F-Droid (new window)is an app store for Android that features only free and open-source software (FOSS). This makes it a welcome alternative to the privacy-invading Google Play Store.
In this article, we look at what F-Droid is, why you might want to use it, and how to use it. We also examine some concerns about F-Droid.
- What is F-Droid?
- Why use F-Droid?
- What are the best F-Droid apps?
- How to use F-Droid
- F-Droid repositories
- Is F-Droid safe?
- Are there any F-Droid alternatives?
What is F-Droid?
Like the Play Store, F-Droid is an app repository that offers a curated collection of apps that are free of charge, contain no proprietary software, and adhere to open-source principles. This means the source code of the apps is openly available, allowing you to verify their security, privacy features, and functionality.
F-Droid is developed and maintained by a community of volunteers and aims to provide a privacy-friendly and transparent app ecosystem. You can download apps from the F-Droid repository, and F-Droid will help you keep them updated.
This focus on FOSS aligns with Proton’s principles of transparency and user empowerment, which is why the Proton VPN app is available on F-Droid(new window).
Unlike the Play Store, there’s no need to register for an account to use F-Droid.
Why use F-Droid?
There are two main reasons to use F-Droid.
1. It’s not the Google Play Store
Google’s entire (and very profitable) business model(new window) is to learn as much about you as possible so that it can target you with highly personalized ads.
When you download and use apps from the Google Play Store, Google collects a great deal of data about you. This includes(new window) information about your device, how you use the app, where you use the app (location data), and more. All of which is tied to your real identity and combined with other information Google collects on you from its many other apps, services, and trackers,
Additionally, many apps on the Google Play Store incorporate third-party tracking libraries or software development kits (SDKs). These tracking mechanisms allow app developers and third-party companies to collect information about your behavior, interests, and usage patterns across different apps and websites.
The also proprietary Amazon Store for Android suffers similar issues.
2. Open-source apps
F-Droid provides an easily browsable repository of curated open-source apps, many of which aren’t on the Play Store. Open-source apps are, of course, also available on GitHub and similar platforms (this is part of what makes them open source), but there’s no easy update mechanism for APK files downloaded directly from their developers. F-Droid provides such a mechanism.
F-Droid makes it much easier to find, install, and update open-source Android apps. Many people also view using F-Droid as a way to support the free and open-source community.
What are the best F-Droid apps?
There are many great apps on F-Droid, many of which aren’t on the Play Store. Even when an app is also on the Play Store, installing it from F-Droid removes Google from the equation.
The following list is by no means comprehensive, but it provides a sample of some of the high-quality apps available on F-Droid. Please note that Proton VPN hasn’t formally reviewed any of the apps listed here and in no way endorses them (except Proton VPN, of course).
1. Proton VPN(new window) – A Swiss no-logs VPN service from the makers of Proton Mail. You can choose between multiple VPN protocols (including WireGuard and our Stealth obfuscation protocol) or let Smart protocol choose the best option for you. Our Android app features a kill switch, split tunneling, VPN Accelerator, alternative routing(new window), NetShield Ad-blocker, and more.
2. Fennic F-Droid(new window) – An open-source browser based on the latest version of Firefox, but with additional tracking protection and proprietary bits and telemetry removed. Not available on the Play Store.
3. Droid-ify/(new window)Neo Store(new window)/Aurora(new window) – Unofficial F-Droid apps that offer an improved experience for accessing the F-Droid repository. See below for more details. Needless to say, these apps are not available on the Play Store.
4. Open Camera(new window) – An open-source camera app that supports HDR, face detection, video and audio recording, auto-stabilize, and more. Unlike the version available on the Play Store, the F-Droid version of Open Camera is completely ad-free.
5. DuckDuckGo Privacy Browser(new window) – We removed DuckDuckGo from our Best browsers for your privacy(new window) list because it is only partially open-source. The F-Droid version, however, is fully open source.
It offers extensive anti-tracking features, forces HTTPS connections by default, has a “Fire” button to easily burn your browsing history, and can be locked and unlocked using biometrics. One of its more innovative features is its Privacy Grade — a scorecard for companies’ terms of service. And, of course, the app uses DuckDuckGo as its search engine.
However, it has a unique fingerprint(new window), and the lack of any syncing function limits its usefulness as a general-purpose browser.
6. OsmAnd +(new window) – An open-source map app that uses OpenStreetMap(new window) (OSM) data and features offline maps, real-time voice and display navigation, and more. No, it’s not as good as Google Maps, but it also doesn’t track you everywhere you go.
7. Music(new window) – A good-looking (Material) music player with Android widgets that does everything you need a local music player to do. This app auto-downloads artist and album art, allows you to edit songs’ tags and metadata, has a sleep timer, and more.
8. AnySoftKeyboard(new window) – A keyboard with support for multiple languages, gestures, an emoji keyboard, a dictionary, virtual keys, and voice data entry. And unlike your phone’s default keyboard and most commercial keyboards, it won’t spy on everything you type.
How to use F-Droid
F-Droid is an app repository. You can access this repository (and other F-Droid-compatible repositories — see below) using the official F-Droid app, but many people prefer to use unofficial third-party apps instead.
