by itself, without blindly trusting that the APK provided by the developer actually came from the source code. After independent compilation, one of two things happen:
If the app uses reproducible builds, then F-Droid verifies that its own compiled APK matches byte-for-byte with the APK provided by the developer. If they match, F-Droid distributes the APK signed with the developer’s signing key, same as Play Store does (except Play Store doesn’t verify anything).
Otherwise, F-Droid distributes its own compiled APK signed with F-Droid’s signing key.
In either case, F-Droid guarantees that you get an app that matches the source code exactly.
None of this process should matter to you as a user, and it’s all fairly transparent from a user’s perspective. F-Droid gives you certain guarantees and internally enforces these guarantees, while Play Store does not.
Plus, if the app supports reproducible build, fdorid will just delivers the app to you via the developer’s signature. So it is just a additional verification without adding any trusted party. App signing section https://f-droid.org/docs/Security_Model/
fdroid also manually inspect the source to make sure nothing funky is going on. But of course that cannot be absolutely through, because the time and workforce constraint.
Finally, fdroid has updated to index v2 which improves the security of index v1, specifically:
As of index-v2, files from the repo are verified based on SHA-256, including icons, screenshots, etc.
index-v2 uses any algorithm supported by apksigner and android-23 and newer, and relies on OpenJDK’s and Google’s maintenance of the currently valid signing algorithms. When index-v2 was launched, the signature algorithm in use was SHA256withRSA and the digest algorithm was SHA-256. index-v1 is signed by SHA1withRSA. As of this writing, SHA1 are still considered strong against second pre-image attacks, which is what is relevant for index JARs.
Yeah. Basically it builds and then sign the app with their own keys, not the developer’s. The problem people has with this approach is that if F-Droid suffers an hacking attempt, the attackers could mess with the apps.
The team behind F-Droid is already trying to fix that with reproducible builds. It means that an APK downloaded through F-Droid could be compared to a GitHub release, for example, and they would have the same key.
If you set URLCheck as a default browser and you can automate the process of making people think you love them
Even better https://f-droid.org/packages/com.trianguloy.urlchecker/
While fdroid is great for discovery or if you’re running without Play Services, I’m using the Play Store anyway so I’ll use that if they’re on there or if not then Obtanium to get them from the source repo.
Isn’t there some weirdness with signing apps on fdroid? A bit beyond my security knowledge when I last saw it discussed.
F-Droid compiles apps from source by itself, without blindly trusting that the APK provided by the developer actually came from the source code. After independent compilation, one of two things happen:
If the app uses reproducible builds, then F-Droid verifies that its own compiled APK matches byte-for-byte with the APK provided by the developer. If they match, F-Droid distributes the APK signed with the developer’s signing key, same as Play Store does (except Play Store doesn’t verify anything).
Otherwise, F-Droid distributes its own compiled APK signed with F-Droid’s signing key.
In either case, F-Droid guarantees that you get an app that matches the source code exactly.
None of this process should matter to you as a user, and it’s all fairly transparent from a user’s perspective. F-Droid gives you certain guarantees and internally enforces these guarantees, while Play Store does not.
Plus, if the app supports reproducible build, fdorid will just delivers the app to you via the developer’s signature. So it is just a additional verification without adding any trusted party. App signing section https://f-droid.org/docs/Security_Model/
fdroid also manually inspect the source to make sure nothing funky is going on. But of course that cannot be absolutely through, because the time and workforce constraint.
Finally, fdroid has updated to index v2 which improves the security of index v1, specifically:
https://f-droid.org/docs/Security_Model/
Yeah. Basically it builds and then sign the app with their own keys, not the developer’s. The problem people has with this approach is that if F-Droid suffers an hacking attempt, the attackers could mess with the apps.
The team behind F-Droid is already trying to fix that with reproducible builds. It means that an APK downloaded through F-Droid could be compared to a GitHub release, for example, and they would have the same key.
Also https://f-droid.org/packages/me.zhanghai.android.untracker/
On iOS, I use the Clean URLs iOS shortcut to cleanup links & remove tracking parameters.
Credit: mastodon.social/@DavidBlue
I want to create a version that adds a check for a YouTube link and creates a Piped.video link too - save me a few seconds each time.
Nice to see an app for it.
Android 13 and above comes with a clipboard editor which is super handy. I just edit all my links in that.
Oh nice, I had no idea that’s what that did, cheers!