F-Droid
F-Droid is a free and open-source Android app repository that has been distributing FOSS applications since 2010. It operates as a non-profit volunteer project, offering over 4,000 apps without tracking, advertising, or developer fees. F-Droid verifies that all hosted apps are free software, scans for proprietary trackers, and is increasingly adopting reproducible builds. It is funded by community donations and grants from organizations like the Open Technology Fund.
Score generated by AI agents based on publicly cited evidence and reviewed by the project maintainer. Not independently validated.
Score History
Timeline events are AI-curated from public reporting. Score trajectory is derived from documented events.
Ciaran Gultnieks launches F-Droid as a small alpha-stage FOSS app repository forked from Aptoide's client. The project has a tiny catalog, no formal governance, and relies entirely on one volunteer developer. The non-profit, FOSS-only model means zero scores across monetization, lock-in, and extraction dimensions, but the limited catalog and nascent infrastructure create minor user value and governance concerns.
F-Droid gains recognition through the FSFE Free Your Android campaign and Guardian Project partnership, but growing pains emerge. The TextSecure incident exposes risks in F-Droid's build delay and APK signing model. The project remains entirely volunteer-run with no formal governance, creating sustainability concerns even as the catalog and user base grow steadily.
F-Droid undergoes its first security audit by Cure53, begins shipping reproducible builds, and fixes all identified vulnerabilities. The GNU Project's endorsement and growing catalog strengthen the project's position. While volunteer governance remains informal, the security audit process introduces external accountability and the OTF relationship provides occasional funding for infrastructure work.
F-Droid reaches its 10th anniversary with a growing catalog and NLnet-funded tracker detection tools. The second security audit confirms the core model is sound, and Liberapay integration improves sustainability. However, the project still runs on aging build infrastructure, volunteer labor remains unpaid, and the outdated API level 25 in the main client draws growing security criticism from the privacy community.
F-Droid formalizes governance with an inaugural board of directors under The Commons Conservancy, the index-v2 format dramatically improves update efficiency, and F-Droid Basic launches to address API level security concerns. Reproducible builds grow 10x to 191 apps. The Calyx Institute sponsors build infrastructure work, and CalyxOS ships F-Droid by default. The project is professionalizing while maintaining its non-extractive model.
F-Droid celebrates 15 years while facing its greatest external threat: Google's developer verification decree. The project secures $396,044 from the OTF (though funding is threatened by the Trump administration), joins the EU Mobifree consortium, hires its first project manager and grant administrator, and replaces its 12-year-old build server to achieve twice-daily updates. D8 ticks up to 1 as Google's policy creates competitive pressure the project must navigate through advocacy and coalition-building.
Alternatives
The default Android app store with millions of apps, including all commercial software F-Droid cannot host. Requires a Google account and collects extensive user data. Scored 61 here (Severely Enshittified). Easy switch but represents the opposite privacy tradeoff.
Open-source client for the Google Play Store that provides access to the full Play catalog without a Google account. Complements F-Droid by covering non-FOSS apps. Available directly from F-Droid. Easy to use alongside F-Droid rather than as a replacement.
Dimensional Breakdown
Summaries below were written by AI agents based on the cited evidence. They are editorial interpretations, not independent research findings.
Timeline (41 events)
Ciaran Gultnieks Launches F-Droid Alpha Repository
British developer Ciaran Gultnieks publishes the first blog post on f-droid.org, announcing an alpha-stage FOSS-only Android app repository. The client is forked from Aptoide's open-source code. The project emphasizes automated compilation from upstream sources to promote verifiable free software apps.
FSFE Features F-Droid in Free Your Android Campaign
The Free Software Foundation Europe launches its 'Free Your Android!' campaign, prominently featuring F-Droid as the recommended alternative app store. The campaign raises awareness of privacy and security risks of proprietary mobile software and encourages adoption of free software on Android devices.
Guardian Project Launches Own F-Droid Repository
The Guardian Project, a suite of free and secure Android applications focused on privacy and circumvention tools, starts running its own F-Droid-compatible repository. This establishes the model of third-party repositories that would become central to F-Droid's decentralized architecture.
