IzzyOnDroid Android App Repository

An F-Droid Repo for free Android Apps

This is an F-Droid style repository for Android apps, provided by IzzyOnDroid. Applications in this repository are official binaries built by the original application developers, taken from their resp. repositories (mostly Github).

If you are an open-source developer and wish your app(s) included, be welcome to contact me – which is ideally done via the Maintenance Repo at GitLab where you can also find the inclusion policy. Other ways to contact me can be found e.g. from the Imprint at the IzzyOnDroid Android site.

DISCLAIMER: I have not thoroughly checked the .apk files available here. As stated above, they are directly taken from the repositories of their resp. developers. Some basic measures are taken, though (see the Security section below). Still, use this repo at your own risk: I will take no responsibility whatsoever for any damages which might occur as result (not saying there will be any, though). Further note the inclusion policy of this repo (see the link above) is slightly less strict than F-Droid’s.

If you still wish to use this repository with your F-Droid client, this is the URL you should use to add it:

https://apt.izzysoft.de/fdroid/repo

If you want to make sure it's the right one (and nobody played with DNS). you can use additionally enter this fingerprint in the appropriate field of your F-Droid client: 3BF0D6ABFEAE2F401707B6D966BE743BF0EEE49C2561B9BA39073711F628937A. Or, both combined (as the QR code on the main page does it):

https://apt.izzysoft.de/fdroid/repo?fingerprint=3BF0D6ABFEAE2F401707B6D966BE743BF0EEE49C2561B9BA39073711F628937A

If you open that URL with your browser on a mobile device having the F-Droid client installed via scanning of the QR code, you will be asked to open it with the F-Droid app, which then directly offers to add the repo – just asking you to confirm.

How do apps come into this repo?

From time to time, I check on Github, GitLab and Codeberg for repositories featuring Android apps which are not part of the main F-Droid repository, but have .apk files along with the code. If such an app seems useful, has been updated not too long ago (at least within the last 12 month), and seems legit, I take a raw look at the .apk file (do the permissions look appropriate, are there and „crazy indicators“ making it look strange) – and if it passes, it gets added.

Of course I won't find them all: some serve their .apk files along with the releases/ (which I favor), some simply have them amongst the repository files (acceptable), some do not have any at all, and I'm afraid I've missed a lot. So I'm open to suggestions. To be accepted, good candidates must meet the inclusion policy already mentioned above.

If you know an app that would fit those criteria but is not listed in this repo (nor in the official one), you're welcome to visit the repo’s GitLab presence (where the full conditions are listed, so please make sure to read them first) and file an issue (please use the template, which is preselected; you can reset it if you instead need to file an issue for a problem you experience with this repo), specifying the necessary details.

What about updates?

Read between the lines above: if the .apk files were served in the releases/ resp. tags/ tree and are properly tagged for all versions, I have a script that runs automatically in regular intervalls to check for and download updates. For those apps, it works pretty well. Some other apps must be checked manually, which I don't do on a regular base (but those are few).

How many versions are kept?

Usually up to 3 versions per app are kept in the repository, but in sum they shall not exceed the „hard limit“ mentioned with the inclusion criteria. If a newer version is released after that, the oldest version is automatically purged. And no, I currently do not plan keeping a second „Archive Repo“ for older versions.

Do apps get removed from your repo?

This indeed may happen. Apps might get „kicked out“ if it gets obvious something „bad“ slipped in – e.g. by users reporting bad behavior of an app installed from here – or the developers have added too many proprietary libraries, trackers etc. (once more, see above inclusion criteria).

I might also decide to drop an app which hasn't been updated for a long time, no longer provides .apk files despite of new releases, or lost its value for other reasons (e.g. the service behind it went out of business); especially for the latter I must rely on the support of those using the repo to report broken apps. But generally, I plan no „purge actions for dubios reasons“. Especially I don't have the policy of excluding Ad-Blockers and the like ;)

Another reason for an app getting removed from my repo is if it was added to the „official F-Droid repository“. Removal then mainly is to avoid confusion at the users' end, due to signature mismatch on updates (if they installed an app from the official repo, signed with F-Droid's key, and an update rolls in earlier via my repo – which is usually the case – there'd be a warning displayed if they'd try to apply that update). In some cases an app still stays with my repo; usually it then uses reproducible builds so there'd be no signature mismatch.

Apart from that, I tend to let the users of the repo have a word on that, too. So you can find details e.g. in this poll. I might start more of them in the future.

What about security?

For this, two actions are taken:

Malware scan

Apps in this repo are scanned for malware, using the services of VirusTotal. VirusTotal currently runs more than 60 engines to check files, which is quite some coverage. However, results differ between engines: some are more prone to „false positives“ than others, and some even report ads as malware (we might tend to agree on that). So results might look different – and here's how they are presented for each file in this repo (for other repos supported by this repo browsers, no such shield is available):

Except for the „pending“ shield, the label will always link to the corresponding detail page at the VirusTotal website. Feel encouraged to check that. If a file is marked by a yellow or red shield, also check the app's description, which might hold further hints. Sometimes a finding might be „normal“ (e.g. a vulnerability test suite could easily trigger a „false alert“, as described above). Moreover, some scanners thread a „PUA“ (potentially unwanted addon/application) as alert – as indicated above.

Library scan

APK files are also checked for libraries they are using. This is done locally, using LibRadar (plus some additions of mine). Findings are grouped into three categories:

You will not only find the categories and names of libraries, but also some additional details: which permissions are found accessed by them is the most interesting part here. Where available, a link is given to their resp. websites/pages. Additionally, for most of the libraries there're additional details available, indicated by an icon and revealed by clicking on it:

Signature verification

APKs in this repository are signed by their respective developers/authors. To ensure nobody placed a malicious APK into their realm which this repository here then would distribute, the signature of their signing key is recorded when the app is first added – and then compared to each update fetched. Should the signature check fail, that APK will not be included with the index, but a warning is sent to its administrator (me) to check what happened (I will then contact the respective developer(s) to find out).

For some background: what would cause the check to fail? The check would fail when a different signing key was used to sign the APK. This could e.g. be the case if a developer lost their key (and thus had to create a new one), which unfortunately happens (and is the most usual reason for this mess). But it could also indicate that someone else signed the APK, somehow got access to the developer's account, and placed it there. So we're better safe than sorry.

So what if that check would not be in place? If you already had the app installed before, your Android system would do exactly the same: reject an APK if the signature doesn't match that of the installed version. But if this were the first time you'd install an app, Android would permit the installation (it has no records of a previously used key), and thus potentially put you in danger. We don't want that, right?

Talking about Javascript: How safe is your site?

There's no such thing as „absolute safety“ or „100% security“, but I did my best also in this regard. No 3rd party sources, especially no Javascript. But don't decide on my word alone, check the following sources which checked this site:

Binary Transparency Log

Those logs allow you e.g. to verify that the APK you got from this repo wasn't specifically tailored for you (aka „Bundestrojaner“ or „targeted backdoors“) but indeed was regularly published. This repo publishes its transparency logs via a git repo – a step happening automatically whenever a new index is being deployed. For more details on this, see e.g.:

You can find similar transparency logs in use by the Guardian Project (which also maintains one for F-Droid.org), Debian, and others.

You can find some details here on how to reach me with „goods“ e.g. via SEPA payment or Bitcoin. If you use a mobile wallet (e.g. „Bitcoin Wallet”, which you can find at F-Droid), it's as simple as scanning the QR Code next to this paragraph, enter a value, and send the transaction. Should the image be too small, just click it for a larger one.

LiberaPay