Frühere Suchanfragen
Suchoptionen
Vorsicht mit dem neuen @accrescent App-Store:
Das ist ein neuer alternativer Android-App-Store, der von sich behauptet, auf Privacy und Security fokussiert zu sein. Er wird auch über den @GrapheneOS Appstore angeboten.
Bei genauerem Hinsehen finden sich allerdings Apps, die Werbe- und Analysetracking enthalten, wie ich nach kurzer Prüfung feststellte.
Der Entwickler sieht darin kein Problem …
1/2
@rufposten @accrescent @GrapheneOS
Ich denke der Hintergrund ist ein grundsätzlich unterschiedliches Verständnis von Datenschutz in verschiedenen Bubbles der Privacy-Community.
Auf der einen Seite ist es mehr absolut: Was eine App kann, das müssen wir auch annehmen, dass sie das auch tut. Ob es faktisch Tracking gibt oder nicht, ist dabei fast egal, genauso wer die Daten bekommt (weil er ja weitergeben könnte). Der einzige wirksame Schutz ist, die zugreifbaren Daten zu reduzieren.
@rufposten @accrescent @GrapheneOS
Auf der anderen Seite ist es deutlich differenzierter: Bei FOSS Apps guckt man einfach was sie machen und die Berechtigungen sind quasi nebensächlich, bei proprietären Apps gilt zwar die Annahme, dass sie womöglich die Daten "falsch" verwenden, aber ein Nachweis dazu macht es eben doch noch schlimmer. Dazu kommt, dass man einem kleinen, lokalen Unternehmen anders Daten zugesteht als etwa Apple oder Google (wo Missbrauch stärker vermutet wird).
@rufposten @accrescent @GrapheneOS
Meiner Erfahrung nach sind diese Gruppen auch regional verschieden. In US findet man erstere Einstellung häufiger, in DE eher letztere.
Beide Seiten haben irgendwie recht, es ist halt einfach nur ein anderer Fokus. Vielleicht sollte man unterschiedliche Begriffe für diese Beiden Einstellungen finden, damit es keine Verständnisprobleme gibt.
@pixelschubsi @rufposten @accrescent
That's really not actually how open source works and how it influences privacy and security. It is not easy to determine what apps do even with full access to the sources, let alone if they are private and secure.
Sandboxing and permissions are certainly relevant to open source apps. They are very relevant within the OS too. Sandboxing and the principle of least privilege is used throughout the OS and is immensely important. Open source doesn't change this.
@pixelschubsi @rufposten @accrescent
You're still trusting the developers of open source apps with access to whatever you trust them with. The app being open source or built by someone else doesn't mean you aren't trusting the people who developed it. The fact that serious vulnerabilities persist for so long in open source projects before being discovered and fixed disproves the idea that an intentionally hidden privacy or security hole would be discovered because they're open source.
@pixelschubsi @rufposten @accrescent
Open source provides no inherent privacy and security properties itself, only easier review of the code. That doesn't mean there is actually any significant review of the code in practice. It only helps to enable it, which usually doesn't happen for most open source projects. It does not prevent the developers putting in shady code and does not mean it will be quickly discovered. It can in fact play a role in hiding it through unwarranted trust.
@GrapheneOS @rufposten @accrescent
I'm not saying that FOSS has better privacy just because it's FOSS, but also we know that in practice, this is the case. The average FOSS app is more privacy friendly. If you install 10 random apps listed on F-Droid, you're likely to end up with 10 somewhat privacy-friendly apps (especially if you have the filter for anti-features enabled). If you install 10 random apps from Play Store, about half of them probably perform tracking that is illegal in the EU.
@pixelschubsi @rufposten @accrescent If you install 10 apps from F-Droid, you have 10 apps where you receive delayed privacy/security patches from the developers, which are built with outdated tools/SDK with vulnerabilities often being introduced and where a group of highly untrustworthy people involved in incredibly underhanded attacks on projects like GrapheneOS and our userbase have control of the signing keys for ~9/10 of those and are capable of shipping malware if they choose to do it.
@pixelschubsi @rufposten @accrescent F-Droid is not a good way of obtaining open source apps. It also has a strange selection of the open source Android app ecosystem heavily weighted towards obsolete, no longer maintained apps and with a huge number of high quality modern apps not included.
F-Droid is not the open source Android app ecosystem. It's a poor way to access that ecosystem. It's not secure and it's not trustworthy. There are better ways to get open source apps.
@GrapheneOS @rufposten @accrescent
I just took F-Droid as an example source for FOSS apps and not to discuss issues F-Droid has, which (while they exist and are relevant) are no excuse to not realize that FOSS apps - as they exist in reality - are on average significantly more privacy-friendly than proprietary apps with known included tracking.