IzzyOnDroid Android App Repository
This is an F-Droid style repository for Android apps, provided by IzzyOnDroid. Applications in this repository are official binaries built by the original application developers, taken from their respective repositories (mostly GitHub).
If you are an open-source developer and wish to have your app(s) included, you are welcome to contact me. Ways to do that can be found e.g. in the Imprint at the IzzyOnDroid Android site.
If you still wish to use this repository with your F-Droid client, this is the URL you should use to add it:
How do apps come into this repo?
From time to time, I check on GitHub for repositories featuring Android apps which are not part of the main F-Droid repository, but have files along with the code. If such an app seems useful, has been updated not too long ago (at least within the last 12 months), and seems legit, I take a rough look at the .apk file (do the permissions look appropriate, are there any „crazy indicators“ making it look strange) – and if it passes, it
Of course I won't find them all: some serve their along with the releases/ (which I favor), some simply have them amongst the repository files (acceptable), some do not have any at all, and I'm afraid I've missed a lot. So I'm open to suggestions. Good candidates meet most of the following criteria:
- They are preferably hosted at GitHub. Code and .apk files must be available.
- .apk files are preferably located in the releases/ tree and are properly tagged. In this case, I can catch updates automatically.
- The repository should have a proper description so it is clear what the app is.
- They should be apps for end users (so no libraries, proof-of-concept demos, etc.)
- .apk size should not be too big. 2-5 MB are fine, up to 10 MB is acceptable. Anything above 10 MB is an exception (there must be a really good reason), and my current „hard limit“ is 20 MB.
- I usually exclude games and some other „special interests“. But that's not absolute.
What about updates?
Read between the lines above: if the .apk files are served in the releases/ tree and are properly tagged for all versions, I have a script that runs automatically at regular intervals to check for and download updates. For those apps, it works pretty well. Some other apps must be checked manually, which I don't do on a regular basis (but those are few).
How many versions are kept?
Usually up to 3 versions per app are kept in the repository, but in sum they shall not occupy more than 20 M per app (see „hard limit“ above). If a newer version is released after that, the oldest version is automatically purged. And no, I currently do not plan keeping a second „Archive Repo“ for older versions.
Do apps get removed from your repo?
This indeed may happen. Apps might get „kicked out“ if it gets obvious something „bad“ slipped in – e.g. by users reporting bad behavior of an app installed from here.
I might also decide to drop an app which hasn't been updated for more than a year, or has lost its value for other reasons (e.g. the service behind it went out of business). But generally, I plan no „purge actions for dubious reasons“. In particular, I don't have a policy of excluding Ad-Blockers and the like ;)
What about security?
For this, two actions are taken:
Apps are scanned for malware, using the services of VirusTotal. VirusTotal currently runs more than 50 engines to check files, which is quite some coverage. However, results differ between engines: some are more prone to „false positives“ than others, and some even report ads as malware (we might tend to agree on that). So results might look different – and here's how they are presented for each file:
- pending: This file was just added to the repo, and currently is enqueued for the scan. You should rarely see this, and usually it will be replaced within hours.
- Passed: This file has passed all scans, and no malware has been reported. That's what you should see in most cases.
- Notif: One scanner has reported a finding. As this means that 50+ others did not report anything, this can be given the benefit of the doubt as a „false positive“ (in dubio pro reo). If you want to make sure, click the term to visit the VirusTotal result page for details. In many cases, you will just „roll your eyes“ then (as usually this is WhiteArmor reporting a „PUA“, Potentially Unwanted Addon).
- Warning: More than one, but fewer than five scanners reported they've found something. Please click the term to go to the result page and check. Again, these are mostly (and hopefully) just „false positives“.
- Alert!: This one you should see almost never. It means that five or more scanners reported findings. Such a file will usually be quarantined ASAP (the app might be unlisted for that), and the case investigated. In very rare cases, the file might still stay, and an explanation be added: after all, we cannot do anything about failing scanners. But for that to happen, a good foundation must be there which can be trusted. A good example for such a case is an app testing your device for vulnerabilities (search the repo e.g. for VTS): as it imitates malware, scanners are bound to fire.
Except for the „pending“ shield, the label will always link to the corresponding detail page at the VirusTotal website. Feel encouraged to check that. If a file is marked by a yellow or red shield, also check the app's description, which might hold further hints. Sometimes a finding might be „normal“ (e.g. a vulnerability test suite could easily trigger a „false alert“, as described above). Moreover, some scanners treat a „PUA“ (potentially unwanted addon/application) as an alert – as indicated above.
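The shield thresholds above, written out as an added example (this is not the repository's own script). The report layout is modelled on a VirusTotal v3 file report; counting the „malicious“ and „suspicious“ categories as findings, the action names and the exception list are assumptions, and all sample data is constructed.

```python
# Added example, not the repository's own code. Sample data is constructed.
FINDING_CATEGORIES = {"malicious", "suspicious"}  # assumption: what counts as a finding


def shield(report, file_id=None, exceptions=None):
    """Return (label, flagged_engines, action) for one APK's scan report."""
    results = None
    if report:
        attrs = report.get("data", {}).get("attributes", {})
        results = attrs.get("last_analysis_results")
    if not results:  # no verdicts yet: the file is still enqueued
        return "pending", [], "wait"
    flagged = sorted(
        (engine, verdict.get("result"))
        for engine, verdict in results.items()
        if verdict.get("category") in FINDING_CATEGORIES
    )
    hits = len(flagged)
    if hits == 0:
        return "Passed", flagged, "keep"
    if hits == 1:
        return "Notif", flagged, "keep"
    if hits < 5:
        return "Warning", flagged, "review"
    # Five or more engines: quarantine unless a documented exception exists
    # (hypothetical `exceptions` maps a file id to the published explanation).
    if file_id in (exceptions or {}):
        return "Alert!", flagged, "keep-with-explanation"
    return "Alert!", flagged, "quarantine"


def make_report(hits, clean=50):
    """Build a constructed report: `hits` flagging engines, `clean` silent ones."""
    results = {f"CleanEngine{i}": {"category": "undetected", "result": None}
               for i in range(clean)}
    results.update({f"FlagEngine{i}": {"category": "malicious", "result": "PUA.Sample"}
                    for i in range(hits)})
    return {"data": {"attributes": {"last_analysis_results": results}}}


if __name__ == "__main__":
    for hits in (0, 1, 3, 6):
        label, flagged, action = shield(make_report(hits))
        print(hits, label, action, [engine for engine, _ in flagged])
```

Returning the flagged engine names alongside the label keeps the single-engine „Notif“ case reviewable without opening the full report.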
APK files are also checked for libraries they are using. This is done locally, using LibRadar (plus some additions of mine). Findings are grouped into three categories:
- Libraries: These are usually development tools and libraries for „common tasks“ like parsing structures or dealing with network connections. Maps and social networking also fall into this category.
- Payment Modules: Basically, „all things money“. This is usually for in-app purchases, but could also be for „money transfers“.
- Ads & Analytics: Our favorites. Software being free and open source doesn't mean the compiled app cannot have some extras. Usually, if there are ad or analytics modules, that's also pointed out in the „AntiFeatures“ in the app description.
You will not only find the categories and names of libraries, but also some additional details: the most interesting part here is which permissions they were found to access. Where available, a link is given to their respective websites/pages. Additionally, for most of the libraries there are further details available, indicated by an icon and revealed by clicking on it:
- To not „get lost“ in long lists (some apps integrate 60 libraries or more), those you probably want to take a closer look at are emphasized.
- Webbkoll tells you how privacy-friendly the site is.
- SSL Labs tells you about the HTTPS security measures taken (spoiler: as of this writing, it got an A+ rating).
- Mozilla Observatory tells you how secure a site is set up. Spoiler again: as of this writing, we get 110 out of 100 points here, another A+ rating.