F-Droid: The privacy-friendly alternative to Google Play Store
At Google Play Store you can find millions of apps. But you need an account to install and use them. That enables the „omnipresent data kraken“ to collect a lot of information on its users; and privacy isn’t exactly its priority. Not to talk about all those trackers to be found in more than two thirds of the apps listed there. With F-Droid there’s an alternative that respects the privacy of its users, and even makes it a priority to protect it.
In this series:
- Part 1: The privacy-friendly alternative to Google Play Store
- Part 2: for advanced users and developers
- Part 3: Your own F-Droid Repository with Repomaker
- Part 4 (external, by Nico Alt): Trust is good, control is better: Reproducible builds at F-Droid
more F-Droid articles at IzzyOnDroid:
- IzzyOnDroid’s F-Droid Repo with additional functionality (1/2018)
- Unofficial (and incomplete) list of F-Droid repositories (regularly updated)
What is F-Droid?
F-Droid is an alternative „App-Store“. As with Play Store, you can browse apps and install them unto your device. It has a website you can visit with your browser – and a client app for your Android device, taking care for installing and updating your apps.
But other than with Google Play Store you won’t need an account: you access it „anonymously“. The server only gets to know your IP address1 (you can’t download things otherwise) – which implies there can’t even be an age check; but neither did I see an app on F-Droid that made me think such check would be needed. That means, there’s no such filter either. All interaction happens locally in the client: browsing the lists, searching for apps, displaying details – all that happens using an index of available apps which has been downloaded from the server. Only icons and screenshots are „loaded live“ from the server.
Other than Google, F-Droid doesn’t make money with ads, and neither is obsessively interested in all the users’ data for any other reason. No data is collected, not even the server logs are archived but instead pruned regularely. Behind the „App-Store“ is the non-profit organisation F-Droid Limited. Further you’ll only find free apps with F-Droid: FOSS, i.e. Free (no cost, no limitations or restrictions, full freedom in use) and Open Source (the source code is freely available and accessible) Software – „Payed Apps“ you will look for here in vain. Often one can support the developer with a donation – and thus motivate her/him to keep up the good work. And of course you can donate to F-Droid itself as well, so its volunteers can have a beer now and then
How secure is it?
Often enough you hear and read: „Thou shalt only install thy apps from Google Play Store as only this is safe.“ But that is, at least for a big part, mostly „Google PR“. Of course you shouldn’t grab your apps from completely strange sources (websites, P2P services, pirate sites). But there are other safe sources. Not only in my opinion, F-Droid even is a safer place – security expert Mike Kuketz even recommends to avoid Google Play Store altogether and switch to alternatives like F-Droid.
At F-Droid, apps go through a security control: with the source code of each app freely available (or it won’t be taken in to start with), it can be investigated. If there are any „proprietary elements“ (parts which have their code not open sourced), or components violating the users’ privacy (e.g. tracker like Google Analytics or miscellaneous ad modules), the app is rejected. Did it pass all tests, the F-Droid team will compile it using the checked source code and sign it – so you can be sure you get what has been approved of.
Checking the source code involves multiple stages. There are automated processes looking out for „unwanted ingredients“ – which means black-lists (forbidden stuff) as well as white-lists (explicitly allowed places to import libraries from). And even if it passed all those routines and is marked „clean“ by them, it’s a human staff member who manually triggers the „final approval“. That this works is a.o. confirmed by a study dated September 2017: The only of the 27 Android „market“ platforms examined and found without any kind of adware or malware found on was F-Droid – while e.g. at Google Play Store they found about 2% Malware.
Nice side effect: As apps come without unnecessary ballast like trackers or ad modules, they are much gentler to your device’s resources: the battery lasts longer, as does your data plan. According to another study, apps eat up to 75% of the resources just for tracking and advertizing.
Another argument for the platform’s security is the conduct of Security Audits by external experts – which up to now always confirmed the core security model and standard operations as sound.
What about its choice of apps?
