About mobile privacy and open source
Hi Habr.
Not so long ago I had the urge to write a whole series of articles on security, privacy and anonymity on the Internet. I do not want to waste readers' time describing once again the deplorable state of personal data collection; that has all been done before me, so let's get straight to the point.
So, is it possible to use a mobile device without serious damage to your privacy?
The answer is yes, you can, but for this you need to get rid of the software and services that collect data uncontrollably. This requires a desire to change something and a device on which a custom Android system can be installed (iOS, for obvious reasons, is not considered, and of the alternatives only SailfishOS and GNU/Linux remain, but these systems can be installed on a very limited number of models). If you are interested, read on under the cut.
AOSP and LineageOS
The Android system itself (AOSP) is open under the Apache 2.0 license, but most smartphones and tablets go on sale with the closed-source Google Play Services, which cannot be removed without root (except on Android One). Manufacturers also often install their own proprietary software of dubious quality and functionality. It should be understood that any application that has been granted permissions (and when building the firmware you can give an application any permissions) can collect huge amounts of information; therefore a more sensible alternative (for a person who cares about privacy) is AOSP-based builds (OmniROM, NitrogenOS, etc.) or LineageOS-based ones (CrDroid, XenonHD, et al.). The code of such systems is usually completely open (except for the binary blobs required for compilation) and is maintained by the community.
A little about open source, surveillance and spirituality
In general, the fact that a program's code has been published does not mean that no information will be collected about you or that you will not be shown targeted ads, or that the application contains no implants or backdoors (just as closed source does not prove the opposite), but in any case it is better than a plain black box, which is what ordinary proprietary software is.
In my opinion, it is worth choosing programs that follow not only the letter but also the spirit of free and open-source software.
AOSP and LineageOS have a lot of forks and builds; unfortunately I cannot recommend anything specific, because stability and performance strongly depend on the device model, components, phase of the moon, etc. But besides LineageOS itself, the AEX, Resurrection Remix, CandyOS, DotOS and Liquid Remix ROMs are quite popular; I think it is worth starting with them.
[Screenshot: CandyOS 9.0]
Differences between LineageOS and AOSP
LineageOS is a fork and successor to the ideas of good old CyanogenMod. Like Cyanogen, LineageOS offers unique features that are absent from AOSP:
- Custom Button Placement: lets you remap the touch buttons and put additional buttons on the display.
- System Profiles: lets you activate different profiles either manually or by a programmable trigger.
- Expanded Desktop: lets you open applications that do not support "immersive mode" in full-screen mode.
- LiveDisplay: changes the display colour temperature depending on the time of day.
- Trust: an interface for reviewing the system's privacy and security settings and learning how to fix possible problems (since version 15.1).
- Protected Apps: hides applications from the launcher; you can create special secure folders for quick access and protect them with a pattern lock.
- PIN scramble: shuffles the digit layout on the PIN entry screen, which makes it harder to shoulder-surf the code or infer its digits from fingerprints on the screen.
- Custom pattern sizes: adds 4x4, 5x5 and 6x6 grids for the pattern lock.
- Styles: light and dark system themes, which can switch automatically depending on the wallpaper or the time of day.
- Call recorder: records calls (may be unavailable in some countries).
The main difference between official and unofficial builds is that the official ones are compiled from source and signed, but it is not always that simple: for example, in the LineageOS project only ROMs assembled on a dedicated build server are signed with the secret key and receive "official" status (besides, Lineage also has a release calendar and fairly complete support). Some other projects are a bit more relaxed, and you can build an official build on your own PC.
If bootloader is locked
Try to get root or temporary root via ADB. You are unlikely to be able to install a custom system, but you can at least remove junk software from /system/apps and system/priv-apps (Android is a modular system in general; quite a lot of components can be removed or replaced, though of course you can also break everything). If you use ADB, you can write a script to automate this, since ordinary Unix commands work in Android.
About F-Droid
The F-Droid catalog contains only free and open-source software (FLOSS); all applications are compiled and published by the F-Droid team. If the catalog does not contain your favourite open application, you can submit a request here, or write the metadata yourself, but note that only open-source components and libraries are used in the build.
About dubious functionality
Antifeatures are warnings that an application may perform some undesirable actions, for example showing ads or collecting data (this is not forbidden by F-Droid's rules, but such modules must be open source). The most common ones are: use of non-free network services (for example DuckDuckGo), upstream source code that contains closed parts (in that case the catalog carries a fork with those components cut out), dependence on proprietary software (for example, the application does not work without Google Maps) and promotion of non-free add-ons. All the others are quite rare: known vulnerabilities, the application having gone closed-source, and so on.
F-Droid client
An application catalog with the ability to add third-party repositories (or your own). There are also alternative clients, m-Droid and G-Droid, but they are still too raw for everyday use.
Pros:
- Auto-refresh with adjustable frequency
- Ability to select a connection (Wi-Fi or mobile data) for download
- Privileged application for automatic installation / updating of applications without root (to install, you need to flash the archive through TWRP )
- Applications with anti-features are easy to spot.
Minuses:
- Application lists are not updated very quickly, and application icons and screenshots do not always load (in m-Droid this problem was solved: it loads gzip-compressed JSON instead of the .XML file)
- No app ratings
Sources: Gitlab
License: GPLv3
Download: F-Droid app, privileged extension zip archive
F-Droid Security
- Applications are built in an isolated virtual machine, which is deleted at the end of the process. Metadata is signed on a separate virtual machine; the signature consists of the application hash (SHA-256) and the key (the signature supports timestamps and expiry).
- The public key for verifying the signature is built into the F-Droid client.
- All communication between the client and the server goes over HTTPS, but it is also possible to switch to Tor (via Orbot).
However, the F-Droid team cannot guarantee 100% security, so it is recommended to check permissions and keep an eye on security news.
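The check a client performs on a downloaded APK against the signed index (SHA-256 hash plus signer fingerprint), as an added example written for this article; it is not F-Droid's own code, and the index layout below is a simplified, constructed stand-in for F-Droid's index-v1.json with made-up APK bytes and fingerprints.

```python
import hashlib
import hmac
import json

# Constructed sample data (not a real APK, not a real certificate fingerprint).
SAMPLE_APK = b"PK\x03\x04 constructed bytes standing in for an APK"
PINNED_SIGNER = "ab" * 32  # placeholder fingerprint recorded on first install (TOFU)

# Simplified index: package name -> list of APK entries with hash and signer.
SAMPLE_INDEX = json.dumps({
    "packages": {
        "org.example.app": [
            {"versionCode": 42, "apkName": "org.example.app_42.apk",
             "hashType": "sha256", "hash": hashlib.sha256(SAMPLE_APK).hexdigest(),
             "signer": PINNED_SIGNER},
            # An entry with a weak hash type, to show that it must be rejected.
            {"versionCode": 41, "apkName": "org.example.app_41.apk",
             "hashType": "md5", "hash": "0" * 32, "signer": PINNED_SIGNER},
        ]
    }
})


def find_entry(index_json, package, version_code):
    """Locate the index entry for one package version, or None."""
    index = json.loads(index_json)
    for entry in index["packages"].get(package, []):
        if entry["versionCode"] == version_code:
            return entry
    return None


def verify_apk(apk_bytes, entry, pinned_signer=None):
    """Return (ok, reason).

    Rejects hash types other than SHA-256, a digest that does not match the
    index, and a signer fingerprint that differs from the one pinned earlier
    (a changed signer means a different publisher, even if the hash matches
    what the index says).
    """
    if entry.get("hashType") != "sha256":
        return False, "unsupported hash type: %s" % entry.get("hashType")
    actual = hashlib.sha256(apk_bytes).hexdigest()
    # Constant-time comparison, so the check does not leak how much matched.
    if not hmac.compare_digest(actual, entry["hash"].lower()):
        return False, "hash mismatch"
    if pinned_signer is not None and not hmac.compare_digest(
            entry["signer"].lower(), pinned_signer.lower()):
        return False, "signer changed"
    return True, "ok"


if __name__ == "__main__":
    entry = find_entry(SAMPLE_INDEX, "org.example.app", 42)
    print(verify_apk(SAMPLE_APK, entry, PINNED_SIGNER))          # (True, 'ok')
    print(verify_apk(SAMPLE_APK + b"x", entry, PINNED_SIGNER))   # (False, 'hash mismatch')
```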
Applications
It is clear that the applications in the catalog are far from always a full-featured replacement for proprietary programs from Google Play or similar sources, so I tried to make a small comparative analysis and find out which applications are suitable for everyday use and which should be avoided.
1. Since the F-Droid catalog has more than 2,500 applications, I will only cover in detail lesser-known programs with interesting functionality that nevertheless belong to the category users need most of the time. All the others (well known, lacking any interesting features, or with what I consider critical flaws) I will mention with brief comments.
2. I will give applications from 1 to 3 stars for ease of use; this is my subjective opinion, so feel free to ignore it.
3. Some applications have no, incomplete or poor Russian localization, so I decided not to create visual chaos and took the screenshots in English (this may have been a bad idea, but I hope you will forgive me).
Yalp and Aurora
I understand that completely giving up non-free software is impossible for many people. But at least you can get rid of Google Play Services on your smartphone without losing access to the Google Play store. Yalp and Aurora let you download .apk files directly from Google's servers. Technically both applications are very similar, since Aurora is a fork of Yalp using Material Design; there is no particular difference in stability and functionality:
- You can use an anonymous account (in both applications it periodically stops working)
- Ability to download only delta updates
- Lists of trackers in applications provided by the Exodus Privacy project
- Notes on dependence on the Google Services Framework (the fact that an application depends on GSF does not mean it will not work without it, but some functionality may not work)
There are some differences:
- Aurora has extended functionality, but you cannot use Tor (Orbot) as a proxy.
- Yalp has a spartan design and lower resource consumption
About microG
Some applications from Google Play require Google Play Services to work; there is a free implementation of these services called microG. To download them via the F-Droid client you need to add the repository.
Read more about installing and configuring microG in this article.
Yalp Store
Sources: Github
License: GPLv2
Download: F-Droid. Rating: (image)
Aurora Store
Sources: Gitlab
License: GPLv2
Download: F-Droid. Rating: (image)
Browsers
The first thing that strikes you is the absence of familiar brands like Mozilla Firefox or Chromium, but in fact not everything is so bad: at least the Firefox browser is present in the catalog, albeit under a different name. The mobile Chromium build, however, apparently still depends on Google Play Services, so the catalog only has downloaders that fetch the .apk from a third-party resource. The same problem applies to browsers based on Chromium, so F-Droid mainly offers front-ends for AndroidSystemWebView and browsers on the Gecko engine.
Icecatmobile
GNU IceCat is a fork of the Firefox ESR (Extended Support Release) browser, originally branched off from GNU IceWeasel, but unlike the Debian project, which focused on rebranding, IceCat made changes to the code. The mobile version is maintained by a separate team that has returned to the MPL 2.0 license. Among the new features introduced by the community:
- No DRM systems: Encrypted Media Extensions and Google Widevine Content Decryption have been removed
- Third-party cookies are not accepted by default.
- WebRTC is configured with the flag media.peerconnection.ice.default_address_only = true, which fixes a LAN IP leak when using a proxy and VPN
- Telemetry deleted
- Fingerprinting countermeasures are enabled, which hamper browser fingerprinting
- Add-ons: Tor Button, HTTPS Everywhere, Hidden HTML (shows hidden HTML code), GNU LibreJS, Searxes Third-party Request Blocker
As for GNU LibreJS (which blocks all non-free scripts) and Searxes Third-party Request Blocker (which blocks third-party resources), I advise removing them because they are inconvenient to use: to whitelist a site in LibreJS you have to either copy the site address or enter it manually (all its scripts are then allowed at once), and in the TPRB add-on it is impossible to add an entire second-level domain, for example in the form *.wikipedia.org. Instead of these add-ons you can install uBlock Origin, uMatrix or NoScript, whichever you prefer. Hidden HTML should also be disabled, since this add-on is a nuisance with its constant prompts. Incidentally, the add-ons page has been redone and now leads here; there you can find a link to the list of recommended extensions, but some links (for example NoScript) are broken, so I personally use the regular Firefox add-on site.
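To make the LAN IP leak that media.peerconnection.ice.default_address_only addresses concrete, here is an added example (not IceCat's code) that scans the ICE candidate lines a browser would place in its SDP offer and flags host candidates that expose private or link-local addresses. The SDP lines are constructed for the example; mDNS-obfuscated candidates (<uuid>.local) are treated as the non-leaking form.

```python
import ipaddress
import re

# Constructed SDP fragment: two leaking host candidates, one mDNS-obfuscated host
# candidate, and a server-reflexive and a relay candidate (not LAN addresses).
SAMPLE_SDP = """v=0
a=candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host generation 0
a=candidate:2 1 udp 2122197247 fe80::1 51234 typ host generation 0
a=candidate:3 1 udp 2122260223 7f1c2a9e-5b2d-4e1f-9c3a-1a2b3c4d5e6f.local 51234 typ host
a=candidate:4 1 udp 1686052607 203.0.113.9 51234 typ srflx raddr 0.0.0.0 rport 0
a=candidate:5 1 udp 41885439 198.51.100.20 3478 typ relay raddr 0.0.0.0 rport 0
"""

# RFC 5245 candidate-attribute syntax, up to the candidate type.
CANDIDATE_RE = re.compile(
    r"^a=candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<address>\S+) (?P<port>\d+) typ (?P<type>\S+)"
)


def parse_candidate(line):
    """Return the fields of one a=candidate line, or None for any other line."""
    m = CANDIDATE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "transport": m.group("transport").lower(),
        "address": m.group("address"),
        "port": int(m.group("port")),
        "type": m.group("type"),
    }


def exposes_local_address(address):
    """True for RFC 1918, link-local and loopback addresses.

    Anything that is not an IP literal (the <uuid>.local mDNS names browsers
    substitute for host candidates) is not counted as a leak.
    """
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_private or ip.is_link_local or ip.is_loopback


def find_lan_leaks(sdp):
    """Addresses of host candidates that reveal the machine's local network.

    Only 'host' candidates are examined: srflx/relay candidates carry the
    address observed by the STUN/TURN server, which is outside this check.
    """
    leaks = []
    for line in sdp.splitlines():
        cand = parse_candidate(line)
        if cand is not None and cand["type"] == "host" \
                and exposes_local_address(cand["address"]):
            leaks.append(cand["address"])
    return leaks


if __name__ == "__main__":
    print(find_lan_leaks(SAMPLE_SDP))  # ['192.168.1.23', 'fe80::1']
```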
Pros:
- A secure Gecko-based browser built on the latest version of Firefox ESR
- Some features that increase browser privacy are enabled by default.
- Full add-on support
Minuses:
- Pre-installed add-ons are inconvenient to use.
- Confusing add-ons page
- Worse optimization than browsers using Blink/WebKit
- Additional security patches, for example from the Tor Project, are only included from time to time (this is not a drawback, just keep in mind that if you need increased security, use the Tor Browser)
Sources: GNU
License: MPL 2.0
Download: F-Droid. Rating: (image)
DuckDuckGo Privacy Browser
The browser comes from the team behind the DuckDuckGo search engine, a service positioned as a privacy-respecting alternative (note that the search engine's own code is not open). It uses AndroidSystemWebView for rendering pages.
Some features of the browser are quite interesting:
- A system for grading site privacy (a rating from A to D and F in the address bar, where A is the best rating and F the worst)
- The Privacy Protection feature blocks ad networks and trackers, and Increase Encryption Protection redirects connections to https
- Fire Button: removes all user data in 2 taps
- Tabs and storage are cleared when closing (can be customized)
In my opinion, the main drawback is the lack of history, or at least of switching between incognito and normal modes (after all, a main browser should have this).
Pros:
- Pretty simple and convenient browser.
- Ad blocking and trackers
Minuses:
- Few settings
- Ads are not completely blocked, and there is no way to add filter lists
- No history
Sources: Github
License: Apache 2.0
Download: F-Droid. Rating: (image)
Privacy browser
A front-end for AndroidSystemWebView with a focus on privacy, although one feature raised questions for me: the browser sends a user agent with the parameter PrivacyBrowser/v1.0. You can imagine how few people use a browser with such an agent, and considering that the OS can easily be fingerprinted by its TCP/IP stack, this makes no sense at all (and there is also JavaScript fingerprinting, tap detection, etc.); however, in the settings you can set a different agent. Features:
- Additional lists for the ad blocker (EasyPrivacy, Fanboy's Annoyance List, UltraPrivacy)
- Javascript quick switch button
- Ability to block all requests to third-party resources
- Orbot support
- Automatic cleaning when closing the application (can be customized)
Pros:
- Various settings
- Potential privacy threats (DOM storage, third-party cookies, etc.) are disabled by default, but can easily be enabled.
Minuses:
- Some settings reduce anonymity rather than increase it
- No tabs and history
Sources: stoutner.com
License: GPLv3
Download: F-Droid. Rating: (image)
Bromite
A fork of the Chromium browser with changes aimed at improving privacy and blocking advertising. Patches from projects such as Iridium, Brave, Ungoogled Chromium and the Inox patchset are included in Bromite.
Features:
- Advertising blocker (EasyList, PrivacyList, etc.)
- DNS-over-HTTPS support
- Switch between permanent incognito mode and normal mode
- Removed Google components
- Fingerprinting protection (canvas, audio, client rects, WebGL and sensor APIs)
- Play video / audio in background
- Import / export bookmarks
To download Bromite you need to add the repository.
Pros:
- Good optimization
- Extended functionality
- Additional security and privacy features
- Easy to switch from Chrome
Minuses:
- There are closed components (video codecs)
Sources: Github
License: GPLv3
Download: repository. Rating: (image)
More options (no rating)
Tor Browser: a build provided by The Guardian Project (you must enable the repository in the settings). Until recently the Tor Project did not support Tor Browser for Android, and the applications that made it possible to access the Tor network, Orfox and Orbot, were developed by the Guardian Project team. In September 2018 the Tor Project announced the release of an alpha version for Android, although they still do not have their own F-Droid repository.
Fennec F-Droid is essentially a FOSS version of Firefox. I never managed to find a complete list of the proprietary components used in current versions of mobile Firefox, so it is hard to say what was cut out besides the analytics trackers (Adjust and Leanplum) and DRM. For example, the wiki says that the Health Report module (telemetry) has been removed, but in the current version it is present and works after launch. In any case there are no non-free dependencies in Fennec (otherwise it could not have been built).
FOSS Browser is another WebView front-end, in principle a good application, but on some firmware it transmits the smartphone model in the user agent (WebView version 66; in many front-ends this has been fixed). An ad blocker is present, and the address bar has been moved to the bottom.
Firefox Klar is Firefox Focus (the difference is that Klar's telemetry is disabled by default), Mozilla's private browser; it uses GeckoView and has tracker blocking.
Interesting in the Play Store:
Brave Browser is based on Chromium, with a built-in ad blocker using local lists, HTTPS Everywhere and fingerprinting protection.
The Brave team came up with a rather interesting way to monetize content: any Brave user can make a donation, which is then converted to cryptocurrency and distributed among the visited sites or blogs registered in the Brave Rewards program, but this feature is not yet available in the mobile version.
Waterfox is a fork of the XUL versions (up to 57) of Firefox; telemetry and non-free components are removed.
Messengers
Of course, in the F-Droid catalog you will not find the popular WhatsApp, Viber or Skype applications, but there is a Telegram client. Note, however, that push notifications do not work in F-Droid messengers, since in Android they are tied to Google's proprietary Firebase Cloud Messaging service.
Pix-Art Messenger
Pix-Art is a fork of Conversations, a mobile client that uses XMPP for communication. F-Droid also has Conversations Legacy, which retains the functionality of version 1.23+ (OTR and custom names for client identification, but without the novelties of version 2+). Pix-Art Messenger is based on the 2+ branch, but has integrated OTR, as well as daily backups, a list of servers for registration and a revised menu.
Features of the application:
- End-to-end encryption: OTR, OMEMO and PGP (via OpenKeychain)
- Synchronization with desktop clients
- Integration with contacts (the permission can be withheld)
- Avatars, transfer of pictures, files, video, audio and locations (in Conversations Legacy the last two are implemented via plug-ins)
- Conferences (or groups)
- You can configure the deletion of messages (after 1 day, week, month or six months)
- Server hostname verification via DNSSEC
- Connection support via Tor (Orbot)
In all versions/forks of Conversations it is possible to leave the service running after the client is closed, which in theory should prevent the system from closing the client's connection to the server; but many custom builds have strict power-saving policies, so you need to add Conversations to the exceptions (this is how you get push notifications).
Pros:
- Convenient interface
- End-to-end encryption
- Support for XEP standards (message correction, delivery receipts, etc.)
- Additional security and privacy tools
- Rich customization options
Minuses:
- Beginners may not understand how to register, make backups, etc. (in Pix-Art this is implemented a little more simply)
Sources: Github
License: GPLv3
Download: F-Droid. Rating: (image)
Rocket.Chat
A corporate instant messenger with the ability to use your own server (the FOSS version supports up to 1000 users). If XMPP does not suit you (for example, because of the lack of a uniform client on all platforms or of 2FA), then Rocket.Chat is not such a bad choice:
- Room and private group support
- Public Channels
- Avatars and emoji (most importantly, they can be disabled)
- Deleting and editing messages
- Upload and transfer files
- Two-factor authentication (LDAP and Active Directory support)
The application is not very suitable for ordinary users; after all, it is focused on teams with a professional admin.
Pros:
- Integration with desktop clients (if React Native on the PC does not bother you; the Android version is written in Kotlin)
- Installing and setting up the server is pretty easy.
- Quite comfortable chat rooms
Minuses:
- The mobile version has no E2E encryption (there is only TLS to the server, but an implementation seems to be in progress)
- The FOSS version of the server (Community) has some limitations.
Sources: Github
License: MIT
Download: F-Droid. Rating: (image)
Riot.im
A team messenger, an analogue of Slack, using the Matrix protocol. There are community-supported servers. Server software in the Matrix protocol is divided into two types: the HomeServer (stores all correspondence and account data) and the Identity Server (maps email addresses to Matrix User IDs; it is used only if you link email to an account or invite another user by email). There are various server implementations: Synapse (HomeServer in Python/Twisted), Dendrite (HomeServer in Go), Sydent (Identity Server) and mxisd (Identity Server with an emphasis on privacy). The Riot client is written in React Native, so if you are allergic to JavaScript you had better refrain from using it. Riot.im features:
- E2E Olm encryption
- Audio / Video calls
- Synchronization of history and notifications with other clients and browser version
- Rooms
- Permalinks on messages
- Chat history search
- File transfer (files can be shared per room)
Pros:
- Good scalability (suitable both for friendly 1-on-1 correspondence and for thousands of people in hundreds of rooms)
- Nice design, chat rooms are quite convenient to use.
- Just like Pix-Art, it keeps a persistent service in the notifications so that the connection is not terminated
- No phone or email required for registration (but you can add them)
Minuses:
- It depends on the non-free Identity Server vector.im: you can clear the Identity Server input field, but vector.im will still be used; if you run your own mxisd server everything works fine (but it does not work with Sydent, go figure).
Sources: Github
License: Apache 2.0
Download: F-Droid. Rating: (image)
More options (no rating)
Telegram is a very popular messenger; the application in F-Droid is updated with a delay because it is essentially a fork with components cut out. Telegram uses closed servers on which the history of non-secret chats is stored, the account is tied to a mobile phone number, and the project generally has a somewhat strange privacy policy (and I understand that, due to the lack of push, the list of servers cannot be updated automatically).
Jami, formerly the Ring VoIP softphone, supports third-party SIP and IAX services and TLS and ZRTP encryption. Open under the GPLv3 license.
TRIfA uses the Tox protocol; there are audio/video calls, although they are unusable (maybe if you run your own Tox node the situation changes): the connection breaks and the client periodically crashes. Messages also sometimes do not arrive.
Interesting in the Play Store:
Signal: as with Telegram, the account is tied to a phone number; the Signal Protocol is used for communication, and all correspondence is stored on user devices.
Interesting fact: there used to be a free implementation, LibreSignal (with the Google components removed), but moxie0 was against its use of the Signal servers and name. I do not understand how the three and a half anonymous users of LibreSignal could have been a problem, so I will not express my opinion on this situation.
Wire is another instant messenger using the Signal Protocol; it supports email registration as well as group calls for up to 10 people, and the application is open under the GPLv3 license (it uses Google Firebase Analytics, Mixpanel and HockeyApp).
Maps
Perhaps the main drawback of open-source maps is the lack of cross-platform applications and of integration between these applications and online services. For example, there are online maps at www.openstreetmap.org, but you cannot transfer a route planned in the browser on a PC to your smartphone (at least I did not succeed; when I try to export the map to an .osm file, all the routes disappear). On the other hand, if you do not care about the synchronization problem, things are not so bad.
Maps
Offline maps. A fork of the Maps.Me application, owned by you know which Russian company starting with "M". In the original application, according to the Exodus project, there are 15 different analytics trackers plus advertising, but in Maps both have been removed. Despite its apparent simplicity, the application has quite a few useful features:
- Route planning (by car, on foot, public transport and bicycle)
- Bookmarks
- Icons for various places (attractions with a link to Wikipedia, hotels with a link to Booking, restaurants with opening hours and telephone, parking and transport stops, as well as hospitals, shops and pharmacies)
- Ability to contribute changes to the OSM project
- There is a search function for nearby restaurants and attractions.
- In general the maps are quite detailed, although inferior to OsmAnd~
Pros:
- Good optimization
- When you approach an area, you are prompted to download its map.
- Small map files
Minuses:
- Object descriptions are not very detailed.
- Few settings, no alternative maps.
Sources: Gitlab
License: Apache 2.0
Download: F-Droid. Rating: (image)
OsmAnd~
A very detailed and well-developed application; there are both detailed offline maps based on OpenStreetMap and online maps for navigation. OsmAnd offers a large number of interesting features:
- Offline and online navigation (with voice assistant, auto-rotations and real-time route creation)
- Custom maps, for example topographic maps or ski maps marking lifts, slopes and ski routes
- As in Maps, there are place objects and the ability to contribute directly to the OpenStreetMap project
- Audio and video notes
- Travel guides: a plugin using the offline Wikivoyage database (a project created by Wikimedia for travelers); you can display interesting points on the map or just read about the city you are in
- Mapillary: photo viewing
- Transport and road maps
The application is open under the GPLv3 license, but not all of the offered services are free.
Pros:
- A large number of settings and plugins
- Very diverse functionality
- Objects with a detailed description (time, links, photos, etc.)
- You can turn off the display of unnecessary objects.
- Detailed road maps, down to the state of the road surface
Minuses:
- Works slower than Maps, and the maps take up more space.
Sources: Github
License: GPLv3
Download: F-Droid. Rating: (image)
More options (no rating)
Open Map is an online map, though unlike the previous ones it is non-interactive, with ordinary images in .jpeg format instead of vector rendering.
PocketMaps is another application using OpenStreetMap, but the developers clearly overdid it with the size of the maps: for example, the map of Japan weighs 3.1 GB. As in Open Map, the map itself is non-interactive.
Security and anonymity
There are many applications in the F-Droid catalog that help protect your data, from encryption software to anonymous network clients, but not all of them are available by default. For example, the repository of The Guardian Project (a project aimed at creating easy-to-use secure applications and open libraries) is disabled by default in the settings.
EDS Lite
An analogue of VeraCrypt; it lets you create encrypted containers with a FAT or exFAT file system. Features:
- TrueCrypt, VeraCrypt, LUKS or EncFS compatible containers to choose from
- AES-256, Twofish and Serpent encryption (but, unlike VeraCrypt, cascaded encryption is not supported)
- For LUKS containers there is also support for GOST R 34.10-2012 encryption
- Supports the XTS encryption mode (TrueCrypt, VeraCrypt, LUKS)
- Hash algorithms SHA-512, RIPEMD-160 and Whirlpool
- Does not support key files
The Play Store also has a paid version of this application with enhanced functionality similar to VeraCrypt and LUKS, but EDS Full contains proprietary components.
Pros:
- Strong encryption algorithms
- Compatible with desktop software
Minuses:
- Some security features are cut from the open-source version.
- The interface is not very intuitive.
Sources: Github
License: GPLv2
Download: F-Droid. Rating: (image)
KeePass DX
A Java fork of KeePass. Computer security experts recommend using a different password for each service. Obviously, remembering a large number of complex passwords is impossible, and it is not necessary: it is easier to use a manager with random password generation and database encryption, so that you only need to remember one master password (the NIST standard recommends long passwords like "SmokeontheWatertheFireintheSky" that are easy to remember and hard to guess) and which file is used as the key file.
Features KeePass DX:
- Support for .kdb and .kdbx databases with AES-256, Twofish, ChaCha20 and Argon2 support
- Compatible with KeePass, KeePassX and KeePassXC
- Quick copy password and open URL
- Ability to unlock the database with a fingerprint (convenient, but not very secure)
- Auto-fill fields and MagicKeyboard (allows you to quickly fill in fields)
The KeePass DX developers do not want to complicate the application code by adding cloud synchronization (though they are thinking of forking some file manager to simplify access to remote resources); instead they recommend using the client of any cloud service (for example, Nextcloud, with a free client and server): you can put the database in a directory with synchronization configured.
Pros:
- Strong password database encryption algorithms
- Many settings and nice interface
- Customizable password generator (up to 64 characters, support for special characters, ASCII, etc.)
- There are several ways to automate form filling.
- Fully compatible with PC software
Minuses:
- Annoying hints (can be disabled in the settings)
Sources: Github
License: GPLv3
Download: F-Droid. Rating: (image)
andOTP
I remember, back in the days of Android 4, I used the Google Authenticator application to generate the OTP codes used in two-factor authentication. One day an update to version 5 arrived on my smartphone and guess what? Naturally, everything went to ... But that is not important, because the andOTP application has the ability to make a backup (how do you find such a
- Time-based One-time Password (TOTP) and HMAC-based One-time Password (HOTP) support
- Protecting the application with a PIN code or password
- The backup file can be encrypted with OpenPGP (requires OpenKeychain) or the AES algorithm
- Ability to hide the contents of OTP tokens
- Sync backup via Android Sync
- Panic Trigger (deleting accounts or deleting all application data, need an alarm button )
Pros:
- The ability to make an encrypted backup
- Additional security features
- Fine-grained settings
Cons:
- No way to choose a cloud service for synchronization
Sources: Github
License: MIT
Download in F-Droid | Rating:
Wireguard
Of course, OpenVPN and IPsec still comply with security standards, but we must understand that they were designed for corporate use rather than for anonymizing activity on the Internet. Therefore, if a client or server is configured incorrectly, various leaks (DNS, local IP, IPv6 addresses, etc.) and other privacy issues are possible. WireGuard, on the other hand, was designed as a VPN that is easy to set up and use, with a primary focus on performance and security. Features:
- It uses Curve25519 for key exchange, ChaCha20 with Poly1305 for authenticated encryption, and BLAKE2s for hashing
- Supports IPv4 and IPv6
- The codebase is about 4000 lines (versus 400000 for OpenVPN and 600000 for IPsec), which makes it easier to audit for bugs and to maintain
- Can run natively in the Linux kernel
Researchers from the University of London conducted a security audit of the WireGuard protocol.
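The Curve25519 key exchange named in the list above, as an added example that is not WireGuard's own code: X25519 as specified in RFC 7748, written in pure Python for study only (Python's big-integer arithmetic is not constant-time, so it is not suitable for real use).

```python
# Added example, not WireGuard's own code: X25519 key agreement (RFC 7748), the
# Curve25519 exchange WireGuard's handshake is built on. For understanding the
# primitive only: the arithmetic below is not constant-time.
P = 2**255 - 19                        # field prime
A24 = 121665                           # (486662 - 2) / 4 for Curve25519
BASE_POINT = (9).to_bytes(32, "little")

def _decode_scalar(k: bytes) -> int:
    """Clamp the private key as RFC 7748 section 5 prescribes (clear bits 0-2 and 255, set 254)."""
    n = int.from_bytes(k, "little")
    return (n & ~7 & ((1 << 254) - 1)) | (1 << 254)

def _decode_u(u: bytes) -> int:
    """Little-endian u-coordinate with the unused top bit masked off."""
    return (int.from_bytes(u, "little") & ((1 << 255) - 1)) % P

def x25519(private_key: bytes, peer_u: bytes) -> bytes:
    """Montgomery ladder: scalar * point using u-coordinates only."""
    k, x1 = _decode_scalar(private_key), _decode_u(peer_u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:  # conditional swap; real implementations do this branch-free
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def public_key(private_key: bytes) -> bytes:
    return x25519(private_key, BASE_POINT)

def shared_secret(my_private: bytes, peer_public: bytes) -> bytes:
    """Both sides obtain the same 32 bytes; RFC 7748 allows aborting on an
    all-zero result, which a low-order peer key would produce."""
    s = x25519(my_private, peer_public)
    if s == bytes(32):
        raise ValueError("all-zero shared secret: peer key rejected")
    return s
```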
Pros:
- Fast, modern encryption algorithms
- Relatively easy to install and configure a server
- High performance
Cons:
- There is a certain entry threshold for setting up your own server, and this protocol is unlikely to appear with VPN providers soon.
Sources: zx2c4.com
License: GPLv2
Download in F-Droid * | Rating:
More options (outside the rating):
Orbot is an application that uses a system proxy to redirect traffic over the Tor network.
PixelKnot allows you to encrypt a message into a picture using the F5 steganography algorithm.
OpenVPN for Android is a client implementation of the most popular VPN protocol.
I2P is a client for the anonymous distributed I2P network, released under the Apache 2.0 license.
OpenKeychain is an implementation of the OpenPGP encryption standard for Android, released under the GPLv3 license. It is integrated into many of the applications mentioned in this article (andOTP, Conversations, K-9 Mail, etc.).
Ripple is a panic trigger button that can be used in some of the applications mentioned above. Sources.
AFWall+ ** is a firewall, an add-on over iptables. It allows you to create different profiles, export/import lists, and works with VPN. Root required.
AppOpsX ** offers fine-grained control over application permissions; for full functionality (for example, denying normal permissions) root is required.
▍ Interesting in the Play Store:
KeePass2Android is another implementation of KeePass for Android; it has synchronization with cloud services.
Useful apps from F-Droid
Scarlet Notes FD is a good note editor: you can create lists, insert photos, set reminders, choose a note color, add tags, etc. Cloud sync can be enabled.
Perhaps the only drawback is that you cannot share a note to Google Keep.
Sources: Github
License: GPLv3
Download in F-Droid
NextCloud is a free and open (GPLv2) cloud client; you can use your own server or connect to a third-party provider (there are free plans offering from 2 to 10 GB).
Features:
- The server supports AES encryption
- File sharing
- Synchronization of folders and files
Sources: Github
License: GPLv2
Download in F-Droid
DAVx5 synchronizes contacts and calendars (it can be configured to work with NextCloud).
It also supports synchronization for the Tasks note editor.
Sources: Gitlab
License: GPLv3
Download in F-Droid
K-9 Mail is an e-mail client with a simple interface that supports POP3, IMAP, Push IMAP and OpenPGP encryption (OpenKeychain is required).
Sources: Github
License: Apache 2.0
Download in F-Droid
NewPipe is an unofficial YouTube client with background playback support. There is no regional top yet (though perhaps it is better not to go there).
Sources: Github
License: GPLv3
Download in F-Droid
oandbackup is a backup utility: you can make a snapshot of the whole system or a backup of an individual application (data, the .apk, or both). Root is required.
Sources: Github
License: MIT
Download in F-Droid
Forecastie is a weather application using the OpenWeatherMap API. It offers a 5-day forecast, graphs of temperature, rain, pressure and wind speed, as well as global maps of wind, precipitation and temperature.
Sources: Github
License: GPLv3
Download in F-Droid *
AntennaPod is a podcast manager that can play online streams and download episodes (downloads can be scheduled: at intervals, by time, by network type, etc.).
You can add your own podcast directory.
Sources: Github
License: MIT
Download in F-Droid
Let's sum up
For obvious reasons, I cannot cover everything, or even any significant part of what can be called "mobile open source". But I can still say that over the past 2-3 years the situation with open source software for Android has become much better: many new things have appeared, and some old projects have grown significantly in quality and functionality. In my opinion, these people have simply done a great job, without demanding anything in return. Yes, there are problems, and much has to be set up manually, but isn't privacy worth the small inconvenience?
* - localization is incomplete or missing
** - added by suggestions from comments