Among the most notable of these are Droid-ify(new window), Neo Store(new window), and Aurora Droid(new window). You can run as many of these on your device at the same time as you like, and they will all notify you about updates for any F-Droid app.
The official F-Droid app features a rather clunky user interface. It also targets the outdated Software Development Kit(new window) (SDK) used for Android 7.1 (released in 2016), which means it lacks more recent security and privacy improvements.
Most notably, apps compiled using older SDKs have weaker sandboxing(new window) (a security mechanism Android uses to isolate apps so that if they fail or are compromised, the damage is more easily contained).
That said, the official F-Droid app generally does what it’s supposed to do. You can browse and install apps by category and receive notifications when app updates are available.
You must update apps from F-Droid manually, but this is a one-tap process. (Automatic update and installation are possible, but only if you have a rooted device. Note that Google applies this limitation via the Android OS, and it applies to all F-Droid repo apps).
Update February 2024: F-Droid 1.19+ supports unattended updates(new window).
F-Droid also clearly flags anti-features that you may not like, such as advertising, tracking, or dependence on non-free software(new window), in the app descriptions.
Unofficial F-Droid repo apps offer improved user interfaces, target up-to-date Android SDKs, feature easy repository management (see below), and more. Below, we see Neo Store, which in typical FOSS fashion is a fork of Droid-ify, which is itself a fork of the also-popular Foxy-Droid(new window).
F-Droid repositories
As already noted, F-Droid is an app repository. There also exist numerous other open-source app repositories that are fully compatible with F-Droid. These are libraries of apps that are at least somewhat curated by their owners and can offer interesting apps that aren’t available on the official F-Droid repository.
Most of them pull APKs directly from their GitHub pages, so they’re digitally signed by their developers. However, you use third-party repositories at your own risk.
You can add these external repos(new window) to the official(new window) and unofficial F-Droid apps.
Unofficial apps such as Droid-ify offer greatly improved repo management over the official F-Droid app.
The popular Guardian Project(new window) repo specializes in privacy and security apps and is now included in the official F-Droid app by default. The IzzyOnDroid(new window) and Bromite(new window) repositories are also well regarded (but aren’t endorsed by Proton VPN).
Is F-Droid safe?
F-Droid provides a convenient way to find, download, and update open-source Android apps. To be allowed onto the F-Droid repository, apps are scanned for malware (using VirusTotal(new window)) and undergo a security check to ensure they meet F-Droid’s free software requirements.
However, these checks are (in the F-Droid team’s own words(new window)) “basic”. By their very nature, open-source apps are more likely to be secure than closed-source apps, but this can’t be guaranteed. But then again, it also can’t be guaranteed for apps on the Play Store(new window) either.
In January 2020, a widely shared (among the privacy community) critique(new window) of multiple aspects of F-Droid’s security was published on PrivSec.dev. For those serious about security, this document bears close reading. The most serious criticisms can be summarized as:
1. Apps are signed by F-Droid, not the app developers
On most app stores, apps are signed by the app developer. F-Droid, on the other hand, builds all apps from their source code and then signs them with its own key (a limited number of reproducible builds(new window) are exempted from this policy).
This offers a security advantage as long as you trust the F-Droid team, as it prevents malicious developers from adding code to their APKs that’s not present on their GitHub pages. However, it also means you need to trust another party (F-Droid).
It should also be noted that since August 2021, Google signs apps on the Play Store.
2. Slow updates
Regular updates are important, as they often fix pressing security vulnerabilities. The fact that the F-Droid team must review, build, and sign apps means there can be quite a delay between apps being updated and the updates appearing on F-Droid.
This problem is compounded by F-Droid’s prohibition against apps using proprietary code. The result is that many apps have a different F-Droid version to comply with these rules, which requires extra time to maintain.
3. Obsolete apps
We’ve already discussed how the official F-Droid app targets an old SDK (which is a problem fixed by most unofficial F-Droid apps). Unfortunately, this is also true of the F-Droid repository itself.
This helps with backward compatibility (always an issue on Android devices) but also means that the F-Droid repo is full of apps that haven’t received security updates for years.
You should always check when an app you plan to install was last updated on F-Droid. This information is available on its download page.
So is F-Droid safe? This depends on your threat model. The above concerns (and others raised in the article) are valid, but for many people, F-Droid’s convenience outweighs its downsides.
Are there any F-Droid alternatives?
Other than proprietary app stores such as the Play Store or the Amazon Store, not really. However, if the security issues raised above concern you, there is another option.
You can manually download and install APKs directly from the developers’ GitHub pages (or even compile them from source if you have the technical skills). You can then use an RSS reader to monitor each app’s GitHub Releases page to receive a notification when an update is available.
Final thoughts
F-Droid is by no means perfect, but it nevertheless performs an invaluable service for the open-source community. There are hundreds of high-quality apps that provide excellent privacy-friendly alternatives to commercial proprietary software. If your threat model allows it, there is no easier way to find ones that work for you, install them, and keep them up-to-date.
