Recommend F-Droid Basic over Neo Store

[jonaharagon]

Changes proposed in this PR:

• Recommend the first-party F-Droid Basic client now that it supports unattended upgrades.

• I have disclosed any relevant conflicts of interest in my post.
• I agree to grant Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform, relicense, and distribute my contribution as part of this project.
• I am the sole author of this work.
• I agree to the Community Code of Conduct.

[privacyguides-bot]

This pull request has been mentioned on Privacy Guides. There might be relevant details there:

https://discuss.privacyguides.net/t/recommend-f-droid-basic-instead-of-neo-store/14311/2

[netlify]

✅ Deploy Preview for privacyguides ready!

Name	Link
🔨 Latest commit	b69edfe
🔍 Latest deploy log	https://app.netlify.com/sites/privacyguides/deploys/65429b6ada46a200087748ac
😎 Deploy Preview	https://deploy-preview-2293.preview.privacyguides.dev
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
Lighthouse	4 paths audited Performance: 74 Accessibility: 91 Best Practices: 98 SEO: 88 PWA: - View the detailed breakdown and full score reports

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[dngray]

Agreed, I think the language can be softened a bit as they have made some progress according to their blog.

[matchboxbananasynergy]

Agree with the change, though the unfortunate thing is that the F-Droid apps don't have a way to show you an app's targetSdk, which is what I personally liked about Neo Store, since F-Droid doesn't remove or hide apps with old targetSdk levels, and as far as I'm aware also doesn't prevent them from getting on to the store/updating their apps. Being able to see what the targetSdk level is at a glance is quite significant.

[dngray]

@matchboxbananasynergy iirc, that was the original and main reason for not really recommending F-Droid as much as we used to initially. As F-droid allows apps with lower-API levels, that means weaker sandboxing for those apps, than if they were in Google Play etc.

[dngray]

I think if we remove the privsec link here we should mention that apps in Google Play have to target a higher API level, and therefore have stronger sandboxing. We should perhaps show this article https://developer.android.com/google/play/requirements/target-sdk

[jonaharagon]

A forum member pointed out that F-Droid Basic does show a warning on apps with a low target SDK. My understanding is that minimum target SDK for when this warning will appear will advance similarly to Google Play's policy with each new Android release:

The app that's being installed targets API level 29 (Android 10) or higher. (Google notes that the target API level requirement will advance in future Android versions, a policy that's in line with Google Play policy on API target requirement.)

https://www.xda-developers.com/android-12-alternative-app-stores-update-apps-background/

[privacyguides-bot]

This pull request has been mentioned on Privacy Guides. There might be relevant details there:

https://discuss.privacyguides.net/t/remove-note-about-getting-f-droid-apps-from-obtanium/14440/4

[dngray]

that F-Droid Basic does show a warning on apps with a low target SDK

It looks like it does, but it only says that it won't auto update. I think we should mention something which summarizes:

Every new Android version introduces changes that bring security and performance improvements and enhance the Android user experience. Some of these changes only apply to apps that explicitly declare support through their targetSdkVersion manifest attribute (also known as the target API level).

[jonaharagon]

I really don't see that change as critical given that:

1. We say:

   Additionally, the requirements for an app to be included in the official F-Droid repo are less strict than other app stores like Google Play, meaning that F-Droid tends to host a lot more apps which are older, unmaintained, or otherwise no longer meet modern security standards.

2. We also say:

   You should use your best judgement when looking for new apps via this method, and keep an eye on how frequently the app is updated. Outdated apps may rely on unsupported libraries, among other things, posing a potential security risk.

3. F-Droid Basic displays a prominent warning on apps with a low SDK, and that the cutoff to display that warning automatically increases with new Android releases

So... I don't know how to word the additional changes you're suggesting to fit it in cleanly on the page tbh, but if you want to commit a change adding that somewhere you think is best, that's fine w/ me.

[dngray]

That is fair I guess.

Maybe we should say:

modern security standards.

[blacklight447]

Looked it over, everything looks perfect.

[privacyguides-bot]

This pull request has been mentioned on Privacy Guides. There might be relevant details there:

https://discuss.privacyguides.net/t/v3-17/15136/1