Should f-droid warn about dangerous apps?
There is an issue with how much, and where, f-droid provides information to the user about apps in the repository. F-droid presents a list of apps, with brief summary information about each app. However, I think it is a good question to ask how f-droid should deal with information about potentially dangerous apps in its repository.
If a user installs an app from f-droid and the user finds that the app has functioned in a dangerous way, what should f-droid do about it? For example, if an app deletes the user's files, it is clearly a very dangerous app. If an app modifies your contacts without asking you, it is also a dangerous app.
In such cases, should f-droid have a way for users to give direct feedback on the danger of the app to other potential users?
At the moment, there are only the user ratings of apps, but this information is separate from the app listings. The rating system does not allow a user to say that an app is potentially dangerous. Therefore, it is not easy for new users to receive clear warnings about dangerous apps using the ratings.
I want to give a real example of a very dangerous app. The blame is obviously 100% with the app, and putting the story here helps to show the seriousness of the issue of how f-droid should handle dangerous apps after they have been discovered.
I installed the Amaze file manager.
I ran it.
I selected 300 photos and videos in my S4's internal storage in .../DCIM/Camera.
I moved the selected files to my external encrypted SD card.
After a few minutes, Amaze crashed, giving no error message. There was only the standard Android message "Unfortunately Amaze has stopped".
I restarted Amaze.
I found the original files were all still in the internal storage.
I found 10 of the original files had been copied, not moved, to the external SD card. I checked that the originals and the copies all had correct MD5sums.
I re-selected the 300 photos and videos in my S4's internal storage.
I moved the selected files to my external encrypted SD card.
I saw there were two separate Android notifications, both of them saying that files were being moved to the external SD card, and both of them were actively updating at the same time.
After 10-15 minutes, the moving finished, with no errors or warnings.
The first 10 files had been moved OK to the external SD card, but each of the remaining 290 files had zero bytes. Worse, Amaze had deleted all 300 original files.
This was going to be the first backup of the 300 files. No Google account, no previous backups.
I don't know if there is a way to recover any of the 300 deleted files from the internal Android filesystem in its current state. It would be nice. Too bad if not.
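The outcome described above (zero-byte copies on the card, originals already deleted) is exactly what a move routine avoids if it only deletes a source after the copy has been verified. The following is an added example, not code from the post or from Amaze: a copy-verify-rename-then-delete move with an injectable copy step so the truncated-copy failure can be simulated; the sample files are constructed stand-ins, not real photos.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # stream in 1 MiB pieces so large videos never sit in memory
def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def copy_with_fsync(src: Path, dst: Path) -> None:
    """Copy, then force the bytes onto the medium; removable cards buffer aggressively."""
    with src.open("rb") as fin, dst.open("wb") as fout:
        shutil.copyfileobj(fin, fout, CHUNK)
        fout.flush()
        os.fsync(fout.fileno())

def safe_move(src: Path, dst: Path, copy=copy_with_fsync) -> bool:
    """Copy to a temp name, verify size and digest, rename, then delete src. False = src kept."""
    if dst.exists():
        return False  # never silently overwrite an existing destination
    size, digest = src.stat().st_size, file_digest(src)
    part = dst.with_name(dst.name + ".part")
    try:
        copy(src, part)  # injectable so a truncated copy can be simulated in tests
        if part.stat().st_size != size or file_digest(part) != digest:
            raise OSError(f"verification failed for {src.name}")
        part.rename(dst)
    except Exception:
        part.unlink(missing_ok=True)  # discard the partial copy; the original is untouched
        return False
    src.unlink()  # only now: a verified, fsynced copy exists at dst
    return True

def move_all(files: list, dest_dir: Path) -> list:
    """Move a batch; return the sources kept because their copy failed verification."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    return [f for f in files if not safe_move(f, dest_dir / f.name)]

def make_sample_files(n: int) -> list:
    """Constructed stand-ins for camera files (not real photos) in a fresh temp dir."""
    root = Path(tempfile.mkdtemp()) / "DCIM" / "Camera"
    root.mkdir(parents=True)
    for i in range(n):
        (root / f"IMG_{i:04d}.jpg").write_bytes(bytes([i % 256]) * (1000 + i))
    return sorted(root.iterdir())
```

A crash anywhere before `src.unlink()` leaves the original in place and at worst a stray `.part` file on the card, which is the failure mode a user can recover from.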
Clearly Amaze is a very dangerous app. I want to warn other potential users of the danger. However, f-droid does not provide any way for me to do this directly in the repository, where I think it would be most likely to be seen by users before they install the app.
https://f-droid.org/repository/browse/?fdid=com.amaze.filemanager&fdpage=2