
Update F-Droid Security Issues #233

Conversation

@friendly-rabbit-35 (Contributor) commented May 18, 2024

Detailed list of changes

  • Part 1
    • Reword and rearrange the paragraph right before the Q&A section
      • Embed link to PrivSec post on FLOSS Security, specifically the section clarifying the role of source code
    • In the paragraph about F-Droid's lack of quality assurance, embed link to PrivSec post on Badness Enumeration
  • MAJOR CHANGE: Add new section (Part 2) about F-Droid's inclusion policy and its negative effects on developers and end users
    • Add case study on Snikket's F-Droid app
    • Renumber subsequent sections of the post
  • Part 3
    • Embed link to PrivSec post on Choosing your Desktop Linux Distro, specifically the section about release cycles
  • Part 4
    • Update status of F-Droid's index v2 and add link to F-Droid API documentation that mentions index v2
    • MAJOR CHANGE: Add disclaimer that F-Droid's official client and F-Droid Basic now support unprivileged unattended updates
    • Clarify part about the Play Store's non-use of certificate pinning (closes F-Droid Security Issues: Clarify cert pinning in Play Store #263)
      • The current wording reads as if the Play Store uses this feature, but it does not.
    • MAJOR CHANGE: Add section about F-Droid's infrastructure not following basic network security practices, which @TommyTran732 explained in the main Matrix room and the GrapheneOS Offtopic room
  • Part 5
    • MAJOR CHANGE: Overhaul section about F-Droid clients (inspired by https://github.com/orgs/PrivSec-dev/discussions/190#discussioncomment-7825536)
      • Update the F-Droid section in the Android Tips post to reflect this major change
    • Embed link to GitLab issue in which an F-Droid maintainer states that F-Droid does not have a minimum or target SDK requirement
    • Update the Play Store's target API level requirements and mention that they're refreshed every year
    • MAJOR CHANGE: Reword the first part of the last paragraph (starts with "While it may" in the old version, "Keeping the" in the new version) for increased clarity
  • Part 7
    • Add more specific link to the quoted material from the lead F-Droid developer
    • Move block quote for the run at startup permission for better idea flow
  • Conclusion
    • MAJOR CHANGE: Reword the last sentence of the introductory paragraph for improved clarity
    • In the "Should I Really Care?" section, embed link to PrivSec post on Threat Modeling
    • "Isn't Google evil? Isn't the Play Store spyware?" section
      • Embed link to section of Aurora Store wiki about invalidation of dummy account sessions to highlight the "concerning" part of the shared accounts feature
  • Meta
    • Modify wording about the non-representation of GrapheneOS in the post
  • Make numerous grammar, wording, and syntax changes for improved clarity
    • MAJOR CHANGE: Switch Part 3 and Part 4 around for better flow of ideas
    • Rearrange several paragraphs for better flow of ideas
    • Append "the" before most instances of "Play Store"
    • In many parts of the post, break up long sentences into shorter ones for either improved readability or increased emphasis on certain points

New To Do

All done!
  • Move section about F-Droid's false sense of security to a more appropriate location
  • Complete the case study of Snikket in the newly created section on F-Droid's inclusion policy

To Do

All done!
  • Introduction
  • Part 1
  • Part 2
  • Part 3
    • Look into the status of F-Droid's privileged extension
    • Look into the status of v2 metadata format wrt F-Droid's index and, if needed, update accordingly
  • Part 4
    • Research third-party F-Droid clients mentioned here
    • Develop comparison between third-party F-Droid clients, the official F-Droid client, and F-Droid Basic
    • Review the paragraph starting with "While it may seem bothersome"
  • Part 5
  • Part 6
  • Conclusion
    • Review the third sentence of the first paragraph and, if needed, reword it for improved clarity
    • Look into status of Aurora Store's account tokens and, if needed, update accordingly
  • Meta

netlify bot commented May 18, 2024

Deploy Preview for privsec-dev ready!

Built without sensitive environment variables

  • Latest commit: 18d31a3
  • Latest deploy log: https://app.netlify.com/sites/privsec-dev/deploys/67201e338b417a0008fe72bc
  • Deploy Preview: https://deploy-preview-233--privsec-dev.netlify.app

@wj25czxj47bu6q wj25czxj47bu6q added the [c] update existing Existing content updates (beyond trivial fixes) label May 18, 2024
@TommyTran732 (Member) commented:
So far so good

@friendly-rabbit-35 (Contributor, Author) left a review comment:

Most of the changes to the post are minor, but I would greatly appreciate any feedback on the ones marked as a "MAJOR CHANGE" in the initial comment to make sure that I'm not changing the spirit of the original work.


At the time of writing:
- Android 12 is the oldest Android version that is [receiving security updates](https://endoflife.date/android). (Last updated on May 20, 2024)
- [~80% of the Android devices](https://developer.android.com/about/dashboards) in the world are running **at least** 8.0 "Oreo".
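Review bot: the qualifier "(Last updated on May 20, 2024)" sits on the first bullet only, so the "~80%" figure in the second bullet reads as equally current even though it carries no date of its own; suggest moving the date up to the "At the time of writing:" line so it covers both bullets, or adding a separate note on when the dashboard figure was last checked.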
@friendly-rabbit-35 (Contributor, Author) commented May 20, 2024:

Regarding the second bullet point, accessing platform version information is gated by an account login, so I didn't update this statistic.

@friendly-rabbit-35 friendly-rabbit-35 marked this pull request as ready for review May 20, 2024 22:13
@wj25czxj47bu6q wj25czxj47bu6q self-assigned this May 21, 2024
@wj25czxj47bu6q wj25czxj47bu6q added the [z] wait to merge For internal use by team members label May 21, 2024
@wj25czxj47bu6q wj25czxj47bu6q self-requested a review May 21, 2024 21:49
@friendly-rabbit-35 friendly-rabbit-35 marked this pull request as draft July 9, 2024 01:55
@friendly-rabbit-35 friendly-rabbit-35 marked this pull request as ready for review July 9, 2024 04:45

- Since August 2021, Play Store requires new apps to target at least API level 30.
- Since November 2021, existing apps must at least target API level 30 for updates to be submitted.
Overall, this case study highlights how F-Droid's inclusion policy ultimately harms end users by forcing app developers to adopt potentially decrepit development tools and build processes in service of their regnant FOSS ideology.
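Review bot: the two bullets give API level 30 with 2021 dates, while the PR description says the Play Store's target API level requirements are refreshed every year; if the bullets are meant as historical context for the case study, mark them as such ("for example, since August 2021 ..."), otherwise a reader will take level 30 as the current requirement. In the closing sentence, "regnant" is obscure and "decrepit" editorializes; "prevailing" and "outdated" make the same claim in plainer terms.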
@friendly-rabbit-35 (Contributor, Author) commented:

I welcome any suggestions for this concluding sentence. I'm not particularly thrilled with the final two words, but I can't think of any good replacements.

Member commented:

Sounds good to me

To be fair, they've thought several times about adding certificate pinning to their client [at least for the default repositories](https://gitlab.com/fdroid/fdroidclient/-/issues/105). [Relics of preliminary work](https://gitlab.com/fdroid/fdroidclient/-/blob/1.14-alpha4/app/src/main/java/org/fdroid/fdroid/FDroidCertPins.java) can even be found in their current codebase, but it's unfortunate that they haven't been able to find [any working implementation](https://github.com/f-droid/fdroidclient/commit/7f78b46664981b9b73cadbfdda6391f6fe939c77) so far. Given the overly complex nature of F-Droid, that's largely understandable.
To be fair, the F-Droid team has considered several times about adding certificate pinning to their client [at least for the default repositories](https://gitlab.com/fdroid/fdroidclient/-/issues/105). [Relics of preliminary work](https://gitlab.com/fdroid/fdroidclient/-/blob/1.14-alpha4/app/src/main/java/org/fdroid/fdroid/FDroidCertPins.java) can even be found in their current codebase, but it's unfortunate that they haven't been able to find [any working implementation](https://github.com/f-droid/fdroidclient/commit/7f78b46664981b9b73cadbfdda6391f6fe939c77) so far. Given the overly complex nature of F-Droid, that's largely understandable.

In a situation where TLS certificate pinning cannot be done, though, the next best thing --- or, rather, the most basic thing --- is to have a robust infrastucture for TLS. This means setting up CAA records with account pinning, setting up DNSSEC, and pinning ACME `accounturi` and `validationmethods`. Other basic security practices include enforcing TLS 1.2 and TLS 1.3 and disabling weak ciphers. F-Droid does **none** of these. They do not have CAA records and DNSSEC, and [still support TLS 1.0 and TLS 1.1](https://www.hardenize.com/report/f-droid.org/1721021966#www_tls) with their servers.
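Review bot: "infrastucture" in the second paragraph is misspelled ("infrastructure"), and the rewritten first sentence's "has considered several times about adding certificate pinning" should read "has considered adding certificate pinning ... several times". In the second paragraph, "setting up CAA records with account pinning" and "pinning ACME `accounturi` and `validationmethods`" describe the same control (the RFC 8657 CAA parameters the author cites below), so the list counts it twice; suggest merging them into one item such as "publishing CAA records that pin the ACME `accounturi` and `validationmethods`". The closing "F-Droid does **none** of these" is broader than what the paragraph substantiates (no CAA, no DNSSEC, TLS 1.0/1.1 still enabled per a dated Hardenize report); either cite the weak-cipher finding too or soften to "does not do most of these", and note that the linked report is a point-in-time snapshot.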
@friendly-rabbit-35 (Contributor, Author) commented:

I formatted "accounturi" and "validationmethods" as code because they're described as parameters in this RFC: https://datatracker.ietf.org/doc/rfc8657/

Feel free to change it (or anything else in this new section) if it's not correct in this case.

Signed-off-by: friendly-rabbit-35 <[email protected]>
Signed-off-by: Friendly Rabbit <[email protected]>
@friendly-rabbit-35 friendly-rabbit-35 marked this pull request as draft October 28, 2024 23:44
@friendly-rabbit-35 friendly-rabbit-35 marked this pull request as ready for review October 28, 2024 23:45
@friendly-rabbit-35 (Contributor, Author) commented:

I think I'll close this PR and split its changes into separate PRs so that it's more manageable for reviewers.

@friendly-rabbit-35 friendly-rabbit-35 deleted the update-fdroid-post branch November 2, 2024 15:49