July 17 2025 GM

From TCU Wiki

Back To The Source: App Store Politics With F-Droid

  • Date: Thursday, July 17
  • Time: 9am EDT / 1pm UTC
  • Facilitator: Mardiya
  • Featured Guest: Hailey Still and Nzambi Kakusu
  • Where: On TCU Mattermost "IF Square" Channel.

Join us on July 17 to hear from Hailey, F-Droid’s project manager and UX designer, and Nzambi, F-Droid’s grant administrator, who will be talking about:

  • F-Droid's mission of creating a safe and privacy-respecting app store for people to access FOSS
  • How reproducible builds prevent malware and spyware from sneaking into your APKs
  • How F-Droid is competing with Big Tech on trustworthiness, user-privacy, and freedom

Speakers:

  • Hailey Still - F-Droid’s new project manager and UX designer. She has a diverse background of experience in managing complex projects and designing user-friendly and intuitive interfaces. Hailey helps secure new grant opportunities, streamline operations and improve the user experience tools we work on.
  • Nzambi Kakusu - F-Droid’s grant administrator. Nzambi plays a crucial role in securing and managing funding for F-Droid’s continued development. With her experience in grant management, Nzambi helps ensure that the organization can continue to sustain and grow the project in a way that aligns with its mission and values.

What is Glitter Meetup?

Glitter Meetup is the weekly town hall of the digital rights and Internet Freedom community at the IF Square on the TCU Mattermost, at 9am EDT / 2pm UTC. It is a text-based chat where digital rights defenders can share regional and project updates, expertise, ask questions, and connect with others from all over the world! Do you need an invite? Learn how to get one here.

