Slashdot Mirror


Yale Privacy Lab and Exodus Privacy's F-Droid Android App Store is a Replacement for Google Play That Features Only FOSS Apps That Don't Do Any Tracking (wired.com)

Google Play, the marquee Android apps store, is filled with apps that are riddled with hidden trackers that siphon a smorgasbord of data from all sensors, in all directions, unknown to the Android user. Not content with the strides Google has made to curtail the issue, Yale Privacy Lab has collaborated with Exodus Privacy to detect and expose trackers with the help of the F-Droid app store. From a report on Wired: F-Droid is the best replacement for Google Play, because it only offers FOSS apps without tracking, has a strict auditing process, and may be installed on most Android devices without any hassles or restrictions. F-Droid doesn't offer the millions of apps available in Google Play, so some people will not want to use it exclusively. It's true that Google does screen apps submitted to the Play store to filter out malware, but the process is still mostly automated and very quick -- too quick to detect Android malware before it's published, as we've seen. Installing F-Droid isn't a silver bullet, but it's the first step in protecting yourself from malware.

60 comments

  1. These aren't ... by Anonymous Coward · · Score: 2, Funny

    These aren't the F-ing droids you're looking for ... :-P

  2. Yay by Anonymous Coward · · Score: 1, Informative

    Now I can install all 4 Android apps that don't need access to everything on my phone.

    1. Re:Yay by TheMiddleRoad · · Score: 2

      5 apps, you idiot!

  3. Re:"announces" f Droid? by dos1 · · Score: 0, Troll

    The headline is garbage.

  4. Obligatory: Intel CPU Backdoor Report (Jan 1 2018) by Anonymous Coward · · Score: 0, Offtopic

    Intel shills down voted this to "Score: 0 Interesting" from the Intel thread, so I am spamming this to 3 non Intel threads in retaliation.

    Change log:
    2018/01/01 - Added 14 Useful Links. Disable Intel ME 11 via undocumented NSA "High Assurance Platform" mode with me_cleaner, Blackhat Dec 2017 Intel ME presentation, Intel ME CVEs (CVSS Scored 7.2-10.0)

    Intel CPU Backdoor Report
    The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

    What we know about Intel CPU backdoors so far:

    TL;DR version

    Your Intel CPU and Chipset is running a backdoor as we speak.

    The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

    30C3 Intel ME live hack:
    [Video] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
    @21:43, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.

    [Quotes] Vortrag:
    "the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker".

    "We can permanently monitor the keyboard buffer on both operating system targets."

    Decoding Intel backdoors:
    The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

    If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

    Backdoor removal:
    The backdoor firmware can be removed by following this guide using the me_cleaner script.
    Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

    2017 Dec Update:
    Intel ME on recent CPUs may be disabled by enabling the undocumented NSA HAP mode, use me_cleaner with -S option to set the HAP bit, see me_cleaner: HAP AltMeDisable bit.

    Useful links (Added 2018 Jan 1):
    Disabling Intel ME 11 via undocumented HAP mode (NSA High Assurance Platform mode)
    me_cleaner: Set HAP AltMeDisable bit with -S option
    Blackhat 2017: How To Hack A Turned Off Computer Or Running Unsigned Code In Intel Management Engine
    EFF: Intel's Management Engine is a security hazard, and users need a way to disable it
    Sakaki's EFI Install Guide/Disabling the Intel Management Engine
    Intel ME bug storm: Hardware vendors race to identify and provide updates for d

  5. Re: Just Said No to Android by Anonymous Coward · · Score: 0

    agreed, and just lol at anyone who can’t afford a real phone

  6. Hmmm by Anonymous Coward · · Score: 0, Troll

    So the previous submission regarding this story was pulled from the site, then resubmitted with the addition of F-Droid, which was originally posted in the comment section of the first submission-- then being purportedly stated as being announced as a new App store which has been active for years now.

    Good editing that.

    1. Re:Hmmm by Anonymous Coward · · Score: 0

      Yes, and it seems it has been edited for the 3rd time. Good editing indeed.

  7. Announce? by el+borak · · Score: 4, Insightful

    What's to "announce"? I've been running F-Droid for years.

    --
    An imperfect plan executed violently is far superior to a perfect plan. -- George Patton
    1. Re:Announce? by pnutjam · · Score: 1

      I wish there was an easy way to switch apps from play store version to f-droid version.

    2. Re:Announce? by TheMiddleRoad · · Score: 0

      Uninstall and reinstall? Not too difficult unless it's a lot of apps. Which it isn't because F-droid has relatively few useful apps.

    3. Re:Announce? by TheRaven64 · · Score: 1

      The problem is apps that maintain a lot of state outside of the SD card and don't have good export / import functionality. It's slightly annoying having to reenter login credentials.

      I don't really like it, but given that the alternative is to allow two apps with different signing certificates to access the same data (even with a 'train the user to click yes to security questions' box), I'm willing to put up with it. Almost all of the apps I have on my phone now are from F-Droid.

      --
      I am TheRaven on Soylent News
    4. Re:Announce? by Anonymous Coward · · Score: 0

      And then a hero comes along
      With the strength to carry on
      And you cast your fears aside
      And you know you can survive

    5. Re:Announce? by ctilsie242 · · Score: 1

      I've done it with Titanium Backup. Back up the app, dump it, load it from another source, restore your data. Of course, this is assuming the apps are at the same version level.

    6. Re:Announce? by pnutjam · · Score: 1

      I'm envisioning something that would tell you what apps are installed from play and available on f-droid.
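
One way to build the check described in the comment above, as an added example that is not part of the original thread or of the F-Droid project: it compares the installer recorded for each package against a repository index. The sample `pm list packages -i` output and the index fragment are constructed, and the index is assumed to follow the `apps` list layout of F-Droid's `index-v1.json`.

```python
import json
import re

PLAY_STORE = "com.android.vending"  # installer name recorded for Google Play
FDROID = "org.fdroid.fdroid"        # installer name recorded for the F-Droid client

# Constructed sample of `adb shell pm list packages -i` output (not real device data).
SAMPLE_PM_OUTPUT = """\
package:org.mozilla.fennec_fdroid  installer=org.fdroid.fdroid
package:org.videolan.vlc  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:net.osmand.plus  installer=com.android.vending
package:com.android.settings  installer=null
"""

# Constructed fragment; assumed to follow the "apps" list layout of F-Droid's index-v1.json.
SAMPLE_INDEX = json.dumps({
    "repo": {"name": "constructed sample"},
    "apps": [
        {"packageName": "org.videolan.vlc", "name": "VLC"},
        {"packageName": "net.osmand.plus", "name": "OsmAnd~"},
        {"packageName": "org.mozilla.fennec_fdroid", "name": "Fennec F-Droid"},
        {"packageName": "org.example.notinstalled", "name": "Not Installed"},
    ],
})

_PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_installers(pm_output):
    """Map package name -> installer package (None when Android recorded none)."""
    installers = {}
    for line in pm_output.splitlines():
        match = _PM_LINE.match(line.strip())
        if match is None:
            continue  # skip blank lines and anything that is not a package record
        package, installer = match.groups()
        installers[package] = None if installer == "null" else installer
    return installers


def fdroid_catalogue(index_json):
    """Map package name -> display name for every app listed in the repo index."""
    index = json.loads(index_json)
    return {
        app["packageName"]: app.get("name", app["packageName"])
        for app in index.get("apps", [])
        if "packageName" in app
    }


def switch_candidates(pm_output, index_json):
    """Apps installed by Google Play whose package name also exists in the index.

    A match means only that the package name is shared. The two builds are usually
    signed with different certificates, so Android will not update one over
    the other: switching means uninstalling first, which discards app data.
    """
    catalogue = fdroid_catalogue(index_json)
    return sorted(
        (package, catalogue[package])
        for package, installer in parse_installers(pm_output).items()
        if installer == PLAY_STORE and package in catalogue
    )


if __name__ == "__main__":
    for package, name in switch_candidates(SAMPLE_PM_OUTPUT, SAMPLE_INDEX):
        print(f"{name} ({package}): installed from Play, also in F-Droid")
```
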

    7. Re:Announce? by dargaud · · Score: 1

      Aren't they the same ? One app I'd installed from the store simply showed up in the F-droid list as installed.

      --
      Non-Linux Penguins ?
    8. Re:Announce? by Anonymous Coward · · Score: 0

      What's to "announce"? I've been running F-Droid for years.

      You mean like some sort of walled garden?

    9. Re:Announce? by TheMiddleRoad · · Score: 1

      Good point. Last Pass or similar might help, too.

    10. Re: Announce? by Anonymous Coward · · Score: 0

      Fuck you, I won't do what you tell me!
      Fuck you, I won't do what you tell me!
      Fuck you, I won't do what you tell me!
      Motherfucker!
      Uggh!

  8. SO what is the news? by jbmartin6 · · Score: 3, Informative

    It isn't clearly stated, but it seems the news is some additional collaboration to vet apps in F-Droid

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  9. No human wrote this article by Anonymous Coward · · Score: 0

    I'm an FDroid user and this article makes no sense whatsoever.

  10. Re: Just Said No to Android by Anonymous Coward · · Score: 0

    I think you're a Windows user who copied and pasted the curly apostrophe from Word to make iPhone users look bad.

  11. And now for Lineage OS! by Anonymous Coward · · Score: 0

    On my mobile devices, I run only
    Running Debian on my personal machines, and on mobiles Lineage OS and apps from f-droid store.
    With no social media or games (ok, 2048:) requirement, that suffices for me.
    Processor vulns notwithstanding, this feels right for me, so that's what I go with.

    And yea, headline sounds misleading. At best, they announce the collab with fdroid, not the fdroid store. The store has been around for years. Also, added the Guardian Project to my fdroid repos.

  12. Re:Just Said No to Android by Anonymous Coward · · Score: 0

    I am happy to be the fourth person in the world to own a Windows phone. I don't even mind the spyware, security holes and non-existent app library all that much.

  13. What is the point by jabberw0k · · Score: 1

    Why bother running free software on untrustworthy hardware with untrustworthy firmware running an untrustworthy operating system?

    1. Re:What is the point by Anonymous Coward · · Score: 0

      Why bother crying into the void without spending any time looking into stuff

      I guess you could fix some of your issues by running AOSP. Possibly more of it by using a Fairphone or something?

    2. Re:What is the point by Anonymous Coward · · Score: 3, Insightful

      Ah yes, you're the retard who turns up on every security related thread saying "Why bother to have any security when you can't have perfect security"
      Why even close your front door, they can just smash a window?
      Why bother walking on the sidewalk instead of on the road, you can still get run over?

      Do you have any idea how stupid you sound?

      Malicious apps are probably the biggest security problem on the Android platform. If you can live with the limited selection, Fdroid gives you almost complete protection against this.

    3. Re:What is the point by green1 · · Score: 1

      Because the alternative is running a stick on a chunk of rock. There is no such thing as a trustworthy computer at this point. Even if you trust every bit of software you've installed, we keep seeing more and more proof that the hardware isn't trustworthy, and there are really no viable alternatives when it comes to CPUs, motherboards, and graphics cards.

      Given that, you have to choose between the risks of some software that isn't as trustworthy as you might want, or running nothing at all. Being that you posted to slashdot, it seems you made the same choice as everyone else here in deciding to accept untrustworthy vs living in a cave.

  14. Longest headline? by Calydor · · Score: 1

    The headline is almost two full lines on my screen; longest yet on Slashdot?

    --
    -=This sig has nothing to do with my comment. Move along now=-
    1. Re:Longest headline? by DontBeAMoran · · Score: 1

      I need to increase the text size once since it's too small by default. On my old 4:3 monitor it means that headline takes three full lines on my display.

      --
      #DeleteFacebook
  15. Re:"announces" f Droid? by DontBeAMoran · · Score: 0

    The headline is extremely long garbage.

    --
    #DeleteFacebook
  16. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  17. Re:Obligatory: Intel CPU Backdoor Report (Jan 1 20 by Cajun+Hell · · Score: 1

    I am spamming this to 3 non Intel threads in retaliation

    A pro-spam shill posted some spam, so I need to post some Intel-shilling propaganda to three unrelated threads. Anyone have suggestions on what threads I should pollute with my unofficial Intel ads?

    --
    "Believe me!" -- Donald Trump
  18. They can't handle the load by Anonymous Coward · · Score: 0

    Seems to me that if you want to advertise yourself as an alternative app store, you might want to make sure you can actually handle it. The F-Droid site takes a long time to load, all images broken, etc. Was able to install the app and it's apparently trying to update the repositories.....for the last five minutes.

    Pass.

  19. Worth The Risk? by Thelasko · · Score: 2

    I ran F-droid a few years ago. Sure, the apps are FOSS, and in theory more secure. However, you have to allow non Play Store apps system-wide (unless something changed). This is a vulnerability I am not willing to accept. Especially since most of the apps on F-droid are in the Play Store too.

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    1. Re:Worth The Risk? by TheMiddleRoad · · Score: 2

      Yes, but it's not like apps can automatically install from other sources. You still have to accept them. Also, Google Play has all sorts of crooked, spying apps. It's not like it's an especially safe source. Better than most. Worse than Fdroid. I use both. I did uninstall Amazon Underground. That shit is pure spyware.

    2. Re:Worth The Risk? by Anonymous Coward · · Score: 2, Informative

      In Android Oreo you can control this per-application. Under Apps & notifications -> Special app access -> Install unknown apps.

      If you're stuck using a version of Android older than Oreo then disable the feature of installing from unknown sources when you're not using it and enable it when you want to install from F-droid.

    3. Re: Worth The Risk? by Anonymous Coward · · Score: 0

      In fact, Google Play Services itself is a spying app. (Go on and check what permissions it requires by default, which you usually can't revoke in non-rooted Android. And I'm pretty sure they use it as well, since when I used Google Maps, Google started asking me to review restaurants I'd been to even though I had revoked Google Maps ability to remain active in the background and hadn't used it for over a month due to trying out Maps.me as a replacement.)

    4. Re: Worth The Risk? by Thelasko · · Score: 2

      In fact, Google Play Services itself is a spying app. (Go on and check what permissions it requires by default, which you usually can't revoke in non-rooted Android. And I'm pretty sure they use it as well, since when I used Google Maps, Google started asking me to review restaurants I'd been to even though I had revoked Google Maps ability to remain active in the background and hadn't used it for over a month due to trying out Maps.me as a replacement.)

      Google Play Services has consumed a bunch of other apps that used to do various tasks. For example, it is responsible for managing all requests to the GPS card. It's like the Android equivalent of systemd.

      --
      One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    5. Re:Worth The Risk? by Anonymous Coward · · Score: 0

      I have F-Droid on my Nexbit running lineage, but I also have Play Store only for installing some apps that will never be available in F-Droid. Until the not in touch with reality FOSS pushers realize they need a compromise and stop pushing apps that have the quality inspection done by a chimpanzee it will not take off. The reason that Redhat/Ubuntu are popular is that they realized this and include those as a repo/non-free etc.

    6. Re:Worth The Risk? by green1 · · Score: 3, Interesting

      Something has changed. Allowing non-playstore apps is now assigned as a permission specific to each app. So you can let F-Droid install these apps without letting any other app do so.

      That said, the Play store has so much more content, of much better quality apps, that really the only use for f-droid is for apps that Google doesn't approve of, like ad-blockers (if you want one that actually works, you won't find it on the play store)

    7. Re:Worth The Risk? by Anonymous Coward · · Score: 0

      I started using fdroid awhile back and quickly most of my apps came from it. For the apps that did not, a lot were Google.

  20. Re:"announces" f Droid? by psm321 · · Score: 1

    undoing bad mod

  21. Re:"announces" f Droid? by higuita · · Score: 2

    Actually f-droid improved a lot in the last years... no, it will not replace google store yet nor in anytime soon, but it is going in the good path

    --
    Higuita
  22. Re:"announces" f Droid? by dos1 · · Score: 2

    Even after the change, the headline is still garbage. And I'm not trolling, it's just plain wrong and misleading. Somebody read the Wired article, misunderstood it and wrote this headline.

    Yale Privacy Lab and Exodus Privacy started to *collaborate* with F-Droid, a long-standing free software project endorsed by FSF.

    Check out the true source: https://www.f-droid.org/en/201...

  23. Longest Title by Anonymous Coward · · Score: 0

    This must be the longest title in Slashdot history.

    Yale Privacy Lab and Exodus Privacy's F-Droid Android App Store is a Replacement for Google Play That Features Only FOSS Apps That Don't Do Any Tracking

    Including spaces, that's 152 characters. :D

  24. Re:Look its APK's slightly less retarded brother by Anonymous Coward · · Score: 0

    APK actually has a good method for blocking Intel AMT-ME from your router using port filtering and it gets upmods https://yro.slashdot.org/comments.pl?sid=11605941&cid=55919181/ left and right like no tomorrow every time he posts it.

  25. ... doesn't offer the millions of apps by Anonymous Coward · · Score: 0

    ... a smorgasbord of data from all sensors ...

    When every developer added 'microphone' to their permissions, I went through and checked applets weren't accessing the Contact or Calendar lists, and Internet. This has been made more difficult because later versions of Android automatically (and secretly) allow full network access.

    ... a smorgasbord of data from all sensors ...

    This is why I do not use my phone or tablet for email, ever. (Everyone forgets this is how Facebook builds its friends network for people.) It's not difficult to find a PC and if it's really urgent, there's SMS.

    ... offers FOSS apps without tracking ...

    Translation: Apps that don't use the internet, ever. Since many applets have DLC, perform cloud storage tasks, perform their own license checks, or use server-driven voice processing, that means most apps won't qualify.

    Three of the 5 free, no-DLC apps I use, aren't on this list. One of them is market leader and highly rated, the other provides features that its competitors don't. The third doesn't use the internet so it should be on the F-droid list.

  26. Used F-Droid ever since, no Google on my Android by ffkom · · Score: 3, Insightful

    ... devices. I have yet to miss anything, F-Droid has more "Apps" than I would ever want to install. My smartphone is still a phone, it is not a gaming console. Everything regarding communication or navigation is covered by the applications on F-Droid. Never felt a tickle to create a "google account" or to install anything from that "play store", which has a correct and telling name.

  27. Re:"announces" f Droid? by Anonymous Coward · · Score: 0

    Actually f-droid improved a lot in the last years... no, it will not replace google store yet nor in anytime soon, but it is going in the good path

    Post-Snowden I would argue that yes, F-Droid is getting better, but at a snail's pace. Of course it was quite a few years after Snowden that amazon finally went https. Of course around the same time, we were orwellianly told that in addition to chocolate rations going up, that our ISPs had always been allowed to freely sell our metadata to the highest bidder unlike landline phone companies.

    F-Droid will get a ton better in the next year just because it would be too embarrassing if it didn't.

    You still can't build an android app with pure debian (though that milestone has been on their wiki for some time now). Once a useful subset of f-droid's apps can be built reproducibly with pure-debian, then I'll start to be anything but very unimpressed.

  29. Re: "announces" f Droid? by Anonymous Coward · · Score: 0

    Except for its new gui design that sucks major balls. Super unintuitive.

  30. Re:Used F-Droid ever since, no Google on my Androi by Anonymous Coward · · Score: 1

    +1, I was given an "old" mid range phone from 2014, unusable because it had only 8GB of storage and a plain android install would pretty much take 7.5GB...(with all the unnecessary google crapware that you can't remove).

    Installed lineageos without the gapps (google apps, requirement for playstore, facebook, etc). Now it takes around 2GB and runs like a new smartphone.
    My only complaint would be the lack of push notification email without gapps.
    F-droid is fine, if you are out of the social media garbage.

  31. Not only that by sad_ · · Score: 1

    you get open apps, without adware, built-in trackers but have you looked at the size of them?
    much smaller than what you normally find on the play store, that is what you get when you leave out all of the bits nobody wants in the first place.

    --
    On a long enough timeline, the survival rate for everyone drops to zero.