I currently use CalyxOS, and while I can choose to use the Play Store version, I really don’t want Google proprietary code running directly on my password manager.
I use microG for other apps that are less critical, but my password manager has literally everything I need to manage, and it affects pretty much all other apps on my device and my life overall. Bitwarden also has (had? native doesn’t have it, I suppose it will arrive sometime) access to the device as an accessibility service, which is pretty invasive, and combined with the proprietary code used for FCM, it isn’t great.
F-Droid does seem to allow FCM to be used if it is used alongside the UnifiedPush FOSS code; check Moshidon. It interacts with GMS for push notifications, but has the option for UnifiedPush. This was done with FOSS code; the only thing not FOSS here is the Google server. If Bitwarden were built like that, it could potentially be the same in the Google Play Store and on F-Droid with reproducible builds.
F-Droid official builds almost came, but licensing issues arose from the SDK; hopefully those get solved by Bitwarden in the future, but in any case, I’m fine with the F-Droid Bitwarden repo ATM. It gets the job done, it just unfortunately limits the functionality of the app. Thanks devs for maintaining this version, even if it is not the main one.
This would help. I do strongly think that Bitwarden should move more towards that direction of FOSS software, especially given it is a main security tool for thousands of people.
One problem with UnifiedPush ATM that I can point to is that the main tool recommended as a distributor is ntfy, whose default server is ntfy.sh. ntfy.sh has a few issues: it seems to be either whitelisted or at least blocks a bunch of domains, so it ends up only working with specific things, and many, if not most, people don’t even know this or realize things aren’t working; it’s silent. Hence integrating with FCM as a default alongside UnifiedPush has a benefit there, though depending on it isn’t great.
I think some of the traces of the ‘login with another device’ feature are also being removed from the F-Droid build, which is unfortunate but makes sense since it doesn’t even work properly. Implementing this would allow it to.
Isn’t FCM also used for syncing the vault while the app is off? That’s an important benefit there that’s lost with the ‘F-Droid’ variant.
Open Source or even FOSS doesn’t make things automatically secure or malware free, and to be fair I doubt in a way that the dependencies used for FCM are, but the possibility there just isn’t great for the risk we’re talking about.