Notes

Can you share a bit more about yourselves and your work with F-Droid?
  • My name is Hailey and I have been working with F-Droid for around one and a half years. Officially I am responsible for research and UX design, but since we are entirely volunteer driven, I wear a lot of hats and I am also heavily involved in sourcing new grant and funding opportunities to help support the growth and development of F-Droid as well. Then once we secure a new grant, I help with project management too. We are a small team so everyone tries to pitch in. At the moment we are participating in two grants, MobiFree and OTF's FOSS Sustainability. So I am heavily involved in the research, project management and admin side of those grants.
  • Hello, so glad to be here. My name is Nzambi Kakusu and I work as a grants administrator supporting F-Droid and its strategic initiatives. My work involves efforts in organizational policy creation and updates to ensure alignment with industry standards, supporting project management, coordinating with stakeholders and contributors, and I am largely involved in fundraising efforts. I am passionate about the use of technology to solve societal issues.
What is F-Droid? What do you do?
  • When people think of F-Droid, they typically think of our main repository which is basically like an app store. In reality, F-Droid has a lot of different pieces, but maybe we can start with the app store first and see how far we get.
  • F-Droid is an open-source Android app marketplace that is committed to respecting users’ privacy. We don't have user accounts which means we don't know who has downloaded F-Droid, where they are located or anything about them such as their email, phone numbers or age.
  • One of our main goals is to put users back in charge of the software they install on their devices by providing access to free apps that do not contain proprietary software. In addition, the vast majority of the apps we include on our main repository do not contain ads or tracking. If an app does contain this sort of code inside, we flag it during our app submission process and then we tag it with something called an anti-feature label. This is displayed in a really large banner to users before they download the app, ensuring they can make informed choices. All apps are free and open source. That's a requirement!
  • An important piece of information is that F-Droid also allows users to find applications that have been banned from Google Play due to their strict policies but are still being developed and shared openly by an active community, for example, NewPipe which is a popular open-source client for YouTube.
  • Basically we are an alternative app store, specifically for FOSS, privacy-respecting apps. Plus we have other cool features like, you can create your own repository of apps (basically like your own mini app store) then share it using our tooling with friends, colleagues or a specific community. The tools we provide help decentralize app distribution and give people more control in how they share and download apps.
How do you check or ensure that the apps do not contain ads or tracking? What process do you use to identify this?
  • During the app review process there is an automatic scanning step, where we scan the code to identify proprietary libraries, malware, the presence of ads or tracking code. Then someone from our F-Droid data team reviews the app code as well. Furthermore, because the app submission and review process is transparent and all the code is open source, anyone can review it. It is a completely different process to proprietary and closed systems, where you have to trust that Big Tech is doing what they say and you don't have any insight into the process as a user.
  • All our source code is public, anyone can audit it or review it. All our apps are reproducible, meaning the source code that is submitted by the developer is recreated from scratch before it is added to the main repo, and in addition it is open source so it can be audited by anyone at any time for correctness. I was trying to think of a metaphor to explain the concept of reproducible builds and I think maybe you can think of reproducible builds like a puzzle made out of cardboard. The developer sends us their puzzle with the picture on the box. We open the puzzle and put all the pieces together, so we recreate the app from the source code. Then if our puzzle looks like the picture on the box, and we don't have any extra pieces or missing pieces, it is a match and we know it is reproducible as in the source code can be reproduced. And anyone can open the puzzle box and see if it has all its pieces and try to recreate it.
Do you worry that folks will try to make the mini App Store into an opportunity to be influencers? Like TikTok shop?
  • I think the chances of F-Droid transforming into an influencer platform similar to TikTok shop are extremely low because the fundamental principles together with technical design and community values of F-Droid stand in direct opposition to the commercial and data-intensive nature of such models. As such, F-Droid developers who use external platforms including blogs, YouTube and social media to discuss their F-Droid applications maintain a separate entity from the platform itself. The project actively works against the financial elements which make influencer marketing successful on other platforms.
Are you interested to start a similar project to F-Droid for iOS given their discussions to open the app store ecosystem in the European Union?
  • We are only on Android for the moment. Apple was closed from the beginning so it is a difficult OS for us to integrate into. We work closely with other Android OS projects, who ship F-Droid on their devices such as Calyx.
  • I don't know if folks here are familiar with Europe's Digital Markets Act. https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/digital-markets-act-ensuring-fair-and-open-digital-markets_en In a sense it is a sort of anti-trust law that helps break up big tech players like Google and Apple, but it also aims to improve interoperability, push for user rights such as the right to privacy or even more basic, the right to deinstall apps on your phone, and aims to make digital markets more fair and open in general. The Technical Lead of F-Droid, Hans, has been asked multiple times to go to Brussels to speak as a counterweight to Big Tech during the European Commission DMA workshops. It has been a big opportunity for F-Droid and other FOSS projects to have a voice and speak for privacy and user rights. So we are trying to make an impact here within the Android space.
What is your stance on the new Android Advanced Protection Mode that disables 3rd party app stores? Is there any alternative suggestion for them to protect our phones more without losing the access to 3rd party stores?
  • About Android Advanced Protection Mode, I think if you know enough to ask about third party app stores, then you probably know enough to evaluate whether to trust a third-party app store. If a third-party app store does not feel quite right, then do not install it, and you're protected.
  • Google uses security features to lock people into their services. They are doing this even more, now that the EU Digital Markets Act is forcing them to stop gatekeeping Android.
  • The hard part is they lump in the useful stuff with the stuff that is really just useful to lock users into Google. We're working on getting F-Droid preloaded on devices. Google is not making that easy. And there is App Fair for iOS, which aims to be the free software app store for iOS, inspired by F-Droid: https://appfair.org/
Are there tips to analyze apps distributed in F-Droid based stores? For instance, I saw that a repressive country has its own store, and I would love to know how we can analyze more efficiently what they upload there.
  • It's more a "do your own research" type of thing, do you trust them? If not... that's why F-Droid does everything in the public, you know what is built, from which code, and (for reproducible builds) that it matches the developer package. The main F-Droid repository only includes apps that are FLOSS, so your 4 freedoms are guaranteed.
  • The security and app distribution model of F-Droid operates differently from Google's centralized system because it emphasizes user autonomy and clear disclosure practices. The F-Droid platform supports Free and Open Source Software (FOSS) because it allows users to inspect app code and reproduce builds which creates a trust system through community evaluation instead of corporate oversight. The platform actively identifies "anti-features" which include advertising and tracking. F-Droid supports users who want better protection alongside alternative app sources by recommending privacy-focused custom ROMs (e.g., GrapheneOS) and proper app permission management and verified side loading and system updates and firewall deployment and ongoing security threat education. Users gain enhanced control and understanding through this approach which differs from security systems that rely on single vendor oversight.
You did note somewhere that F-Droid tends to compete with big tech companies on trustworthiness, user-privacy, and freedom. What does that mean? What does such competition look like, and are there any challenges you face while doing this?
  • Well yes we try to compete in the sense that we are a small fish in their very big pond. But yes for example at a DMA workshop, Apple claimed they were the most trustworthy app store on the market and Hans asked them to try competing with F-Droid on trustworthiness. All our source code is public, anyone can audit it or review it. All our apps are reproducible, meaning the source code that is submitted by the developer is recreated from scratch before it is added to the main repo, and in addition it is open source so it can be audited by anyone at any time for correctness.
How can one connect, and submit their app/software to F-Droid? Or become a part of the community?
  • So if you want to submit your app to F-Droid there is a page on our website outlining a quick start guide: https://f-droid.org/docs/Submitting_to_F-Droid_Quick_Start_Guide/ But the short response is you can submit it via a GitLab merge request. Then it goes over to our maintainers for review. They will review and reach out if there are any questions. It helps to also have a look at the inclusion policy beforehand, so you can see if your app would likely not be included due to the inclusion policy: https://f-droid.org/docs/Inclusion_Policy/