With F-Droid solely accepting fully open source software, not even permitting the use of proprietary libraries in apps, you won’t find most of Play Store’s apps here: most developers are not willing to adjust their code accordingly or generally making their source code open. So the number of apps with less than 2,000 is much lower than the millions available at Google Play. Nevertheless you’ll find a fitting app for most things. Prominent examples:
- Navigation: OSMAnd~ (payed at Playstore), Maps (a free variant of Maps.Me)
- Traffic: Oeffi, Transportr – both for connections in public transport
- Mail: K-9 Mail, Tutanota, FairEmail
- Internet: Firefox Klar, Fennec, Nextcloud, DAVDroid, AdAway, Net Monitor
- Messengers: Silence (encrypted SMS/MMS), Conversations (XMPP), Riot
- File manager: Amaze, AnExplorerPro, Ghost Commander
- Office: Markor (Notepad with Markdown support and more), LibreOffice Viewer
- Social: Tusky, Mastalab (Mastodon); twitlatte
- Media: NewPipe, SkyTube (YouTube clients); AntennaPod (podcasts)
- Image viewer: A Photo Manager, Camera Roll
- Photos: FineGeotag, Open Camera
- Smartwatches & Fitnesstracker: GadgetBridge (also see Smartwatches and privacy)
What to do if I encounter problems with it?
Should something not work as expected, you can contact the F-Droid team directly:
- General: IRC (Internet Relay Chat) on Freenode.Net, Channel
#fdroid; F-Droid Forum
- Problems with the F-Droid Android App: Issue-Tracker for the Android Client at GitLab
- Problems with the F-Droid Website: Issue-Tracker for the F-Droid Website at GitLab
- Suggest missing apps: Issue-Tracker „Requests for Packaging“
These are no robots where, after filling a form, you maybe receive an auto-reply made up of boilerplates. All the given sources will get you in direct contact with the members of the F-Droid team. And users help each other there, too.
On the other hand, if you run into problems with an app you’ve installed from F-Droid, you’d rather seek contact with the developer of that app. For that, app descriptions contain a link to the corresponding issue tracker (if there is one) or some other place where you should find the corresponding developer.
How do I get F-Droid running on my device?
In the rarest cases you’ll find the F-Droid app pre-installed on your device – e.g. on smartphones made by the German company SHIFT, or a Fairphone that came with the Fairphone Open OS. Technically adept users also find it coming with some „custom ROMs“ (adapted firmware) like Replicant, CopperheadOS or LineageOS for microG; further there are generic ROMs for devices supporting Android Treble. If you use one of those, you can skip the following paragraphs. Otherwise, it’s your turn to install it manually.
There’s only one: you need to enable installation from „unknown sources“ on your device; as shipped Android only accepts one source: the Google Play Store. Doing so is often described as massively risky – which is quite a bit exaggerated: even with this enabled, each installation has to be manually approved by the user. Details are described (in German) e.g. at MobilSicher.
Up to (and including) Android version 7 aka „Nougat“, this is a global switch: you either allow it generally or not at all. Starting with Android 8 (Oreo), the risk is minimized even more: it’s now a per-app-switch. So in our case, you only need to permit it for the F-Droid app – as you want to use it to install other apps.
If you are technically adept, you take the shortcut: Download the APK file2 from the F-Droid Homepage, and install it using
adb install org.fdroid.*.apk. Done. If you have no clue what this means, you’ll need to read on and follow the more verbose steps:
After you’ve activated „unknown sources“3 open the browser on your Android device and go to the F-Droid Homepage at https://f-droid.org/. There you’ll find a blue button labeled „Download F-Droid“, which you tap. To ensure this wasn’t done accidentally, Android will ask your confirmation. Once the download is completed (which is indicated by the little download arrow in the status bar stopping to blink) open the notification area (by pulling down the notification bar) and tap the entry stating the download has been completed.
This now opens the app Installer, which is part of the Android system. It will ask you whether to install the app – which you of course confirm in this case. After the installation is completed, it will show you an „Open“ button to start the app.
First Start: Setup and Use
The first start will present you with an almost empty screen – and a little message telling you that package sources are being updated. As described, the app will use a local index with available apps – which it first needs to download from the server. This will use about 1 MB of data. That completed, the empty screen will be filled and show you recent apps. Don’t be confused that all apps will now show the same gray F-Droid icon: the real one will be loaded with a little delay, and then become visible automatically.
Browse the Catalog
To find an app you of course could scroll the entire list – but even with slightly less than 2,000 apps this is a bit time consuming. If you already have an idea what you’re looking for you can use the „floating magnifier“: enter your search term, and the list will be filtered accordingly. Alternatively, you could also use the categories to narrow down candidates: just tap the corresponding icon (in the bar at the bottom, the second from the left).
To see what apps you already have installed from F-Droid is a bit less intuitive: you have to go to Settings, using the right-most icon in the bar.
