Episode 078 - De-Googling yourself could make you more vulnerable. Be careful!
Added 2022-11-20 13:41:01 +0000 UTC
Article: https://wonderfall.dev/fdroid-issues/
Comments
I think I am likely preaching to the choir - but you are entirely correct. There are many, many misconceptions in the field. Like the example you gave, LineageOS. In fact, it is even worse than just the bootloader, depending on the device and the maintainer. Like the SELinux policy set to permissive, userdebug builds and falsely increasing the patch level. Also, services like MicroG are perhaps more insecure and less private than stock ROMs. There are some open source projects that use F-Droid in a somewhat better version, like Molly - a Signal fork from the GrapheneOS community. They set up their own F-Droid repository, meaning that as soon as they push an update, F-Droid is able to fetch and install it right away. GrapheneOS is simply put the best means available right now. I have been using it for years, when it was still known under the former project flag (I won't name it, since the same project is continued by a bunch of corporate douchebags and utterly insecure). The substantial hardening work and continued improvements are amazing work. Sad to see the continued misconceptions and the hate the GrapheneOS project members have to deal with. Same thing basically happened to the grsecurity folks, before going private. Their patchset was met with a great deal of bad behaviour, even from kernel devs. Anyway: "Hated One" - thank you for all your work and continued battling of these misconceptions and bullshit. I recently joined the Observer tier and intend to continue that for a long time :)
h3artbl33d
2022-11-25 11:09:13 +0000 UTC
I watched that and saw he didn't verify the APK. So I think it's the same problem.
The Hated One
2022-11-23 13:46:07 +0000 UTC
From Side Of Burritos: Here's how to do with F-Droid and why. Use an RSS feed instead of F-Droid and install apps and updates directly from GitHub instead! Watch on YouTube or search Side of Burritos on NewPipe and watch it there. https://youtu.be/IzpVI4zaso0 https://youtu.be/lAbgeJau3eE https://youtu.be/FFz57zNR_M0
Humble_Swede
2022-11-21 10:55:39 +0000 UTC
I saw that method but you'd still need to verify the initial .apk, no? How do you do that if they don't publish their keys or hashes?
The Hated One
2022-11-20 16:26:29 +0000 UTC
Having to wait so long for critical updates on F-Droid is really annoying. I had to download NewPipe manually from the devs once because the old version just broke and F-Droid took so long to get the new version. And it's even worse for security related updates. I saw a method where you just subscribe to the RSS feed of the repos of those apps and then you can see when there's an update. But you have to download and install it manually, which is very cumbersome.
Anonymous
2022-11-20 16:23:27 +0000 UTC