Spyke

How much can popular FOSS apps be trusted for permissions?

In my use case, examples are KDE Connect (phone and Linux laptop communication), FMD (remote locate or control lost degoogled phone) and Kvaesitso (amazing homescreen).

Some of them ask "hard" permissions like accessibility, read notifications, extensive device control, and so on.
I definitely understand why they need them; it's not like some Play Store calculator app that somehow needs access to my GPS and contacts ;)

Also, only popular apps get some privileges from me, because there is more code monitoring in bigger projects I guess.

But I also see them as a possible attack vector, especially stuff like remote factory reset via SMS (I didn't activate that feature btw).

I'm a bit torn apart.
Physical phone security is important of course. If I lose my phone somewhere, or it gets stolen, locating and ringing it could be extremely useful.
Same with amazing features that make my life easier.
On the other hand, this much power can escalate quickly (haxxor pushing malicious code in an update for example) and leaves me a bit vulnerable.

How do you handle this?

How much can we trust in good faith, checks and balances of software?

View original on slrpnk.net

If it's something with a solid reputation and a history of good code curation, maybe backed by a non-profit foundation (e.g. FUTO, KDE's mobile apps), I don't have any issue allowing whatever permissions it requests right off the bat.

If something ever happened with KDE Connect, there'd be hellfire and shouting all over the internet for miles and miles. KDE is one of the organizations that actually has the resources and manpower to properly vet contributions. KDE hosts their own git client, with their own credentials, and their own dedicated team (a bad actor can't just push a harmful update directly without humans reviewing it). They've also been doing this for longer than I've even been alive, they don't ask for a profit, and they make a damn good desktop environment, so I guess I feel comfortable trusting apps from their F-Droid repo xD

You could spend time manually reviewing the source for every FOSS application you install, which isn't a terrible idea. But at the end of the day it does matter to an extent how much you trust an individual / organization, and how open that individual / organization is to the community.

4

Everything should be minimum required. If something asks for a permission you don't think it needs, and can't explain it, don't trust it.

15
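A concrete way to apply the "minimum required" rule to the kind of grants the question mentions (location, SMS, accessibility, notification access): audit what an installed app actually holds instead of guessing. This is an added example, not code from the thread or from any of the apps named; the inputs are constructed samples shaped like `adb shell dumpsys package <pkg>` and `adb shell settings get secure <key>` output, and `org.example.finder` is a placeholder package name.

```python
"""Audit the permissions and special-access grants an Android app holds.
Constructed sample input below; on a real device you would feed in the text of
`adb shell dumpsys package <pkg>` and the two `settings get secure` values."""
import re

# Grants that hand an app broad control or sensitive data; review these first.
HIGH_IMPACT = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.READ_CONTACTS", "android.permission.SYSTEM_ALERT_WINDOW",
}

# Matches both bare "requested permissions" lines and "<perm>: granted=true/false" lines.
PERM_RE = re.compile(r"^\s+(android\.permission\.[A-Z_]+)(?::\s*granted=(true|false))?", re.M)

def parse_dumpsys(text: str) -> dict:
    """Return {permission: True|False|None}; None = requested, no grant line seen."""
    perms = {}
    for name, granted in PERM_RE.findall(text):
        if granted:
            perms[name] = granted == "true"
        else:
            perms.setdefault(name, None)
    return perms

def has_special_access(pkg: str, setting: str) -> bool:
    """Secure settings list enabled services as 'pkg/class:pkg/class'."""
    return any(e.split("/")[0] == pkg for e in setting.strip().split(":") if e)

def audit(pkg: str, dumpsys_text: str, a11y_setting: str, listener_setting: str) -> dict:
    perms = parse_dumpsys(dumpsys_text)
    return {
        "granted_high_impact": sorted(p for p, g in perms.items() if g and p in HIGH_IMPACT),
        "requested_not_granted": sorted(p for p, g in perms.items() if g is not True),
        "accessibility_service": has_special_access(pkg, a11y_setting),
        "notification_listener": has_special_access(pkg, listener_setting),
    }

# Constructed sample: a "find my device" style app with location granted, SMS denied,
# and an enabled accessibility service (the kind of "hard" grant the thread discusses).
SAMPLE_DUMPSYS = """\
  Package [org.example.finder] (deadbeef):
    requested permissions:
      android.permission.RECEIVE_SMS
      android.permission.ACCESS_FINE_LOCATION
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
        android.permission.RECEIVE_SMS: granted=false, flags=[ USER_SET]
"""
SAMPLE_A11Y = "org.example.finder/org.example.finder.ControlService:com.other/.Svc"
SAMPLE_LISTENERS = "com.other/.NotifSvc"

if __name__ == "__main__":
    print(audit("org.example.finder", SAMPLE_DUMPSYS, SAMPLE_A11Y, SAMPLE_LISTENERS))
```

Anything in `granted_high_impact` or either special-access flag is what you should be able to explain from the app's purpose; if you can't, revoke it.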

If, like me, you can't read source code, I would trust it the same as a closed-source app.

8

Have been completely degoogled, trust FOSS more than Google Play.

Don't have a single app from the Play Store myself.

108 apps on my graphenephone are from FOSS platform

8
