• c0mmando@links.hackliberty.org
    link
    fedilink
    arrow-up
    0
    ·
    1 year ago

    The diminished security resulting from the increased likelihood of a (single point of failure) supply chain attack.

    Yes its possible for malicious devs to trojan apps, but due to apk signing it is much more difficult for a third party entity to induce a supply chain attack, which is my real concern when it comes to phone security.

    If you have a lower threat model, this post isn’t for you…

    • I don’t see how supply chain attacks on F-Droid are any different from other app stores. Supply chain attacks would also attack the APK compiled on a deb’s machine.

      Also, APKs are signed on Google’s servers, devs don’t have control over those signatures anymore, unless they distribute their APKs through other means (which would impose similar if not worse risks compared to F-Droid, of course).