F-Droid: an alternative to Google Play

It is important to talk about Android at Linux conferences like linux.conf.au, Peter Serwylo said to start his talk. Android is deployed on millions or billions of devices, but it does suffer from some problems that F-Droid, an alternative Android app store, tries to address. The title of his talk noted that F-Droid is private, secure, free, and open, all of which are desirable traits for many in our community.

Serwylo got interested in Android because it was running on the first smart device he ever owned. He chose Android because he was getting interested in free software and recognized that Android was a well-supported version of Linux that was available on lots of different devices. But he found that the Android experience was not quite the "Linux experience that you are used to".

To start with, the first thing you have to do with a new Android phone is to sign into a Google account. Part of that is agreeing to the terms of service. There is a helpful "Skip" button, but if you use that, you cannot install any apps on the device. If Debian's installation had something similar, it would not be tolerated by most. But phone makers that want to distribute Android must do it "the Google way", which includes installing the Google Play Services that require the sign-in and agreement. That is the "Google Android experience", which he is not particularly interested in, he said.

So instead of Android the product, he wanted to focus on Android the technology as embodied in the Android Open Source Project (AOSP). It is the free system that he was hoping for, he said. AOSP is a Linux kernel and a bunch of user-space pieces that app developers use. As an app developer who cares about freedom, he is interested in the Android Framework that is released as part of AOSP. If an app developer wants their program to work on as many devices as possible, they will use the Android Framework; this allows alternative operating systems to still be able to run the apps that are available for Android.

For those who do not like the Google experience for one reason or another, there are some different "ROMs" available to install. These ROMs typically come with scary instructions on how to install them, however. It used to be that you would go to the XDA Developers Forum and get pointed off at some site where you could download the software to run on a device that you carry everywhere; there are now some established ROM projects. Three of the most prominent ROMs are LineageOS (formerly CyanogenMod), which is focused on supporting many devices, Replicant, which has a focus on freedom, and CopperheadOS, which has a security focus. These are well-run projects that provide an experience that is much more like a regular Linux distribution.

But even if you run one of the alternative ROMs, you will want to get software on your phone, he said. One of the common questions for users of those distributions is "how do I install the Play store?" The answer is to download the app (and supporting libraries) from a dodgy site, which is all rather scary. In addition, doing so means you have no license to actually run the code.

Enter F-Droid

This is where F-Droid comes in, Serwylo said. F-Droid provides an alternative to Google Play. There are actually lots of app stores in the Android world; this is different from the Apple world that is largely locked into a single app store. The most famous alternative Android app store is probably Amazon's, which sells the Amazon experience rather than the Google experience. There are many others, however, that typically spring up out of necessity. For example, China blocks access to the Play store, so there are multiple alternative stores. Another is APTDroid, which is what F-Droid was forked from after APTDroid moved away from a focus on freedom. There are many of them out there, some with a regional focus (e.g. Iran), and F-Droid is just another, but it is one that he thinks is much better than the others.

The F-Droid app has the features one would expect from an app store. You can search and browse for apps, get notified of updates, and so on. There are app categories for browsing and all of the searching is done offline, "which is nice", he said. You can look at the details of an app, including screen shots; unlike other app stores, F-Droid publishes older versions of the apps too.

There are other things that F-Droid does that other app stores don't. For example, you can turn your phone into a mini app store; others can download apps from your phone using Bluetooth or wifi. That feature is particularly nice in places where the internet is not easily (or reliably) available. You can still keep the Play app installed if you have the F-Droid app; in addition, the F-Droid app can access multiple repositories beyond just the official one. All of the apps on the official repository are free software, but Serwylo recommends that new users keep the Play store; "otherwise you might be horrified at the amount of stuff you are missing out on".

F-Droid is really a package manager for Android. Packages are built from source and signed by F-Droid, but no account is needed to download these packages. So there is no user tracking; in addition, there is no advertising in the store. It works like package managers for regular Linux distributions. Decentralization is also part of the puzzle since multiple repositories are supported; anyone can spin up their own, much like personal package archives (PPAs) for Ubuntu.

There is a "big stack of software" that makes up F-Droid, starting with the fdroidclient, which is the app that the user sees. Some who have rooted their phones can install the privileged-extension, which gives F-Droid the same level of access as the Play app. The fdroidserver is a bunch of command-line tools for curating an F-Droid repository: building and signing packages, producing metadata, and uploading packages. Build metadata for over 2000 open-source apps is stored in the fdroiddata repository, while new apps can be added by using the rfp (request for packaging) repository. There are some other parts and pieces, but those are the most important, he said.

Part of the reason that the F-Droid project cares so much about "privacy, security, and freedom" is that many of its users are vulnerable. They are activists and civil libertarians in places where the government does not want that, for example. That means it is important for those users to protect themselves and their personal devices.