TextSecure Security Flaw Exposed in F-Droid Distribution
Security researcher Moxie Marlinspike criticizes F-Droid for distributing outdated versions of TextSecure containing a known bug that logged received messages in plain text. F-Droid removes the application at Marlinspike's request. He further criticizes F-Droid's handling of the disclosure and the practice of signing APKs with F-Droid's own keys rather than the developer's keys.
GNU Project Features F-Droid in 30th Anniversary Campaign
F-Droid is chosen as part of the GNU Project's 'GNU a Day' initiative during their 30th anniversary celebration. The campaign features F-Droid as Day 9, recommending Android users install it as a repository with hundreds of free software apps, lending significant credibility from the free software movement's founding institution.
First Security Audit by Cure53 Confirms Core Model Sound
Cure53 conducts F-Droid's first full security audit, funded by the Open Technology Fund. The audit covers the server-side implementation, Android client app, and WordPress plugin. Critical issues are found in the website and opt-in beta features, but the core security model for distributing apps via the Android client is confirmed as solid. All vulnerabilities are fixed by version 0.89.
F-Droid Begins Delivering Reproducible Builds
F-Droid starts shipping reproducible builds, enabling independent verification that distributed APKs match their source code. This is a significant step toward eliminating the trust requirement in F-Droid's signing process. Initially only a handful of apps are built reproducibly, but the capability establishes a foundation for future trust improvements.
Reproducible Build Process Allows Developer-Signed APKs
F-Droid enhances its reproducible build infrastructure to let developers use their own signing keys via the reproducible build process. This addresses the longstanding criticism that F-Droid signs all APKs with its own key, allowing users to verify that F-Droid's build matches the developer's original exactly.
F-Droid Adds Liberapay Support for Developer Donations
F-Droid integrates Liberapay as a free software donation platform, enabling users to support app developers directly through F-Droid's interface. This strengthens the ecosystem's sustainability model by directing funding to individual FOSS developers without any intermediary fees.
Second Security Audit by Radically Open Security Completed
Radically Open Security conducts F-Droid's second full security audit, funded by the Open Technology Fund via NLnet. The audit confirms the core security model and standard operations are solid. Issues identified in the build process relate to reliance on manual review by trusted contributors. The audit is published transparently.
NLnet-Funded Tracker Detection Uses Machine Learning
F-Droid launches the 'Tracking the Trackers' project with a 44,500 EUR NLnet grant. The project applies machine learning to detect tracking and advertising libraries in Android apps, drastically speeding up the audit process. The tools build on collaboration with Exodus Privacy and LibScout, developed with students at Vienna Economics University.
F-Droid Completes Free Software Donation Platform Integration
F-Droid completes integration of Open Collective and Liberapay across the ecosystem, prioritizing free software funding platforms and reducing visibility of proprietary donation options. The project enables developers to receive donations through their app listings, supporting FOSS sustainability without extractive intermediaries.
F-Droid Celebrates 10th Anniversary
F-Droid marks 10 years since founder Ciaran Gultnieks published the first repository announcement. By this point, the project has grown from a small FOSS hobby repository to a globally recognized alternative app distribution platform used by privacy-focused Android users worldwide.
F-Droid Implements Clean Insights Opt-In Privacy Metrics
F-Droid integrates Guardian Project's Clean Insights framework for privacy-respecting metrics. The system is entirely opt-in, requires enabling Expert Mode first, strips all personally identifiable information including IP addresses and user agents, and submits weekly JSON reports via the user's preferred network settings, including Tor support.
Filecoin Foundation Grant Funds Decentralized Distribution
Guardian Project receives a grant from the Filecoin Foundation for the Decentralized Web to add IPFS and Filecoin support to F-Droid's repository infrastructure. The work includes breaking out client logic into reusable libraries, setting up a full f-droid.org archive on IPFS, and enhancing nearby/app-swap capabilities using libp2p.
Calyx Institute Sponsors Build Server Overhaul
The Calyx Institute sponsors 42 hours per month of work on F-Droid's build infrastructure, funding the upgrade from 5-year-old Debian Stretch to Bullseye. Since CalyxOS ships F-Droid by default, Calyx has a direct interest in reliable app builds. The sponsorship covers build process modernization and signing automation improvements.
Replicant Project Removes F-Droid Over FSDG Compliance
The Replicant free software Android distribution removes F-Droid from its default installation, citing non-compliance with GNU Free System Distribution Guidelines. Replicant had raised the issue in 2016 regarding apps with anti-features that do not meet strict FSDG standards, but progress on resolving the concerns stalled.
