this post was submitted on 11 Aug 2023
16 points (94.4% liked)

Open Source

I've come to realize that a lot of FOSS Android apps are pretty outdated and usually abandoned. Is that even safe to use? Like even the F-Droid archive repository, are those safe to use? I'm still rather new to the FOSS world, but in my mind it seems a very outdated app is probably not safe, or am I missing something here?

top 14 comments
[–] [email protected] 10 points 11 months ago

It depends on the app. A local markdown editor without any network functionality? Probably safe. A password manager with online functionalities? I would look for something else.

[–] [email protected] 3 points 11 months ago* (last edited 11 months ago) (1 children)

Depends what the app does. Like some others have mentioned, if it's transferring sensitive data over the internet, I would want it to be updated. But if it's something local like a call blocker checking a local database, I wouldn't worry about it.

The other downside for the call blocker app is the database could be outdated, not sure how their mechanism works for that.

[–] [email protected] 1 points 11 months ago

Yep, very true!

[–] [email protected] 2 points 11 months ago (2 children)

These are code health smells. Looking at the activity in a repository, the number of contributors, the frequency of updates: these all let you get a feeling for how well cared for a project is. Sometimes that doesn't matter, but it is definitely something you should factor in.

[–] [email protected] 4 points 11 months ago (1 children)

For any app that isn't network-facing and that works with protocols that haven't been changed in a long time, there is no point worrying over how "active" the development is on an app. If nothing has been broken, then nothing needs fixing. My music player has had all the features it needs for a decade, and continues to work to this day. Why change a good thing?

[–] [email protected] 1 points 11 months ago (1 children)

Gotcha. But what's stopping cyber criminals from seeing these abandoned repos and possibly taking them over and implementing malware or whatnot?

[–] [email protected] 3 points 11 months ago (1 children)

Have you ever used Github? People can't just push code to the main repo.

And all submissions to F-Droid are checked for this kind of thing.

[–] [email protected] 1 points 10 months ago (1 children)

I mean, yes, I use GitHub for reference and sometimes downloading, but I don't actually know a whole lot about it, like push and pull requests and whatnot, as I haven't found a need to learn it yet. So what you're saying is to basically download apps from GitHub instead of F-Droid to ensure you get the latest?

[–] [email protected] 3 points 10 months ago (1 children)

No, I'm not. I'm saying that downloading from F-Droid is perfectly safe, as they verify all updates before putting them on the repo.

[–] [email protected] 2 points 10 months ago

Ohhh I understand, thanks

[–] [email protected] 1 points 11 months ago (1 children)

So just because F-Droid says an app hasn't been updated since 2020, that doesn't necessarily mean it's not being maintained or is abandoned?

[–] [email protected] 2 points 11 months ago

It's a strong indicator that it isn't being maintained and is abandoned. But it's not a guarantee; some code is very mature, but that's the exception rather than the rule.

[–] [email protected] 0 points 11 months ago* (last edited 11 months ago) (1 children)

I look at the latest release date. When I have leisure time, I would also go and check the repository and issue tracker to see whether something serious is being ignored. If it's crucial for business, I would spare time investigating the source code itself.

I would not necessarily say that many apps uploaded to F-Droid and other repositories are unsafe, because I don't have the energy to audit everything I use. What helps me stay on the safe side is reading into things: enclosed descriptions and names may look like a small factor to some, once they read the sources, but it saves me both time and trouble. Sloppily written stuff usually implies sloppy code, a lax attention to detail on the developer's side.
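The rule of thumb the thread converges on has two parts: does the app talk to the network (the first two replies), and does the repository show maintenance smells such as a long gap since the last release or commit, a single contributor, or serious issues left unanswered (the "code health smells" reply and the one above about release dates and issue trackers). The script below turns that into a repeatable triage step. It is an added example written for this page, not code from any commenter, F-Droid or any app; the thresholds (two years stale, fewer than two contributors), the `RepoStats` fields, the package names and the two manifests are all constructed for illustration. Only the `android.permission.INTERNET` check and the AndroidManifest attribute namespace are real Android facts.

```python
"""Triage an old FOSS Android app: how stale is it, and can it reach the network?

Added example for this thread. Thresholds, sample repositories and manifests
are constructed assumptions, not data about any real app.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Real namespace used for android:* attributes in AndroidManifest.xml.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The permission an app needs to open sockets at all; without it the app is
# local-only, which is the case the thread treats as low concern.
NETWORK_PERMISSIONS = {"android.permission.INTERNET"}

# Assumed thresholds for this example (not numbers from the thread).
STALE_DAYS = 730        # roughly two years without a release or commit
MIN_CONTRIBUTORS = 2


@dataclass
class RepoStats:
    """Repository metadata you would read off the forge or F-Droid page (assumed shape)."""
    last_release: datetime
    last_commit: datetime
    contributors: int
    open_security_issues: int   # security-tagged issues with no maintainer reply


def manifest_permissions(manifest_xml: str) -> set[str]:
    """Return the permission names declared via <uses-permission> in a manifest."""
    root = ET.fromstring(manifest_xml)
    # <uses-permission> itself is un-namespaced; only the android:name attribute is.
    return {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}


def staleness_days(stats: RepoStats, now: datetime) -> int:
    """Days since the most recent sign of life (release or commit)."""
    return (now - max(stats.last_release, stats.last_commit)).days


def triage(stats: RepoStats, permissions: set[str], now: datetime) -> dict:
    """Combine maintenance smells with network capability into a verdict.

    maintained            - no smells found
    replace               - smells AND the app can reach the network
    acceptable-local-only - smells, but the app holds no network permission
    """
    smells = []
    days = staleness_days(stats, now)
    if days >= STALE_DAYS:
        smells.append(f"no release or commit in {days} days")
    if stats.contributors < MIN_CONTRIBUTORS:
        smells.append("single contributor")
    if stats.open_security_issues:
        smells.append(f"{stats.open_security_issues} unanswered security issue(s)")

    network = bool(permissions & NETWORK_PERMISSIONS)
    if not smells:
        verdict = "maintained"
    elif network:
        verdict = "replace"
    else:
        verdict = "acceptable-local-only"
    return {"verdict": verdict, "network": network, "smells": smells}


# --- constructed sample inputs -------------------------------------------------
NOW = datetime(2023, 8, 11, tzinfo=timezone.utc)   # date of the original post

# A local markdown editor: storage permissions only, no INTERNET.
MARKDOWN_EDITOR_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.example.mdedit">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>
"""
# A password manager with online sync: holds INTERNET.
PASSWORD_MANAGER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.example.passsync">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
</manifest>
"""
# Both projects last touched in spring 2020 (assumed dates).
MD_EDITOR = RepoStats(datetime(2020, 3, 1, tzinfo=timezone.utc),
                      datetime(2020, 5, 14, tzinfo=timezone.utc), 1, 0)
PASS_MANAGER = RepoStats(datetime(2020, 3, 1, tzinfo=timezone.utc),
                         datetime(2020, 5, 14, tzinfo=timezone.utc), 1, 2)
# A healthy project for comparison.
FRESH_SYNC_APP = RepoStats(datetime(2023, 8, 1, tzinfo=timezone.utc),
                           datetime(2023, 8, 9, tzinfo=timezone.utc), 5, 0)


def assess(stats: RepoStats, manifest_xml: str, now: datetime = NOW) -> dict:
    """Convenience wrapper: manifest text in, verdict out."""
    return triage(stats, manifest_permissions(manifest_xml), now)


if __name__ == "__main__":
    for name, stats, manifest in [("markdown editor", MD_EDITOR, MARKDOWN_EDITOR_MANIFEST),
                                  ("password manager", PASS_MANAGER, PASSWORD_MANAGER_MANIFEST),
                                  ("fresh sync app", FRESH_SYNC_APP, PASSWORD_MANAGER_MANIFEST)]:
        print(name, assess(stats, manifest))
```

The manifest check is a first cut, not a proof of safety: an app without `INTERNET` can still be reached through the files or intents it accepts, so a stale local app that parses untrusted input still deserves a look at its issue tracker, which is what the `open_security_issues` field is meant to capture.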

[–] [email protected] 1 points 11 months ago

Plus there should be some tools or scanners to look at the app for any potential dangers, like Play Protect, right?