Getting an app onto F-Droid

Serwylo then stepped through the process of getting an app onto F-Droid while highlighting some of the privacy, security, and freedom considerations at each step. It was meant to be a "whirlwind tour of how we take care of the user".

The first step is sourcing the app, perhaps from a GitHub repository. In order to be added, the app must be free and open-source software and must not depend on Google's Play Services. The app developer would submit a request for packaging, which will (eventually) get picked up by one of the two or three active maintainers (more help needed here, he said). The maintainers will create the build metadata after ensuring that the app does not depend on non-free software; they will also flag any anti-features that they find, though some may slip through. For example, if the upstream of the app is non-free, such as for a GitHub client, that will be noted for the package metadata.

The next step is to build the app. Building thousands of apps "could be considered a dangerous pastime from a security perspective", as the F-Droid documentation notes. This is handled by building each app inside its own virtual machine, which is connected to the internet so that dependencies can be fetched. Unfortunately, the Java Maven repository provides no real way to check the signatures on its packages, which is a bit of a hole at this point, he said.

Something that could be done to thwart a man-in-the-middle attack against the F-Droid build machine would be to have verification servers that also build the package. If reproducible build techniques are used, the hashes of those packages can be compared. There is a verification server running, but that information is not used by the client at this point. It would be great ("contributions welcome") if the client could check with three separate servers. Serwylo did not mention it specifically, but given the difficulty of checking Maven signatures, having packages replaced with malicious versions would still seem to be a problem.

Next up is signing packages. Android has "quite a nice signing model", he said; it will only install signed packages and will only update a package that is signed by the same key as the original package was. There are several different levels of signing, from a developer signing on their laptop that is on the open wifi at some local restaurant (not recommended, of course) to using an air-gapped machine and hardware security module for signing. The latter is what F-Droid uses.

But there is still a problem. If a user has installed an app from the Play store, which is signed by the developer's key, it cannot be upgraded via F-Droid, because the keys differ. Users would need to uninstall and reinstall the app, which is painful, especially for apps with a lot of configuration (an email client, say). The solution is similar to the verification server idea, though it is more complicated. By using reproducible builds, F-Droid can verify that a package signed by the developer's key is the same as what was built from source. It can then distribute both the developer-signed package and the F-Droid-signed package. The problem is that, unlike the verification server, F-Droid does not directly control the build environment for all of the app developers, so build reproducibility will be impacted.

Once the package is signed, there needs to be a way to get the metadata across the internet to the client that may be in a hostile environment. The client will only trust metadata that is signed with the F-Droid key (or the key for another repository that the user has chosen to add). That metadata contains the hashes of the binaries, as well as the usual description, version number, and the like, so it is important to ensure it is not tampered with.

A feature that has not been added yet, but should be coming soon, is to add per-ROM certificates so that one of the ROMs can ship F-Droid with the ROMs certificates pre-installed. That will allow users to get apps and updates directly from the distribution. Any certificates that are not installed with the F-Droid app can be accepted on a "trust on first use" basis.

F-Droid respects privacy by not requiring accounts and by sending everything over HTTPS. In addition, it has first-class support for Tor and other proxies. Another thing the project cares about is not leaking information about browsing and searching for packages, which is why they are done locally. Beyond that, the metadata contains all of the supported languages as well, so that the server does not get any information about the user's language setting.

There is support for repository mirrors, though the official F-Droid repository does not have any at present. However the Guardian Project has a half dozen for its repository. Those mirrors are on lots of popular domains (e.g. amazonaws.com, githubusercontent.com, gitlab.com), which makes it harder for a repressive regime to cut off access. The Guardian Project calls this "collateral freedom", Serwylo said.

Installing a new app is done by downloading it from the server and then checking the hash in comparison to the value in the metadata. That way F-Droid can detect if the package has been tampered with. When it is doing that check, however, it needs to ensure that it does not use Android's external storage. Otherwise, any app with the proper access could replace the package after the hash check but before F-Droid has requested that it be installed.

Google Play is able to install apps via "magic", he said; it is a blessed app with special privileges that few other apps have. This is where the privileged-extension comes into play. By installing that, you can give F-Droid the same level of blessing so that it can install apps. Otherwise users must enable installation from unknown sources ("a euphemism for 'not Google Play'", he said). The problem is that enabling that means that other apps can also request package installation, "which is a little scary". Later versions of Android allow giving that permission to individual apps, which makes things a bit less scary.

The project has put a lot of thought into freedom, security, and privacy, he said. Little of what has been done is truly new, in some ways it is rebuilding infrastructure that already exists, but the project started small and grew organically over time. He hopes that F-Droid will help people start thinking about their phone as their own device, where they can securely install their choices, rather than a kind of disposable device that they get from Google and other providers and move on from in a year or two.

A video of the talk in multiple formats is available from archive.org.

[I would like to thank LWN's travel sponsor, the Linux Foundation, for travel assistance to Sydney for LCA.]