F-Droid’s Week 22 update is less about one headline app and more about operational drift: apps gained permissions, dropped old Android support, added ML features, changed sync behavior, and expanded privacy-sensitive workflows. For mobile security, that is the useful reading of a long changelog.
The update also repeats F-Droid’s wider warning that Android app distribution is under pressure from Google’s installation changes, pointing readers to KeepAndroidOpen.org. That context matters, but the immediate work is local: check what changed on the apps you actually run.
What changed#
F-Droid’s “This Week in F-Droid” post for 29 May 2026 is a dense weekly roundup. It lists major updates, newly added apps, and a large tail of smaller app updates. The signal is not in the total count. It is in the kinds of changes landing across the repository.
Several apps received substantial feature updates. ArcaneChat was updated with many fixes and improvements. Calls are no longer experimental, channels are no longer experimental, location streaming was improved, translations were updated, and the app also saw design fixes, sync optimisations, chat filters, room tags, thumbnail control, and push notification changes for multi-account use.
A media app, now renamed from a more generic earlier name, received a very large changelog after features took time to stabilize and become fully FLOSS. The F-Droid note mentions maps integration, INTERNET permission use, optional ML features, app sandboxing processing, 360-degree support, vault overhaul, markup, album groups, FCast, private folder, timeline, subtitles, and new video controls. That is exactly the kind of update users should not treat as “just a new version.” It changes what the app can do, what it can access, and what the user may need to trust.
ProofMode-related work also appears in the roundup, including WebDAV server support and bug fixes. The source describes the app as useful for documenters, archivists, journalists, and advocates working in complex technological and human situations. That is a higher-stakes user group than casual utility software. In that context, small workflow changes can affect evidence handling, backup habits, and privacy risk.
Other updates are more ordinary but still worth noting. A game update mostly concerns the game itself, while the Android side gained a new settings screen and quality-of-life improvements for touch screens. If the game fails after update and complains about missing game files, F-Droid suggests reimporting the game data files. Another camera translation app added live camera translation, while some older Android users saw crashes that the developer has reportedly fixed, with the next release still pending at the time of the F-Droid post.
Gitnex, a client for Forgejo and Gitea, received a UI overhaul. Another Git-related app update touches mobile interaction with GitLab. There are also bug fixes and saved-signature export as PNG in another listed app. The new app list includes tools for Work Profiles, VPN/proxy detection, call verification against deepfake impersonation, SSH/SFTP, LAN file sharing, private AI chat, on-device translation, household management, offline health tracking, two-factor authentication, and privacy scoring.
That mix is the story: the repository is not only games and simple utilities. It now contains many apps that sit near identity, location, communications, media evidence, AI workflows, and network routing.
Why it matters for mobile security#
Open source distribution reduces one class of trust problem, but it does not remove operational risk. F-Droid users often prefer APKs built from visible source rather than opaque release uploads. That is a rational trust model. It still leaves the user with normal mobile security work: permissions, network access, update behavior, OS age, account exposure, and backup choices.
The most obvious example in this roundup is app permissions. When an app adds maps integration and begins using INTERNET permission, that may be justified. It may also change the privacy model. A media app that was previously local-first in practice can become a network-capable app after an update. Optional ML features can be useful, but they also raise questions about where processing happens, what models are used, and whether content leaves the device. The F-Droid summary says optional ML features and app sandboxing processing are part of the changelog, but readers should verify the details in the app’s own release notes before assuming the safest interpretation.
Old Android support is another practical issue. The source notes that one app dropped Android 5 support while fixing annoyances and technical debt. That is not automatically hostile to users. Supporting very old Android versions can limit maintainability and security posture. But for people stuck on old devices, the impact is direct: updates stop, app compatibility narrows, and the device becomes harder to keep in a safe operating state.
F-Droid points readers toward finding a newer compatible Android distribution, with the LineageOS Wiki mentioned as a possible guide, or buying a newer device if finances permit. That advice is grounded. It is also unevenly available. Some users can unlock, flash, and maintain a community ROM. Others cannot, because of locked bootloaders, missing builds, regional device variants, or risk tolerance. Treat “install a newer distribution” as an option to evaluate, not a universal fix.
The update also matters because several listed apps operate in sensitive contexts. Tools for journalists, advocates, digital forensics, private chat, call verification, VPN detection, Work Profiles, and two-factor authentication are not interchangeable with a flashlight app. A bad permission choice, weak backup setup, or misunderstood sync feature can expose sources, identities, location patterns, or recovery codes.
What to check before updating or installing#
Start with the apps you actually use. A long F-Droid update list is not a call to audit everything. It is a prompt to inspect the software that touches your messages, files, identity, network path, location, camera, microphone, or authentication.
For each important app, check the update notes and permission changes. Pay special attention to new network access, location features, camera use, microphone use, storage access, push notifications, account sync, and backup/export features. If an app added INTERNET permission, ask what feature needs it and whether the app remains usable without that workflow.
For Android security, check your OS version against the app’s supported range. If an app drops support for your Android version, do not assume the old build remains safe indefinitely. It may keep working, but it will miss future fixes. If you are on Android 5 or another old release, check whether your device has a maintained alternative ROM, whether your bootloader can be unlocked, and whether you can tolerate the failure modes of flashing. If not, plan around reduced trust: fewer sensitive apps, less stored data, stronger account recovery hygiene, and no assumption that app updates will save the device.
For communications and evidence apps, test workflows after updating. Calls, channels, push notifications, WebDAV export, media vaults, private folders, and sync optimisation can change the failure pattern. A feature that works in a normal chat may fail under bad connectivity, multiple accounts, low storage, or aggressive battery management. Security operations depend on boring reliability.
For AI and ML-related apps, separate three questions. Is the feature optional? Does processing happen on device or through a provider? What data is sent, stored, exported, or logged? The F-Droid post lists private AI chat and on-device translation-style tools, but each app needs its own check. “Open source” and “private” are useful signals, not proof that your specific configuration is safe.
If you use Work Profiles or sandboxing tools, verify isolation after update. Can the app still see the accounts, files, notifications, or network routes you expect? Can cloned or isolated apps still receive push notifications? Are backups separated? These checks are dull, but they catch the real breaks.
What not to overclaim#
This F-Droid post is a weekly roundup, not a vulnerability report. It does not say these apps are compromised. It does not establish that new permissions are abusive. It does not prove that Google’s installation changes will affect every user in the same way. The right conclusion is narrower: many Android apps in the open source ecosystem are changing capability, support, and trust boundaries at once.
It is also not proof that F-Droid is risk-free. F-Droid improves inspectability and build trust for many users, especially compared with downloading random APKs from release pages or mirrors. But users still need to read permission changes, understand app-specific privacy models, and maintain the underlying device.
The practical posture is simple. Prefer source-grounded distribution where possible. Keep the OS current where realistic. Read major changelogs for sensitive apps. Treat new network, location, sync, ML, and backup features as security-relevant until checked.
Long changelogs are not noise. They are where mobile security changes shape before it becomes an incident.