Third Security Audit Covers New Index-v2 Format
Radically Open Security completes F-Droid's third security audit, funded by NLnet, focusing on the new index-v2 work in the Android client and the new front-end webserver setup. Findings include XML External Entity vulnerabilities, outdated TLS protocols, and insecure encryption modes in the client. No issues are found in the webserver setup. The full report is published transparently.
F-Droid Publishes Reproducible Build Roadmap and Progress
F-Droid publishes a detailed blog post on progress toward reproducible builds, reporting approximately 20 apps built reproducibly in November 2022. The post outlines plans to dramatically increase adoption and establishes the goal of making reproducible builds the default rather than the exception.
New Index-v2 Repository Format Reduces Update Size by 99%
F-Droid releases client version 1.16 with support for the new index-v2 format using JSON and RFC 7396 JSON Merge Patch. Diff files are only 80 KB compressed versus the full index, reducing bandwidth by 99%. The format also adds localizable anti-features, categories, and SHA256withRSA signing, replacing the legacy JAR-based index.
F-Droid Establishes Formal Board of Directors
The F-Droid community formally adopts a governance plan and inaugural board of directors under The Commons Conservancy, a Netherlands-based nonprofit foundation. Board members serve staggered 2-year terms: Morgan Lemmer Webber (Chair), John Sullivan (Vice Chair), Michael Downey (Treasurer), Matthias Kirschner, Andrew Lewman (Clerk), and Max Mehl.
F-Droid Client Libraries Published for Third-Party Integration
F-Droid publishes its core client libraries for use by third-party projects like CalyxOS, enabling any app to embed F-Droid repository functionality. This modularization of F-Droid's client logic makes it easier for alternative Android distributions and apps to integrate FOSS app distribution without reinventing the infrastructure.
F-Droid Basic Launches as Minimal Privacy-Focused Client
F-Droid Basic version 1.23.0 is released as a minimal client with a reduced feature set, targeting Android 13 and supporting unattended updates without privileged extension or root. It drops features like nearby share and panic mode to minimize attack surface, addressing security community criticism of the main client's outdated API level.
Reproducible Builds Grow 10x to 191 Apps
F-Droid reports that reproducibly built apps have grown from about 20 in November 2022 to approximately 191 by September 2023 — a nearly 10x increase. The blog post explains the signing key model and how reproducible builds allow developer-signed APKs to be distributed through F-Droid, directly addressing the trust concerns around F-Droid's own signing key.
CalyxOS Proposes Sponsoring F-Droid Client Maintainer
CalyxOS proposes to officially sponsor a maintainer position for the F-Droid Android client, reflecting the growing dependency of privacy-focused Android distributions on F-Droid's infrastructure. CalyxOS ships F-Droid Basic by default and drops special privileges for the main F-Droid client in favor of the Basic variant.
F-Droid Publishes Webserver Privacy Design with IP Stripping
F-Droid documents its webserver privacy design, which replaces IP addresses with country codes in server logs based on Guardian Project's Clean Insights research. Servers delete log data after 14 days. The configuration has been running for over a year, demonstrating F-Droid's commitment to minimizing user data collection even at the infrastructure level.
Board Expands with Three New Directors Across Three Continents
Juliana Sims, Peter Serwylo, and Sebastian Crane are appointed to the F-Droid board for two-year terms, replacing departing founding director Max Mehl. The appointments bring geographic diversity with directors from Australia, the USA, and Britain. Sebastian Crane succeeds Morgan as Chair, and the board plans new subcommittees.
Client 1.20 Ships Repository Management Overhaul
F-Droid client version 1.20 delivers a massive overhaul of repository management. Users can now see which repository each app comes from, choose between repositories when an app is available from multiple sources, and reorder repository priorities. This makes third-party repositories like IzzyOnDroid safer and more transparent to use.
F-Droid Joins EU Mobifree Project with 4.4 Million EUR Grant
F-Droid becomes a primary partner in Mobifree, an EU Horizon Europe-funded project with 4.4 million EUR to develop ethical mobile software alternatives. F-Droid's role includes contributing to FOSS app distribution, building Appiverse (a catalogue of F-Droid-compatible repositories for interoperability), and creating APIs for alternative distributors.
