• 0 Posts
  • 4 Comments
Joined 2 years ago
Cake day: July 14th, 2023

  • I’ve now finished reading and it wasn’t about the xz code as I thought. The article was about the F-Droid developer Hans-Christoph Steiner telling a story about someone attempting to put pressure on F-Droid to merge code that was vulnerable in response to what happened with the xz project. So F-Droid never had the vulnerable code in it.

    Tuesday, Hans-Christoph Steiner, a longtime developer of F-Droid, explained that a very similar situation nearly led F-Droid to push an update that would have introduced a security vulnerability into the product three years ago: “Three years ago, F-Droid had a similar kind of attempt as the Xz backdoor,” he posted on Mastodon. “A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn’t found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a SQL injection vulnerability. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think it’s relevant now.”
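The quoted post says the proposed search code would have added a SQL injection vulnerability but not what such a flaw looks like. The following Python/SQLite snippet is an added illustration, not F-Droid's code and not part of the comment above: it shows the shape this class of bug typically takes in a search feature (user input spliced into the SQL text) next to the parameterized query that closes it. The `app` table, its `listed` column and the sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample catalogue (hypothetical schema, not F-Droid's): the "listed"
# flag marks rows that public search is allowed to return.
SAMPLE_APPS = [
    ("org.example.notes", "Notes", 1),
    ("org.example.camera", "Camera", 1),
    ("org.example.internal", "Internal Build", 0),
]


def make_db():
    """Create an in-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app (id TEXT PRIMARY KEY, name TEXT, listed INTEGER)")
    conn.executemany("INSERT INTO app VALUES (?, ?, ?)", SAMPLE_APPS)
    return conn


def search_vulnerable(conn, term):
    """Search by pasting user input straight into the SQL text.

    The ``listed = 1`` restriction is only as strong as the quoting around
    ``term``: a quote character in the input ends the string literal and the
    rest of the input is parsed as SQL.
    """
    sql = f"SELECT id FROM app WHERE listed = 1 AND name LIKE '%{term}%'"
    return sorted(row[0] for row in conn.execute(sql))


def search_safe(conn, term):
    """Same query with the user input bound as a parameter.

    The SQL text is fixed; ``term`` is only ever compared as a value, so the
    ``listed = 1`` condition cannot be bypassed.  (LIKE's own wildcards, ``%``
    and ``_``, still act inside the value; escape them if users must be able
    to search for those characters literally.)
    """
    sql = "SELECT id FROM app WHERE listed = 1 AND name LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, (f"%{term}%",)))


def demo():
    """Run both implementations on an ordinary term and on a quote-bearing one."""
    conn = make_db()
    normal = "cam"
    # A term containing a closing quote.  In the vulnerable version the remainder
    # becomes SQL and the '--' comments out the trailing quote, so the unlisted
    # row leaks; the parameterized version simply finds no matching name.
    quoted = "' OR 1=1 --"
    return {
        "vulnerable_normal": search_vulnerable(conn, normal),
        "safe_normal": search_safe(conn, normal),
        "vulnerable_quoted": search_vulnerable(conn, quoted),
        "safe_quoted": search_safe(conn, quoted),
    }


if __name__ == "__main__":
    for label, ids in demo().items():
        print(f"{label}: {ids}")
```

In review, the tell is any query text built with string formatting or concatenation from request data; a search "improvement" that changes a parameterized query into a formatted one is exactly the kind of change worth reading twice.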