[ignoramous]

Open source apps can absolutely have trackers in them. F-Droid isn't a security solution by any measure. I have inspected code of at least one popular "privacy" app that absolutely tracks its users out in the open (I mean, the code is right there on GitHub), yet I see repeatedly that app (and F-Droid) being touted as some elixir that fixes security and privacy for one and all. It doesn't. Don't place your trust on F-Droid apps blindly, and more importantly, refrain from blanket advocating F-Droid apps as a security / privacy panacea.

What I do instead is monitor Android's traffic with a LittleSnitch-esque firewall and block all apps I don't use. Also, I've disabled auto-updates on non-essential apps. Only Photos, Maps, Chrome, and Firefox are allowed to auto update on my Android.

[JeremyNT]

Were the trackers already labeled in F-droid? They maintain a list of these anti features for all apps. If not, when you reported your findings to F-Droid, did they flag the app as having trackers at that time?

Nobody said blanket trust anything. F-Droid is a community project with a framework that allows for disclosing user hostile behavior in apps. By using it and paying attention, we can all make it even better - the exact opposite of Google, whose incentives do not align at all with these goals.

[marcodiego]

F-droid flags apps that have known anti-features. Using Open source software is a very significant security solution.

[epicide]

(F)OSS by itself is not a security solution. Largely because you can't "solve" security.

There are plenty of insecure open source apps. To deny that would be to deny tons of security-related CVEs.

Yes, open source software is easier to audit, but does nothing to a) make those audits actually happen (frequently enough), nor b) improves the quality of those audits.

i.e. just because I have access to information does not validate that information. Work still has to be done.

[marcodiego]

FLOSS may have security vulnerabilities, just like any other software. An OSS android app which has no anti-feature flags on f-droid with intrusive advertisements or malware behavior, deliberately implemented by its own developer, is something I have never heard about.

The same can't be said about 'free' (or sometimes even paid) proprietary apps from play store.

[krageon]

It would be more compelling if you actually mentioned what app you've found that's so naughty.

[higerordermap]

It's manually curated and generally flags such things as anti-features if found, and I'd believe them more than some tensorflow_script_to_detect_malware.py

[ignoramous]

I wouldn't depend on F-Droid or FOSS as a measure of security. Of course, I get that F-Droid is run by volunteers, but I hope no one is spreading the notion that the F-Droid apps are magically uber secure and private or anything.

[higerordermap]

I wasn't clear. What I told was comparative.

[rectang]

What open source gives you is an audit trail, which is helpful but not sufficient. You still need to be able to trace malicious code to actual individuals. Then you need the ability to punish those individuals, ideally through criminal prosecution.

[schmorptron]

What app are you talking about specifically?

[ignoramous]

https://news.ycombinator.com/item?id=25492855 and https://news.ycombinator.com/item?id=25263876

[You-Are-Right]

why is nebulo not on fdroid?

[ignoramous]

It is on the main developer's f-droid repo: https://github.com/Ch4t4r/Nebulo#f-droid

[You-Are-Right]

I do like the fdroid review process - private repos do not have that.

[schmorptron]

ah, thanks!