What is F-Droid and should you use it?

Posted on June 23rd, 2023 in How-to.

 

F-Droid is an app store for Android that features only free and open-source software (FOSS). This makes it a welcome alternative to the privacy-invading Google Play Store.

In this article, we look at what F-Droid is, why you might want to use it, and how to use it. We also examine some concerns about F-Droid. 

What is F-Droid?

Like the Play Store, F-Droid is an app repository that offers a curated collection of apps that are free of charge, contain no proprietary software, and adhere to open-source principles. This means the source code of the apps is openly available, allowing you to verify their security, privacy features, and functionality. 

F-Droid is developed and maintained by a community of volunteers and aims to provide a privacy-friendly and transparent app ecosystem. You can download apps from the F-Droid repository, and F-Droid will help you keep them updated.  

This focus on FOSS aligns with Proton’s principles of transparency and user empowerment, which is why the Proton VPN app is available on F-Droid.

Unlike the Play Store, there’s no need to register for an account to use F-Droid.

Why use F-Droid?

There are two main reasons to use F-Droid.

1. It’s not the Google Play Store

Google’s entire (and very profitable) business model is to learn as much about you as possible so that it can target you with highly personalized ads. 

When you download and use apps from the Google Play Store, Google collects a great deal of data about you. This includes information about your device, how you use the app, where you use the app (location data), and more. All of this is tied to your real identity and combined with other information Google collects on you from its many other apps, services, and trackers.

Additionally, many apps on the Google Play Store incorporate third-party tracking libraries or software development kits (SDKs). These tracking mechanisms allow app developers and third-party companies to collect information about your behavior, interests, and usage patterns across different apps and websites. 

The Amazon Store for Android, which is also proprietary, suffers from similar issues. 


2. Open-source apps

F-Droid provides an easily browsable repository of curated open-source apps, many of which aren’t on the Play Store. Open-source apps are, of course, also available on GitHub and similar platforms (this is part of what makes them open source), but there’s no easy update mechanism for APK files downloaded directly from their developers. F-Droid provides such a mechanism. 

F-Droid makes it much easier to find, install, and update open-source Android apps. Many people also view using F-Droid as a way to support the free and open-source community.

What are the best F-Droid apps?

There are many great apps on F-Droid, many of which aren’t on the Play Store. Even when an app is also on the Play Store, installing it from F-Droid removes Google from the equation.

The following list is by no means comprehensive, but it provides a sample of some of the high-quality apps available on F-Droid. Please note that Proton VPN hasn’t formally reviewed any of the apps listed here and in no way endorses them (except Proton VPN, of course). 

1. Proton VPN – A Swiss no-logs VPN service from the makers of Proton Mail. You can choose between multiple VPN protocols (including WireGuard and our Stealth obfuscation protocol) or let Smart protocol choose the best option for you. Our Android app features a kill switch, split tunneling, VPN Accelerator, alternative routing, NetShield Ad-blocker, and more. 

2. Fennec F-Droid – An open-source browser based on the latest version of Firefox, but with additional tracking protection and proprietary bits and telemetry removed. Not available on the Play Store. 

3. Droid-ify/Neo Store/Aurora – Unofficial F-Droid apps that offer an improved experience for accessing the F-Droid repository. See below for more details. Needless to say, these apps are not available on the Play Store. 

4. Open Camera – An open-source camera app that supports HDR, face detection, video and audio recording, auto-stabilize, and more. Unlike the version available on the Play Store, the F-Droid version of Open Camera is completely ad-free.

5. DuckDuckGo Privacy Browser – We removed DuckDuckGo from our Best browsers for your privacy list because it is only partially open-source. The F-Droid version, however, is fully open source. 

It offers extensive anti-tracking features, forces HTTPS connections by default, has a “Fire” button to easily burn your browsing history, and can be locked and unlocked using biometrics. One of its more innovative features is its Privacy Grade — a scorecard for companies’ terms of service. And, of course, the app uses DuckDuckGo as its search engine.

However, it has a unique fingerprint, and the lack of any syncing function limits its usefulness as a general-purpose browser.

6. OsmAnd + – An open-source map app that uses OpenStreetMap (OSM) data and features offline maps, real-time voice and display navigation, and more. No, it’s not as good as Google Maps, but it also doesn’t track you everywhere you go. 

7. Music – A good-looking (Material) music player with Android widgets that does everything you need a local music player to do. This app auto-downloads artist and album art, allows you to edit songs’ tags and metadata, has a sleep timer, and more.

8. AnySoftKeyboard – A keyboard with support for multiple languages, gestures, an emoji keyboard, a dictionary, virtual keys, and voice data entry. And unlike your phone’s default keyboard and most commercial keyboards, it won’t spy on everything you type. 

How to use F-Droid

F-Droid is an app repository. You can access this repository (and other F-Droid-compatible repositories — see below) using the official F-Droid app, but many people prefer to use unofficial third-party apps instead. 

Among the most notable of these are Droid-ify, Neo Store, and Aurora Droid. You can run as many of these on your device at the same time as you like, and they will all notify you about updates for any F-Droid app.

The official F-Droid app features a rather clunky user interface. It also targets the outdated Software Development Kit (SDK) used for Android 7.1 (released in 2016), which means it lacks more recent security and privacy improvements.

Most notably, apps compiled using older SDKs have weaker sandboxing (a security mechanism Android uses to isolate apps so that if they fail or are compromised, the damage is more easily contained). 

That said, the official F-Droid app generally does what it’s supposed to do. You can browse and install apps by category and receive notifications when app updates are available. 

The official F-Droid app

You must update apps from F-Droid manually, but this is a one-tap process. (Automatic update and installation are possible, but only if you have a rooted device. Note that Google applies this limitation via the Android OS, and it applies to all F-Droid repo apps.) 

Updating apps is a one-tap process

F-Droid also clearly flags anti-features that you may not like, such as advertising, tracking, or dependence on non-free software, in the app descriptions.

The app description will warn you about anti-features

Unofficial F-Droid repo apps offer improved user interfaces, target up-to-date Android SDKs, feature easy repository management (see below), and more. Below, we see Neo Store, which in typical FOSS fashion is a fork of Droid-ify, which is itself a fork of the also-popular Foxy-Droid.

The Neo Store app

F-Droid repositories

As already noted, F-Droid is an app repository. There also exist numerous other open-source app repositories that are fully compatible with F-Droid. These are libraries of apps that are at least somewhat curated by their owners and can offer interesting apps that aren’t available on the official F-Droid repository. 

Most of them pull APKs directly from their GitHub pages, so they’re digitally signed by their developers. However, you use third-party repositories at your own risk. 

You can add these external repos to the official and unofficial F-Droid apps. 


Unofficial apps such as Droid-ify offer greatly improved repo management over the official F-Droid app.

The popular Guardian Project repo specializes in privacy and security apps and is now included in the official F-Droid app by default. The IzzyOnDroid and Bromite repositories are also well regarded (but aren’t endorsed by Proton VPN).

Is F-Droid safe?

F-Droid provides a convenient way to find, download, and update open-source Android apps. To be allowed onto the F-Droid repository, apps are scanned for malware (using VirusTotal) and undergo a security check to ensure they meet F-Droid’s free software requirements. 

However, these checks are (in the F-Droid team’s own words) “basic”. By their very nature, open-source apps are more likely to be secure than closed-source apps, but this can’t be guaranteed. Then again, it can’t be guaranteed for apps on the Play Store either. 

In January 2020, a critique of multiple aspects of F-Droid’s security was published on PrivSec.dev and widely shared in the privacy community. For those serious about security, this document bears close reading. The most serious criticisms can be summarized as:

1. Apps are signed by F-Droid, not the app developers

On most app stores, apps are signed by the app developer. F-Droid, on the other hand, builds all apps from their source code and then signs them with its own key (a limited number of reproducible builds are exempted from this policy).

This offers a security advantage as long as you trust the F-Droid team, as it prevents malicious developers from adding code to their APKs that’s not present on their GitHub pages. However, it also means you need to trust another party (F-Droid). 

It should also be noted that since August 2021, Google signs apps on the Play Store. 

2. Slow updates

Regular updates are important, as they often fix pressing security vulnerabilities. The fact that the F-Droid team must review, build, and sign apps means there can be quite a delay between apps being updated and the updates appearing on F-Droid. 

This problem is compounded by F-Droid’s prohibition against apps using proprietary code. The result is that many apps have a different F-Droid version to comply with these rules, which requires extra time to maintain. 

3. Obsolete apps

We’ve already discussed how the official F-Droid app targets an old SDK (which is a problem fixed by most unofficial F-Droid apps). Unfortunately, this is also true of the F-Droid repository itself. 

This helps with backward compatibility (always an issue on Android devices) but also means that the F-Droid repo is full of apps that haven’t received security updates for years. 

You should always check when an app you plan to install was last updated on F-Droid. This information is available on its download page. 
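The same check can be scripted across a whole repository rather than one download page at a time. The following is an added example, not code from F-Droid or from this article. It assumes a repository index shaped like F-Droid's index-v1.json (an "apps" list with lastUpdated in epoch milliseconds and a "packages" map with targetSdkVersion per version). The package names, the two-year age limit and the API 28 floor are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the assumed index-v1.json layout; all values are made up.
SAMPLE_INDEX = json.loads("""
{
  "apps": [
    {"packageName": "org.example.fresh",  "lastUpdated": 1684000000000},
    {"packageName": "org.example.stale",  "lastUpdated": 1500000000000},
    {"packageName": "org.example.oldsdk", "lastUpdated": 1683000000000}
  ],
  "packages": {
    "org.example.fresh":  [{"versionCode": 12, "targetSdkVersion": 33}],
    "org.example.stale":  [{"versionCode": 3,  "targetSdkVersion": 29},
                           {"versionCode": 2,  "targetSdkVersion": 26}],
    "org.example.oldsdk": [{"versionCode": 7,  "targetSdkVersion": 25}]
  }
}
""")

def audit(index, now, max_age_days=730, min_target_sdk=28):
    """Return {packageName: [reasons]} for apps that look unmaintained.

    max_age_days and min_target_sdk are example thresholds (assumptions);
    pick values that match your own threat model.
    """
    findings = {}
    for app in index.get("apps", []):
        pkg = app["packageName"]
        reasons = []
        # lastUpdated is stored in milliseconds since the Unix epoch.
        last = datetime.fromtimestamp(app.get("lastUpdated", 0) / 1000, tz=timezone.utc)
        age_days = (now - last).days
        if age_days > max_age_days:
            reasons.append(f"last updated {age_days} days ago")
        versions = index.get("packages", {}).get(pkg, [])
        if versions:
            # Judge the app by its newest build, not by old builds kept in the repo.
            newest = max(versions, key=lambda v: v.get("versionCode", 0))
            target = int(newest.get("targetSdkVersion", 0))
            if target < min_target_sdk:
                reasons.append(f"targets API {target}")
        if reasons:
            findings[pkg] = reasons
    return findings

if __name__ == "__main__":
    as_of = datetime(2023, 6, 23, tzinfo=timezone.utc)  # this article's date
    for pkg, reasons in audit(SAMPLE_INDEX, as_of).items():
        print(pkg, "->", "; ".join(reasons))
```
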

So is F-Droid safe? This depends on your threat model. The above concerns (and others raised in the article) are valid, but for many people, F-Droid’s convenience outweighs its downsides. 

Are there any F-Droid alternatives?

Other than proprietary app stores such as the Play Store or the Amazon Store, not really. However, if the security issues raised above concern you, there is another option. 

You can manually download and install APKs directly from the developers’ GitHub pages (or even compile them from source if you have the technical skills). You can then use an RSS reader to monitor each app’s GitHub Releases page to receive a notification when an update is available.
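The update check an RSS reader performs can also be automated. The following is an added example, not code from this article or from any project it mentions. It assumes the Atom feed GitHub serves at https://github.com/<owner>/<repo>/releases.atom, with the release tag as the last path segment of each entry's link. The feed content, project name and tags are constructed.

```python
import re
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
STABLE_TAG = re.compile(r"^v?(\d+(?:\.\d+)*)$")  # rejects -rc1, -beta and similar

# Constructed feed in the assumed shape of a GitHub releases.atom document.
BASE = "https://github.com/example/exampleapp/releases/tag/"
SAMPLE_FEED = f"""<feed xmlns="http://www.w3.org/2005/Atom">
  <entry><updated>2023-06-15T09:00:00Z</updated>
    <link rel="alternate" href="{BASE}v2.10.0"/></entry>
  <entry><updated>2023-06-10T10:00:00Z</updated>
    <link rel="alternate" href="{BASE}v2.10.0-rc1"/></entry>
  <entry><updated>2023-05-01T08:00:00Z</updated>
    <link rel="alternate" href="{BASE}v2.9.1"/></entry>
  <entry><updated>2023-04-02T08:00:00Z</updated>
    <link rel="alternate" href="{BASE}v2.9.0"/></entry>
</feed>"""

def parse_version(tag):
    """Turn 'v2.10.0' into (2, 10, 0); return None for pre-release tags."""
    m = STABLE_TAG.match(tag)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def newer_releases(feed_xml, installed):
    """List (tag, url, updated) for stable releases newer than `installed`."""
    current = parse_version(installed)
    if current is None:
        raise ValueError(f"cannot parse installed version: {installed!r}")
    found = []
    for entry in ET.fromstring(feed_xml).iter(ATOM + "entry"):
        link = entry.find(ATOM + "link")
        if link is None:
            continue
        url = link.get("href", "")
        tag = url.rsplit("/", 1)[-1]
        version = parse_version(tag)
        # Compare numerically: as strings, "2.9.1" would sort above "2.10.0".
        if version is not None and version > current:
            found.append((version, tag, url, entry.findtext(ATOM + "updated", "")))
    found.sort(reverse=True)  # newest version first
    return [(tag, url, updated) for _, tag, url, updated in found]

if __name__ == "__main__":
    for tag, url, updated in newer_releases(SAMPLE_FEED, "2.9.1"):
        print(f"update available: {tag} ({updated}) {url}")
```

An APK downloaded this way should carry the same developer signature as the copy already installed; Android will refuse to install an update whose signing certificate differs.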

Final thoughts

F-Droid is by no means perfect, but it nevertheless performs an invaluable service for the open-source community. There are hundreds of high-quality apps that provide excellent privacy-friendly alternatives to commercial proprietary software. If your threat model allows it, there is no easier way to find ones that work for you, install them, and keep them up-to-date.

Starting with ProPrivacy and now Proton, Douglas has worked for many years as a technology writer. During this time, he has established himself as a thought leader specializing in online privacy. He has been quoted by the BBC News, national newspapers such as The Independent, The Telegraph, and The Daily Mail, and by international technology publications such as Ars Technica, CNET, and LinuxInsider. Douglas was invited by the EFF to help host a livestream session in support of net neutrality. At Proton, Douglas continues to explore his passion for privacy and all things VPN.
