I think a pretty good solution for this, specific to mobile, is to require users to approve an update when permissions have changed. Most non technical users don’t understand old software can contain security issues, they purely view updates as new bells and whistles. If these apps are actually malicious, they aren’t going to include their new keylogger in the release notes nor release on fdroid. I think automatic updates for the predominantly non technical population is still safer.
I think a pretty good solution for this, specific to mobile, is to require users to approve an update when permissions have changed. Most non technical users don’t understand old software can contain security issues, they purely view updates as new bells and whistles. If these apps are actually malicious, they aren’t going to include their new keylogger in the release notes nor release on fdroid. I think automatic updates for the predominantly non technical population is still safer.