I’m not a programmer. I Don’t Understand Codes. How do I Know If An Open Source Application is not Stealing My Data Or Passwords? Google Play Store is scanning apps. It says it blocks spyware. Unfortunately, we know that it was not very successful. So, can we trust open source software? Can’t someone integrate their own virus just because the code is open?

  • rufus@discuss.tchncs.de
    11 months ago

    Tl;dr: Don’t download random APKs from the internet, just because they claim to be FOSS. Just get them from F-Droid and you’re safe.

    Long answer: Depends on the project. Look how many people use it. If it’s a bunch, chances are other people also keep an eye on it. Even better if you get that software packaged. That means from the package manager of your Linux distribution or - in your case, using Android - from F-Droid. This way somebody from that team has a look at it, and F-Droid even strips all those trackers from apps. I’d say chances for a virus/spyware getting through the F-Droid process are close to none. Not more than chances are of a virus slipping past Google’s antivirus.

    (Play Store doesn’t do anything against excessive tracking.)

      • Peruvian_Skies@kbin.social
        11 months ago

        Part of it is automated, part of it is real people looking at the source code. That’s done by sampling of course, since it’s not feasible to have someone manually look over every new update to every app.

      • copygirl@lemmy.blahaj.zone
        11 months ago

        From what I know, F-Droid compiles apps from source so you can be sure that the code you’re running is actually made from the source code that it claims to be built from. On most other platforms, the developers could be uploading malicious programs that actually have the code changed from what’s shared online as its source code. Then add the fact that other developers can and do look at the code, and what changes are made from version to version.
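
The idea in the last comment, checking that a published package matches what the source code builds, shown as an added example that is not part of the thread and is not F-Droid's own tooling. It assumes the build is deterministic and compares a published APK against an independent rebuild file by file, ignoring the per-signer files under `META-INF/`; the sample APKs are constructed in memory.

```python
import hashlib
import io
import zipfile

# v1 (JAR) signature files live under META-INF/ and differ per signer, so they
# are skipped. v2/v3 signatures sit outside the ZIP entries and are not read here.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

def is_signature_entry(name):
    upper = name.upper()
    return upper.startswith("META-INF/") and (
        upper.endswith(SIGNATURE_SUFFIXES) or upper == "META-INF/MANIFEST.MF")

def entry_digests(apk_bytes):
    """Map each non-signature entry name to the SHA-256 of its content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist()
                if not i.is_dir() and not is_signature_entry(i.filename)}

def compare_builds(published, rebuilt):
    """Report entries that differ between the published APK and the rebuild."""
    pub, reb = entry_digests(published), entry_digests(rebuilt)
    return {
        "only_in_published": sorted(pub.keys() - reb.keys()),
        "only_in_rebuilt": sorted(reb.keys() - pub.keys()),
        "changed": sorted(n for n in pub.keys() & reb.keys() if pub[n] != reb[n]),
    }

def make_apk(entries):
    """Build a constructed, in-memory ZIP standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample data, not real apps.
SOURCE_BUILD = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"app code"}
REBUILT = make_apk({**SOURCE_BUILD, "META-INF/CERT.RSA": b"rebuilder signature"})
HONEST = make_apk({**SOURCE_BUILD, "META-INF/CERT.RSA": b"developer signature"})
TAMPERED = make_apk({**SOURCE_BUILD, "classes.dex": b"app code + extra",
                     "lib/tracker.so": b"not in source",
                     "META-INF/CERT.RSA": b"developer signature"})

if __name__ == "__main__":
    print("honest  :", compare_builds(HONEST, REBUILT))
    print("tampered:", compare_builds(TAMPERED, REBUILT))
```

An empty report means the published file contains exactly what the rebuild from source produced; any entry listed is code or data that the public source does not account for.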