Security
See the security docs for FMD Android and FMD Server.
Static analysis runs on SonarQube Cloud (thanks to their free tier for open-source projects); it checks for security issues and code quality.
Reporting vulnerabilities
If you discover a security vulnerability in FMD, please contact us to organise a coordinated disclosure.
We also publish a security.txt (RFC 9116).
Release Signing
The FMD Android release APKs are currently built and signed by F-Droid.
The SHA-256 fingerprint of the signing certificate (what apksigner reports as "Signer #1 certificate SHA-256 digest") is
87a6c136f5499db255c93f4d384cb1a5d314f6908f2bf197e0ec07ed58bb5872.
You can verify an APK by running:
apksigner verify --verbose --print-certs /path/to/app.apk
and checking that the output starts with "Verifies" and that the reported certificate digest matches the fingerprint above. A valid signature alone is not enough: any key can produce one, so the digest comparison is the step that ties the APK to F-Droid's key.
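The check described above, scripted so the digest comparison is not done by eye. This is an added example, not part of the FMD project; it assumes apksigner from the Android SDK build-tools is on PATH, and the apksigner output embedded in it is constructed for illustration (the digest value is the one published above).

```shell
#!/bin/sh
# Added example (not FMD project code): verify that an APK is signed with the
# certificate whose SHA-256 fingerprint the project publishes.
# Assumes `apksigner` (Android SDK build-tools) is on PATH.

# Fingerprint published above for the F-Droid signing certificate of FMD Android.
EXPECTED_SHA256="87a6c136f5499db255c93f4d384cb1a5d314f6908f2bf197e0ec07ed58bb5872"

# Normalise a fingerprint for comparison: drop colons and spaces, lowercase hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# check_signer_digests EXPECTED
# Reads the output of `apksigner verify --verbose --print-certs` on stdin.
# Returns 0 only if apksigner reported "Verifies" AND every listed signer
# certificate has the expected SHA-256 digest (an extra, unknown signer is a
# failure, not a pass).
check_signer_digests() {
    expected=$(normalize_fp "$1")
    out=$(cat)

    # With --verbose apksigner prints "Verifies" on success, "DOES NOT VERIFY" otherwise.
    printf '%s\n' "$out" | grep -q '^Verifies' || {
        echo "signature does not verify" >&2
        return 1
    }

    # Collect the "Signer #N certificate SHA-256 digest: <hex>" values.
    digests=$(printf '%s\n' "$out" | sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: *//p')
    [ -n "$digests" ] || {
        echo "no signer certificate digest in apksigner output" >&2
        return 1
    }

    for d in $digests; do
        if [ "$(normalize_fp "$d")" != "$expected" ]; then
            echo "unexpected signer certificate digest: $d" >&2
            return 1
        fi
    done
    return 0
}

# verify_apk /path/to/app.apk : run apksigner and apply the check.
verify_apk() {
    apksigner verify --verbose --print-certs "$1" | check_signer_digests "$EXPECTED_SHA256"
}

# Constructed sample of apksigner --verbose --print-certs output (illustration only).
SAMPLE_OUTPUT="Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Number of signers: 1
Signer #1 certificate DN: CN=FDroid, OU=FDroid, O=fdroid.org
Signer #1 certificate SHA-256 digest: 87a6c136f5499db255c93f4d384cb1a5d314f6908f2bf197e0ec07ed58bb5872
Signer #1 certificate SHA-1 digest: 0000000000000000000000000000000000000000"

printf '%s\n' "$SAMPLE_OUTPUT" | check_signer_digests "$EXPECTED_SHA256" && echo "sample output: signer matches"
```

For a real APK run `verify_apk fmd.apk`; the exit status is 0 only when apksigner accepts the signature and all signer certificates match the published fingerprint. If the project later rotates to its own key, update EXPECTED_SHA256 from the published fingerprint rather than trusting whatever apksigner prints.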
In the future, we plan to sign APKs and FMD Server releases ourselves. See issue #228 and the NLnet blog post.