Hacker News new | ask | show | jobs
by Nutomic 3992 days ago
Google could also distribute a differently signed APK to selected users. And there's no way for users to check the signature of an APK (if they didn't have it installed before).

And I certainly trust an open source project much more than a US company.

1 comments

But that angle of attack only works if they target you from the moment you first install the app. It would be much easier to just push a modified Google application update to your phone if that is what they wanted.

What it boils down to is that with the Play store, you can be sure that you're not getting malicious updates from some intermediary, as each developer signs their own APKs, and Google doesn't have the keys. Whereas if F-Droid is compromised, all applications they build are compromised. That's a much greater risk.
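Both posts above turn on the same mechanism: the identity of the certificate an APK is signed with, and the rule that an update must carry the same signer certificate as the installed app. The example below is added here and is not code from the thread, from F-Droid or from Google. It reads the v1 (JAR) signature block of an APK (`META-INF/*.RSA`, a PKCS#7 signedData blob), pulls out the embedded certificate(s), and prints the SHA-256 fingerprint a user could pin and compare against a later download, plus a same-signer check mirroring Android's update rule. It only handles v1 signing (v2/v3 signatures live in the APK Signing Block, which this does not parse), and it does not verify the signature itself, only extracts the certificate. The "certificates" and the APK it builds are constructed placeholders, not real X.509 data.

```python
import hashlib
import io
import zipfile

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER element (single-byte tag, definite length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read(buf: bytes, pos: int):
    """Decode the element header at pos; return (tag, content_start, content_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def der_children(buf: bytes, start: int, end: int):
    """Yield (element_start, tag, content_start, content_end) for each element in a range."""
    pos = start
    while pos < end:
        tag, cs, ce = der_read(buf, pos)
        yield pos, tag, cs, ce
        pos = ce


def pkcs7_certificates(blob: bytes) -> list:
    """Return the DER bytes of every certificate carried in a PKCS#7 signedData blob."""
    tag, s, e = der_read(blob, 0)
    if tag != 0x30:
        raise ValueError("not a ContentInfo SEQUENCE")
    kids = list(der_children(blob, s, e))
    if len(kids) != 2 or blob[kids[0][2]:kids[0][3]] != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 signedData ContentInfo")
    _, ctx_tag, cs, ce = kids[1]
    if ctx_tag != 0xA0:
        raise ValueError("missing [0] EXPLICIT SignedData")
    _, _, ss, se = next(der_children(blob, cs, ce))  # SignedData SEQUENCE
    certs = []
    for _, t, fs, fe in der_children(blob, ss, se):
        if t == 0xA0:  # [0] IMPLICIT certificates SET OF Certificate
            for cstart, _, _, cend in der_children(blob, fs, fe):
                certs.append(blob[cstart:cend])
    return certs


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate, the value tools print as the certificate fingerprint."""
    return hashlib.sha256(cert_der).hexdigest()


def apk_signer_fingerprints(apk_bytes: bytes) -> list:
    """Collect signer certificate fingerprints from the v1 (JAR) signature blocks of an APK."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in pkcs7_certificates(z.read(name)):
                    fps.add(cert_fingerprint(cert))
    return sorted(fps)


def same_signer(installed_fps, update_fps) -> bool:
    """Android's update rule in miniature: accept only if the signer certificate set is unchanged."""
    return bool(installed_fps) and set(installed_fps) == set(update_fps)


def build_demo_apk(cert_der: bytes) -> bytes:
    """Constructed, minimal APK-shaped zip carrying cert_der in META-INF/CERT.RSA (no real signature)."""
    signed_data = der(0x30, b"".join([
        der(0x02, b"\x01"),              # version
        der(0x31, b""),                  # digestAlgorithms (empty in this demo)
        der(0x30, der(0x06, OID_DATA)),  # encapContentInfo
        der(0xA0, cert_der),             # [0] certificates
        der(0x31, b""),                  # signerInfos (empty in this demo)
    ]))
    pkcs7 = der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()


# Constructed placeholder "certificates": plain DER SEQUENCEs, not real X.509, enough to fingerprint.
DEV_CERT = der(0x30, der(0x04, b"constructed developer certificate"))
OTHER_CERT = der(0x30, der(0x04, b"constructed other certificate"))

if __name__ == "__main__":
    installed = apk_signer_fingerprints(build_demo_apk(DEV_CERT))
    print("installed signer:", installed)
    print("same-signer update accepted:", same_signer(installed, apk_signer_fingerprints(build_demo_apk(DEV_CERT))))
    print("re-signed update accepted:", same_signer(installed, apk_signer_fingerprints(build_demo_apk(OTHER_CERT))))
```

The fingerprint alone tells you which certificate the file claims to be signed by; since anyone can embed any certificate in a zip entry, it only means something once the signature over the APK contents has been validated (for example with `apksigner verify --print-certs`, which handles v1 through v3). The useful defensive pattern is the comparison: record the fingerprint of the first install from a source you trust, and treat any later APK whose signer differs, from whatever repository, as a different app rather than an update.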

You can set up your own repo.