The settings have quite good default values; the „average user“ will hardly need to change anything here. But good to know you can, if need arises. Most items are pretty much self-explaining, so I’ll only explain a few. For the option names I’ll go by the (German) screenshots, putting the (English) meaning in parenthesis behind:
- Installierte Anwendungen verwalten (manage installed apps): Here you find the apps installed on your device which are available at F-Droid (most because you installed them from there). You can also use this to uninstall one of them.
- Paketquellen (repositories/package sources): For advanced users and hence explained in a following article. In short: next to the „official F-Droid repository“ there are many third-party-repositories you can use.
- Aktualisierungen (updates): Default setting is to use mobile data only if you actively try to install an app; everything else (like updating the index) will only happen when connected to WiFi. If you have an unlimited data plan, feel free to push the slider for that to the far right to permit everything on mobile data.
- Inkompatible Versionen einbeziehen (also show incompatible versions): Usually uninteresting, as you couldn’t install them anyway. But helpful if you want to find out what‘s available in general..
- Anti-Feature-Apps einbeziehen (include AntiFeatures): Do you only want apps that are „absolutely kosher“, leave this off – and only see fewer but clenar apps. If you turn this on you of course will be able to distinguish affected apps: the „Anti-Features“ will be shown in their details. For example, that it „advertizes unfree services“ (if it, as e.g. Yalp Store, is intended to access the Google Play Store. Or it is unlikely it will receive any future updates, as the source is no longer freely available or the project shut down. A list of AntiFeatures can be found in the F-Droid Wiki.
- Name Ihrer lokalen Paketquelle (name of the local repo/package source): how your device is named on your peer’s device when using App Swap
- Notfallknopf-Einstellungen (settings for the emergency button): Using an app like Ripple you can trigger „emergency actions“: Do you e.g. remember having sensitive data on your device when entering border control at the US or Australia and just see border control collecting devices to investigate, you can arrange „necessary steps“ with the tap of a button. The F-Droid app offers to hide itself then.
So what about updates? Playstore does that automatically. And F-Droid?
In the Settings we‘ve seen an item dealing with this: in the interval defined (by default once daily) the app will download the index and update it locally. If updates are found (including for the F-Droid app itself), the user will be informed (with a notification). If you configured it such, the update will also be downloaded automatically – so you dont have to wait for that when finding out.
But as long as F-Droid wasn’t installed as system app but just the way described above (which is all you can do without root access), it isn’t permitted to install or even updates automatically – which is a security precaution. In a later article of this series intended for advanced users, I will show a way to work around this.
This feature enables you to exchange apps with other F-Droid users near to you (hence the icon is labeled „Near“) – without Internet, without any other server involved. Apps to exchange do not necessarily need to come from F-Droid: you can share all apps installed on your device. And don‘t you fear: your „peer“ doesn‘t see all apps you‘ve installed, only those you selected to share. It’s not „I take it“ but „I give it“ – sending, not pulling.
„Who would neet that?“ It’s not only interesting to save roaming costs on vacation. In some areas the network is, put euphemistical, „a little shaky“ – or when available at all, quite pricey. An example would be Cuba, where F-Droid shares it repository this way. Moreover it’s sometimes easier to simply share an app that way with a friend – so the friend doesn’t need to search for it in some store. Or if you want to transfer apps to a new device – though that would leave out their settings and data.
Compared to Google Play Store, the number of available apps on F-Droid may be rather managable – but most important things can be found here, too. Summing up one could say: „A little step for app choices – but a big step for your privacy“. And concerning security, F-Droid is definitely not „left behind“. Your Android device will also reward you with a longer lasting battery and smaller data usage, thanks to the lack of trackers and ad modules. In addition you have real human contact when problems arise. A clear recommendation!
which wont be kept; server logs are not archived ↩︎
The abbreviation „APK“ stands for „Android PacKage“ and means an archive format used for distribution and installation of Android Apps. From the technical point of view it is a ZIP file with a specific structure, as described at Wikipedia.
F-Droid as well as other Android app-stores provide apps using this format, where clients download and install them. ↩︎
for F-Droid you can ignore this warning with a clear conscience: as shown, this is a safe and secure source. If you still have doubts, turn it off again when the installation is completed – but then you’ll need to toggle it again for each install and update from within F-Droid. With Android 8 and up, only permit „unknown sources“ for F-Droid itself, and no need to worry. ↩︎