this post was submitted on 11 Aug 2023
77 points (93.3% liked)

Open Source

31197 readers
206 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
 

I've come to realize that a lot of foss android apps are pretty outdated and usually abandoned. Is that even safe to use? Like even the fdroid archive repository, are those safe to use? I'm still rather new to the foss world, but in my mind it seems a very outdated app is probably not safe or am I missing something here?

top 23 comments
sorted by: hot top controversial new old
[–] [email protected] 73 points 1 year ago (1 children)

It depends on the app. A local markdown editor without any network functionality? Probably safe. A password manager with online functionalities? I would look for something else.

[–] [email protected] 5 points 1 year ago (1 children)

What about yet another call blocker? Seems that involves more sensitive info obviously

[–] [email protected] 6 points 1 year ago* (last edited 1 year ago)

It gets the number that's ringing and compares it to a database it downloaded. It's not doing anything with your sensitive data.

At most if you decide to check online reviews against a number it'll search the phone number online, but you get a warning beforehand and you don't have to do that.

[–] [email protected] 20 points 1 year ago (2 children)

These are code health smells. Looking for the activity in a repository the number of contributors, the frequency of updates, these are all let you get a feeling for how well cared for a project is. Sometimes that doesn't matter, but it is definitely something you should factor in.

[–] [email protected] 7 points 1 year ago (2 children)

For any app that isn't network-facing and that works with protocols that haven't been changed in a long time, there is no point worrying over how "active" the development is on an app. If nothing has been broken, then nothing needs fixing. My music player has had all the features it needs for a decade, and continues to work to this day. Why change a good thing?

[–] [email protected] 2 points 1 year ago

For those kind of apps I'd love to see like a heartbeat commit. Everything's fine. 2020 nothing to change. All's working well. Just code smell

[–] [email protected] 1 points 1 year ago (1 children)

Gotcha. But what's stopping cyber criminals from seeing these abandoned repos and possibly taking over and implement malware or what not

[–] [email protected] 4 points 1 year ago (1 children)

Have you ever used Github? People can't just push code to the main repo.

And all submissions to F-Droid are checked for this kind of thing.

[–] [email protected] 1 points 1 year ago (1 children)

I mean yes I use github for reference and sometimes downloading but I don't actually know a whole lot about it like push and pull requests and what not, as I haven't found a need to learn it yet. So what you're saying is to basically download apps from github instead of fdroid to ensure you get the latest?

[–] [email protected] 3 points 1 year ago (1 children)

No, I'm not. I'm saying that downloading from F-Droid is perfectly safe, as they verify all updates before putting them on the repo.

[–] [email protected] 2 points 1 year ago

Ohhh I understand, thanks

[–] [email protected] 1 points 1 year ago (1 children)

So just because fdroid says an app hasn't been updated since 2020, that doesn't necessarily mean its not being maintend or is abandoned?

[–] [email protected] 2 points 1 year ago

Its a strong indicator it isn't being maintained, and it is abandoned. But its not a guarantee, some code is very mature, but its the exception rather then the rule

[–] [email protected] 13 points 1 year ago* (last edited 1 year ago) (2 children)

I look at the latest release date. At leisure time, I would also go and check repository and issue tracker to see whether something serious is being ignored. If it's crucial for business, I would spare time investigating the source code itself.

I would not necessarily say that many apps uploaded to F-Droid and other repositories are unsafe, because I don't have all that energy to audit anything I use. What helps me to stay on the safe side is reading into things - enclosed descriptions and names may look like a small factor to some, once they tread the sources, but it saves me both the time and trouble. Sloppily written stuff usually implies a sloppy code, a lax attention to details on the developer's side.

[–] [email protected] 2 points 1 year ago (2 children)

Good tips, these are exactly what I need. Like which repos do you check out; like github and gitlab?

[–] [email protected] 9 points 1 year ago* (last edited 1 year ago)

Wherever the app's code is on. I usually go around finding the link in the store page or through the search engine. Most of the time, they end up on GitHub and GitLab, sometimes on Codeberg or other instance.

Paranoid section ahead: Don't blindly trust the issues list, closed or open, because there are still ways to permanently delete those, hence giving bad actor a way to hide evidence of the on-going security problem.

[–] [email protected] 8 points 1 year ago (1 children)

In F-Droid, there is always a link to the repo. In english it is probably something like "source (code)". It is in the collapsable menu under "Links".

[–] [email protected] 1 points 1 year ago

Thanks, I've just been doing by the apps version numbers and the last date it was updated

[–] [email protected] 1 points 1 year ago

Plus there should be some tools or scanners to look at the app for any potential dangers, like play protect, right?

[–] [email protected] 12 points 1 year ago (1 children)

I am not sure what you mean with the repo archive being outdated, the latest commit was 30 minutes ago. Could you please tell us more what apps you are referring to and in what way you find the repo archive being outdated? Might be easier to answer your question that way.

Also bear in mind that its quite common for stable releases to be some time apart from each other. Florisboard for example had its latest release over a year ago, but is being actively maintained.

[–] [email protected] 1 points 1 year ago

Yea so, just about most of the apps on the market. Pick a category and once you get through the top apps that are up to date, not far down the list the rest of the apps list their current version and they just get older as you go hence sort by new. There's more outdated apps (I mean by like years) that truly aren't far from the up to date versions

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago) (1 children)

Depends what the app does, like some others have mentioned if it's transferring sensitive data over the internet, I would want it to be updated. But if it's something local like a call blocker checking a local database I wouldn't worry about it.

The other downside for the call blocker app is the database could be outdated, not sure how their mechanism works for that.

[–] [email protected] 1 points 1 year ago

Vep very true!