Most active commenters
  • JohnFen(3)

←back to thread

Everyone knows all the apps on your phone

(peabee.substack.com)
1192 points gniting | 12 comments | 29 Mar 25 21:26 UTC | HN request time: 0.404s | source | bottom
1. dTal ◴[29 Mar 25 23:46 UTC] No.43519791[source]
Another fantastic reason to strictly only install apps from F-Droid.
replies(2): >>43519959 #>>43521143 #
2. JohnFen ◴[30 Mar 25 00:22 UTC] No.43519959[source]
How does that address the problem? Does F-Droid do some sort of additional screening to keep out apps that do this?
replies(2): >>43520038 #>>43520090 #
3. marcodiego ◴[30 Mar 25 00:35 UTC] No.43520038[source]
First, f-droid only accepts OSS apps, so the incentives for spyware is simply not there. Second, anti-features are explicitly marked on f-droid. Third, f-droid apps are curated like a very rigorous linux repo.
replies(1): >>43520208 #
4. dandersch ◴[30 Mar 25 00:44 UTC] No.43520090[source]
packages on f-droid list all required permissions explicitly, and the mentioned permission seems to be listed as "query all packages: Allows an app to see all installed packages.". It doesn't mark the app as having "anti-features", but you can at least make a more informed decision this way.
replies(2): >>43520186 #>>43521191 #
5. JohnFen ◴[30 Mar 25 00:58 UTC] No.43520186{3}[source]
That's pretty cool, but the article says that most apps that are doing this sort of thing aren't using the query all packages permission and instead are using the facility to provide a specific list of apps they're checking for, which is not permission-gated.
replies(1): >>43520962 #
6. JohnFen ◴[30 Mar 25 01:01 UTC] No.43520208{3}[source]
Being an OSS app is not sufficient protection. Most OSS apps aren't terribly misbehaved, but some are. Being OSS in and of itself is not anything like a guarantee with this sort of thing.

> Third, f-droid apps are curated like a very rigorous linux repo.

Yes, I know. My question is is this one of the things they're screening for?

replies(1): >>43521238 #
7. wkat4242 ◴[30 Mar 25 03:16 UTC] No.43520962{4}[source]
It is. It specifically says that the apps must be declared in the manifest like other permissions. So it's a specific permission for each app really. F-Droid could query that if it wants to (not sure if it does)
replies(1): >>43521838 #
8. hnburnsy ◴[30 Mar 25 03:48 UTC] No.43521143[source]
My daily driver has minimal apps, most from F-Droid. An old iPad on my IOT network has any other apps needed.
9. duskwuff ◴[30 Mar 25 03:55 UTC] No.43521191{3}[source]
> It doesn't mark the app as having "anti-features"

I suppose they must be too busy ticking off "anti-features" like "can communicate with non-Free services" to notice that sort of thing.

(No, really. F-Droid will tag applications like a Mastodon client as having "anti-feature: Non-Free Network Services", presumably because it can be configured to connect to servers running non-free software?)

10. throwaway290 ◴[30 Mar 25 06:27 UTC] No.43521838{5}[source]
Did you stop reading before the post got to the MAIN loophole that doesn't require the list of apps in the manifest? How does F-droid describe MAIN?
replies(1): >>43523164 #
11. wkat4242 ◴[30 Mar 25 10:59 UTC] No.43523164{6}[source]
Yeah I did as the article was a bit long. But I'm sure this is detectable too as it must be in the manifest.
replies(1): >>43525994 #
12. throwaway290 ◴[30 Mar 25 17:45 UTC] No.43525994{7}[source]
The article already showed it is detectable. But it is not detected by Google and I am unclear if F-Droid detects it either...