F-Droid Signs Open Letter Defending EU NGI Funding
F-Droid co-signs an open letter by Les Petites Singularites calling on the European Commission to maintain Next Generation Internet funding. The letter warns that a draft Horizon Europe working document for 2025 omits NGI, which has funded over 500 FOSS projects since 2020 including multiple F-Droid initiatives through NLnet.
Security Researcher Publishes APK Signing Key Bypass PoC
Security researcher obfusk publishes a proof-of-concept demonstrating multiple bypasses of fdroidserver's AllowedAPKSigningKeys certificate pinning. The PoC exploits differences between how apksigner validates APK signatures and how fdroidserver extracts certificates, allowing an attacker to construct valid signatures that fdroidserver matches to the wrong certificate.
F-Droid Awarded $396,044 OTF FOSS Sustainability Grant
F-Droid receives a $396,044 grant from the Open Technology Fund's FOSS Sustainability Fund for a 24-month program. The grant funds Android client refactoring, internal tooling modernization, governance strengthening, donation infrastructure improvements, localization workflows, and policies for handling government takedown requests.
Trump Administration Threatens OTF Funding for F-Droid
USAGM senior advisor Kari Lake announces termination of the Open Technology Fund's federal grant following a Trump executive order to reduce agency functions. The OTF, which had awarded F-Droid $396,044, sues to preserve its $43.5 million in congressionally approved 2025 funding. The threat endangers internet freedom tools including F-Droid, Tor, and Let's Encrypt.
F-Droid Makes Reproducible Build Status Visible Per App
F-Droid adds a 'Reproducibility Status' link to every app page on f-droid.org, funded by NLnet. A verification server shows whether each APK was successfully reproduced. By end of 2025, approximately 21% of the 4,061 apps in the main repository are built reproducibly and signed by developers.
F-Droid Launches Legal Resilience Research Series
With OTF funding, F-Droid begins publishing a legal resilience research series covering takedown processes, government information requests, contributor liability, jurisdiction, and transparency. The research draws on interviews with legal experts, nonprofit infrastructure providers, and digital rights organizations, shared openly for other FOSS projects to benefit from.
Google AGP 8.12.0 Breaks Builds on F-Droid Server Hardware
Google's new aapt2 binary in Android Gradle Plugin 8.12.0 begins requiring CPU instructions (SSE4.1, SSSE3, BMI1) that F-Droid's build farm hardware does not support, breaking builds for hundreds of apps. F-Droid advises developers to downgrade to AGP 8.11.1 while pursuing a server hardware upgrade funded by community donations.
F-Droid Calls Google Developer Verification an Existential Threat
F-Droid publishes a detailed analysis of Google's developer verification decree, which would require all Android app developers to register with Google by September 2026. F-Droid calls this an 'existential threat' to alternative app stores, noting it would force anonymous open-source contributors to submit government-verified personal information and could end F-Droid's ability to distribute apps on certified Android devices.
F-Droid Publishes DMA, DSA, and Online Safety Act Analysis
F-Droid publishes detailed analysis of how the EU Digital Markets Act, Digital Services Act, and UK Online Safety Act affect independent FOSS app stores. The analysis concludes F-Droid is not a 'very large online platform' under any framework but has some DSA obligations as a service accessible within the EU. The research is shared openly for other FOSS projects.
F-Droid Challenges Google's Sideloading Narrative
F-Droid publishes 'What We Talk About When We Talk About Sideloading,' arguing that Google's use of the term 'sideloading' is deliberately designed to make installing software from non-Google sources sound illicit. F-Droid points out that Google's claim that 'sideloading is not going away' is misleading given the developer verification requirements.
New Build Server Doubles Update Frequency to Twice Daily
F-Droid replaces its 12-year-old core build server with new hardware funded entirely by community donations. Update frequency improves from once every 3-4 days in early 2025 to twice daily by December. The server is physically controlled in a data center by a long-time contributor with proven security credentials.
F-Droid Co-Signs Open Letter Opposing Developer Verification
F-Droid joins the Electronic Frontier Foundation, Free Software Foundation Europe, Software Freedom Conservancy, Proton AG, and dozens of other organizations in signing an open letter at keepandroidopen.org opposing Google's mandatory developer verification. The letter argues the policy will impact hundreds of governments, millions of businesses, and billions of citizens.