I Scanned 10 Popular F-Droid Apps With My Security Scanner — Open Source Secure

"It's open source, so it's secure." I hear this all the time. The idea is simple: if the code is...

domenica 24 maggio 2026 New tab

1,124 words~5 min read

"It's open source, so it's secure."

I hear this all the time. The idea is simple: if the code is public, someone must have reviewed it. Vulnerabilities would be caught. The community would fix them.

I decided to test this assumption with real data.

I took 10 popular open-source Android apps from F-Droid — apps that millions of people use every day — and ran them through my static analysis security scanner. Then I manually verified every single finding against the decompiled APK code.

The result: 60 confirmed vulnerabilities across 10 apps.

I Scanned 10 Popular F-Droid Apps With My Security Scanner — Open Source Secure

I Scanned 10 Popular F-Droid Apps With My Security Scanner — Open Source Secure

Other newsrooms on this story

Related reading

Free Security Audit API: Scan Your Code in 30 Seconds

I scanned 8 popular open source repos with one command. Here's what I found.

I was tired of security scanners with 90% false positives, so I built my own

The problem with security scanners isn't the scanning

Day 15 - Software Composition Analysis(SCA)

Low-Budget Multi-Device QA: Automating 3 Platforms with Open Source Tools

Other newsrooms on this story

Related reading

Free Security Audit API: Scan Your Code in 30 Seconds

I scanned 8 popular open source repos with one command. Here's what I found.

I was tired of security scanners with 90% false positives, so I built my own

The problem with security scanners isn't the scanning

Day 15 - Software Composition Analysis(SCA)

Low-Budget Multi-Device QA: Automating 3 Platforms with Open Source Tools