The only app I can’t live without. Except for gboard, all of my applications are Foss. There is no competition for gboard’s swipe typing, not to mention its many capabilities like as searching for gifs, stickers, being able to paste copied images, translating, and so on. I’d like to know how I can use gboard while maintaining my privacy. According to what I’ve heard, it sends all typing data to Google’s server. If you ask me, that’s a massive no-no. Do you have any suggestions?

  • argv_minus_one@beehaw.org
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    1 年前

    From your quote: “It really shouldn’t be compared to the Android platform in any way.”

    I quoted that because it’s part of the borderline misinformation. Security is security. Malware is malware. Android isn’t magical and neither is desktop Linux. They absolutely can be meaningfully compared.

    And where exactly does it downplay reproducible builds ? “reproducible builds are not as common as we would have wanted.”

    Ah, you’re right. I misread that part, sorry.

    I’m just trying to spread security awareness.

    So am I. I’m an ornery old Linux nerd and security snob. I’d excise all proprietary software from my home and office if I could, precisely because it has such an appalling track record and the blatantly unnecessary attack surfaces of DRM and telemetry.

    Can F-Droid be more secure than it is? Sure. Do the issues described in this paper mean F-Droid is so rampantly insecure that even Play is safer? Absolutely not.

    By the way, I’m not sure I understand how Neo Store is supposed to be more secure, as it’s supposedly just an alternative UI for F-Droid. As for Obtainium, it’ll protect you from malfeasance or compromise on the part of the F-Droid repository, but it won’t protect you from malicious app developers, and unless I’m mistaken, the latter is a much more common threat.

    • user@infosec.pub
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      1 年前

      “I quoted that because it’s part of the borderline misinformation. Security is security. Malware is malware. Android isn’t magical and neither is desktop Linux. They absolutely can be meaningfully compared.”

      That’s why the author said it’s tempting. You cannot compare desktop Linux to Android. Android is light-years ahead in terms of security than desktop Linux will ever be.

      If you install Debian on your machine then that means you trust the Debian developers. If you trust the Debian developers then that means that you trust their repositories. The same cannot be said about Android. If you, for example, install GrapheneOS you’re trusting the graphene developers for the OS and the individual developers for their individual apps you install on your phone.

      On Android a compromised user doesn’t have root, on ordinary Linux desktops, a compromised non-root user with access to sudo is equal to a full root compromise. On a Linux desktop with Xorg you can easily keylog everything with one malicious app(that app automatically gets these permissions without prompting you), with modern Android that’s not even an option(you’d need to accept all of these invasive permissions yourself, unless the app has a zero day that can bypass permissions).

      The list goes on and on and on. You can read more here

      “Ah, you’re right. I misread that part, sorry.”

      No biggie :D

      “By the way, I’m not sure I understand how Neo Store is supposed to be more secure, as it’s supposedly just an alternative UI for F-Droid.”

      Neo store has the highest target SDK currently so it can use security and privacy APIs that Android provides with each new version. That alone is one of the biggest reasons to use neo store over native F-Droid. It shows you the target SDK, permissions (Way more understandable than whatever F-Droid does) & trackers for the apps you want to install. So you can make a more informed decision if you want that app installed.

      “As for Obtainium, it’ll protect you from malfeasance or compromise on the part of the F-Droid repository, but it won’t protect you from malicious app developers, and unless I’m mistaken, the latter is a much more common threat.”

      You are adding more attack surface when using F-Droid, but when using Obtainium, you have one less attack surface. Instead of worrying about malicious F-Droid developers and malicious app developers, you only worry about the latter. Malicious app developers can still publish to F-Droid without F-Droid getting compromised.