IronJumbo68

IronJumbo@lemmy.world

When installing from GitHub you only trust the developer and their signed certificate key.

When installing from F-Droid you additionally also have to trust the F-Droid developer’s signature.

Besides that, F-Droid has its own problems:

https://privsec.dev/posts/android/f-droid-security-issues/

I don’t use F-Droid. I use Obtainium and additionally check signatures in AppVerifier.

https://sideofburritos.com/blog/obtainium-overview/


It’s not about whether the application communicates with these addresses or not. It’s about the fundamental question: why are these addresses even encoded in the code of a VERY privacy-sensitive application?

My friend, in every answer you push F-Droid as a cure for all evil. There is no perfect store, F-Droid also has its problems (I wrote about it above). I am not an enemy of F-Droid (I also use it sometimes), but I will repeat: F-Droid control is insufficient (it’s security theater - it’s not a full audit of the source code).


I hope @epoberezkin@lemmy.ml will dispel our doubts or a member of the Simplex.chat team :(
