Add Android app repositories

[hugoncosta]

As of now, the page only provides open source ROMs, as you can see here: https://www.privacytools.io/#mobile_os

First of all, I believe we should include a message right after the title, like you can see on some of the sections, warning users about the use of Google Apps (which are sometimes necessary for the rom to boot).

Second, we should refer to other markets where you can get either Open Source apps (like F-Droid) and/or platforms to download apks without the Play Store (such as APKMirror). Or we could link FOSS alternatives to essential apps (such as Phone, Calendar, Navigation).

[kewde]

GApps warning: sounds good.

The application distribution marketplaces are outside the scope of the mobile OS section. I think a new section has to be created for that.

[hugoncosta]

#344 on the GApps notice.

About the new section, what should it be? Mobile Apps? Mobile App Markets? Mobile App Sources? Or should we just keep it like this for now? On second thought, I think that if we delved into apps, we'd probably need to do the same for computer OS, and that'd be way too much info.

[kewde]

I'd focus on getting application distribution apps on here (see F-Droid) and maybe a list of external/additional F-Droid repo's aimed at security and privacy..

[ghost]

+1 for F-Droid
+1 for G-Apps Warning

I also suggest the MicroG fork of LineageOS which has F-Droid and MicroG built-in.

[Mikaela]

Related: https://github.com/privacytoolsIO/privacytools.io/issues/849

[IzzySoft]

For F-Droid, be welcome to link to my site (disclosure: I'm one of the maintainers), where I have a blog series on it – starting with F-Droid: The privacy-friendly alternative to Google Play Store (other articles are linked from there). Moreover, F-Droid isn't just one central place – there are multiple 3rd party repositories available as well (for a list, see e.g. Unofficial (and incomplete) list of F-Droid repositories), like my own – which is to the F-Droid main repo something between what nonfree and testing is for Debian: IzzyOnDroid’s F-Droid Repo with additional functionality.

Besides, my "blog" has multiple other articles on this topic (apps & privacy) which might be interesting in this context – like

• Privacy and permission friendly apps
• Android without Google: Where do I get my apps now?

</ShamelessSelfPromotion>

[ghost]

availability advantage on F-Droid

Note as well that F-Droid is inclusive of all Android users.

The Playstore app is proprietary and only licensed to run on Androids where it is factory installed. Cheap Androids from China often do not have the Playstore app and it is both difficult and illegal to install it.

security

Scientific study showing F-Droid to come out ahead on security =>
https://nsl.cs.waseda.ac.jp/wp-content/uploads/2018/04/submitted_wama2017.pdf

APK mirrors dicey

platforms to download apks without the Play Store (such as APKMirror)

A lot of APK mirror sites are in CloudFlare's walled-garden of privacy abuse so we'd need to avoid linking the CF ones.

[ghost]

@IzzySoft

there are multiple 3rd party repositories available as well (for a list, see e.g. Unofficial (and incomplete) list of F-Droid repositories), like my own – which is to the F-Droid main repo something between what nonfree and testing is for Debian: IzzyOnDroid’s F-Droid Repo with additional functionality.

I suggest moving your repo off https://gitlab.com/IzzyOnDroid/repo/, due to gitlab.com privacy abuses. Notice in that thread it was just announced that PTIO will have their own Gitlab instance, which will hopefully not treat Tor users with the hostility of CAPTCHA hell. That may be a more suitable place.

[IzzySoft]

@libBletchley I long time considered moving it to Codeberg (even before it was named such, and even before information on it was public). But I decided having it in the same place as the official F-Droid stuff is – for reasons of cross-reference, cross-working (who has an account on one can use it on the other, which eases assignments etc.). I already mirror most of my stuff at Codeberg, and other stuff at home (both use Gitea). Unfortunately, mirroring only works one direction.

I've addressed GitLab multiple times on that reCaptcha stuff and told them I won't count buses, storefronts or solve other puzzles as I have no time for that shit (sorry, but really). Should F-Droid go, I go along (and Codeberg would love to have us). But F-Droid uses a lot of GitLab specific features (including CI stuff), which is what holds us back currently.

Oh, speaking of which: Codeberg would fit in your lists quite fine. I know several members of the team personally, they are very privacy focused. So maybe you'd consider moving there as well – away from an MS hosted store? Codeberg would be the perfect match for PTIO. And you could focus on your main task without dividing power to maintain your own GitLab instance. Keep it in mind; and once issue-migration and MR-migration problems are solved at Codeberg, be ready to make the step 😄

[Mikaela]

Are you familiar with IPFS by the way? They are making package managers their top priority for this year and I have opened an issue about F-Droid (ipfs-inactive/package-managers#39) and noticed there being at least one mirror on it (even if it's currently down).

[ghost]

@IzzySoft
I recall finding an bug or issue with F-Droid, but opted not to report it because I couldn't be bothered to go through the Gitlab CAPTCHA hell and then the series of email address rejections until it accepts one. I wonder how many bugs go unreported because of that.

Thanks for the suggestion about Codeberg. I've added that to the proposed list of privacy-respecting Github/Gitlab alternatives, although it looks like PTIO is unwilling to leave MS Github.

[IzzySoft]

@libBletchley that's why we sometimes get issues mailed, and then either solve them straight (the easy ones) or file them ourselves. Luckily doesn't happen that often – but yes, I see the issue (and certainly don't like it).

I threw in my 2 cent on the issue you just referenced. Might sound like lobbying, but it's for a good cause – and I really mean what I say (someone said about me that if I'm convinced about something I can sell ice to Eskimos and sand to beduines – and here I am convinced). So if PTIO is open to investigate, I'd see to solve open questions, like PTIO's requirements and how they'd be met (or could be made met) – ideally by bringing one of the Codeberg crew into the discussion, to avoid ping-pong.

[blacklight447]

i get a bad feeling about actually recommending repos rather then individual pieces of software, becuase they can change fast overtime, and include things we as privactools.io may not really agree with/stand behind. i love to get some more thoughts on this from everyone here!

[IzzySoft]

@blacklight447-ptio I second your concern. Though I can assure you that neither F-Droid nor I will change our stance on privacy (I even kick out apps if an update violates the repo's principles – like an app dealing with sensitive data suddenly adding trackers – as soon as I notice, and there's a daily cron job that should report such things to me). I'm pretty sure the same can be said about microG.

And it would certainly be helpful for people to know where to look for some app not yet mentioned explicitly by PTIO. Such a listing could of course be accompanied with a "warning" message that you cannot vouch for all content there (but have a "general good feeling" about the listed repos).

Again, just suggestions. No bad feelings whatever the final decision might be (even if only my repo would be excluded while the other two get listed 😉)

[blacklight447]

I would recommend for now to start listing the F-droid app under our android recommendations, and later start a separate investigation on whether we should include third party repo's. I will soon create a PR for this.

[dngray]

We would really rather the apps be in F-Droid where they can have reproducible builds. Closing.