I’m note a programmer. I Don’t Understand Codes. How do I Know If An Open Source Application is not Stealing My Data Or Passwords? Google play store is scanning apps. It says it blocks spyware. Unfortunately, we know that it was not very successful. So, can we trust open source software? Can’t someone integrate their own virus just because the code is open?
I’m curious, how does F-Droid detect malicious codes within an app?
From what I know, F-Droid compiles apps from source so you can be sure that the code you’re running is actually made from the source code that it claims to be built from. On most other platforms, the developers could be uploading malicious programs that actually have the code changed from what’s shared online as its source code. Then add the fact that other developers can and do look at the code, and what changes are made from version to version.
Part of it is automated, part of it is real people looking at the source code. That’s done by sampling of course, since it’s not feasible to have someone manually look over every new update to every app.
Yeah. I haven’t looked it up, but a huge part seems to be manual labor. They have a good look at it when it gets included into the f-droid repository. The app then gets re-packaged to meet their standards and compiled from source. During this process tracking libraries and other (proprietary) components get stripped.
They have an automated build server. I’m not sure if that does any additional tests or just checks if it can build the app. But this also prepares the updates.
I doubt there are automated antivirus scans involved. Usually only windows users do that.
And you have a community with many other users who use the same build of an app. They’ll file bugreports and maybe notice if an app stops working or starts consuming huge amounts of data and battery. Those users also tend to be more tech-savy than playstore users.