I started typing a very long response explaining my risk model, how a malware on my mobile device will be a nightmare to my whole digital life, etc. Long story short, my case might differ from yours and I consider Izzy’s security not enough for me.

I consider myself fairly educated in infosec. Security is layered, no single measure can give you assurance it will not fail.

I suspect Google to perform automated reverse engineering on the Play store apps. F-Droid get the source, not the binaries. Much easier to look for sketchy behaviour if you’ve got the sources. Yes, Google sometimes get malware on the Play store, but it usually does not stay very long or affects a lot of their users.

Izzy simply does not have the resources to do so, so they use VT as a “replacement”, which is not good enough for me; AV solutions have traditionally shitty engines for mobile apps.

Also, Izzy is a much more confidential source for apps. Only a few (if any) security researchers will look at it. Even if someone finds a malware, I strongly doubt it will make news, even in IT security websites. Whereas the Play store or even F-droid…

I don’t blame them nor anyone using them, I’m just saying the risk of potential malware on my phone is not worth the benefit of installing bleeding edge apps for me.