Confused about app stores

n2gwtl

Hi all,

Reading this forum and privacyguides sometimes makes feel like I am chasing my tail. On one site Aurora is recommended, and on another Aurora is bad and I should just use the Google Play store. However, we are using grapheneos to drop google play and apple play store accounts. Then, we should create two user profiles one for downloading google play store (w/o logging in) for notifications, and the other for the rest of the apps that do not rely on google play store.

My question is how do I install apps without a google play store account? F-Droid and apk's are available for a limited number of apps. What do I do for the rest?

If I install google play store with an anonymous email address, can't google play uniquely identify me by my fingerprint (collection of apps installed + other device information). Does Google play have access to the IEMI or any other information from the phone that can be cross-referenced? If I turn off my VPN for a moment to perform a sync on my LAN, google will have my IP. There seem to be too many opportunities to de-anonymize if I sign into Google play.

Carlos-Anso

n2gwtl can't google play uniquely identify me by my fingerprint (collection of apps installed + other device information).

They can uniquely identify you by the account you log in with. If you move to another device and keep the exact same set of apps, while using a different account for Play that does create the possibility that you the Google apps could ascertain its likely the same person if you have a unique set of apps.

n2gwtl Does Google play have access to the IEMI or any other information from the phone that can be cross-referenced?

https://grapheneos.org/faq#hardware-identifiers

n2gwtl If I turn off my VPN for a moment to perform a sync on my LAN, google will have my IP.

If you dont need to use their other services active you could keep the Google Play apps disabled when not updating apps.

You may decide that you prefer to source your apps via Aurora Store or some other way. Many people do.

graphie

One option is to grab APKs from the Google Play Store with:

https://apps.evozi.com/apk-downloader/

Just paste the package name or the entire Play Store URL.

N1b

Okay, lots to unpack here, this has been discussed often and seems to be a controversial topic. There is no definite right or wrong in most cases, but you need to figure out your priorities and threat model if you want to make an informed decision.

In general:

Do not use appstores that haven't been updated in years (e.g. Aurora Droid, not to be confused with Aurora Store). These are a security risk and often don't function correctly anymore.
Avoid using closed source appstores except Google Play Store. They don't give you real benefits and could easily be infected with malware (Aptoide comes to mind).

Usually you need one or two sources for your apps, depending on the apps you want.

Source A will be for Open Source apps, some of which you won't be able to install from the big centralized stores like Google Play Store because Google doesn't like them (e.g. NewPipe for watching YouTube without ads).

Source B will have the closed source apps you might need and which are not available on Source A.

Source A and B will be complementary for most people, but some might get along with just one of the two.

Source A (Open Source) could be:

Apps that make use of the F-Droid repository and other repositories. The F-Droid Client is the original, but other clients like Droid-ify and Neo Store come with nicer user interfaces, security enhancements and prepared repositories that you just enable in the settings. I'd recommend Neo Store because it can do unattended, automatic updates of your apps. Droid-ify is prettier and easier to use though if that's important to you.
Apps that pull the apk files from a server (such as Github, the F-Droid Repository, developer website) and notify you if a new version is available. This would currently be done by Obtainium and could be everything you need. It takes some time to set up correctly and it won't do unattended updates for you.
The Accrescent App store which is super promising but still unstable and unfinished. Probably not yet what you're looking for.

For Source B (closed source) I can only think of two options:

Sandboxed Google Play store. By far the most secure, but least private option. Generally recommended if you want/need to use Google Play Services anyway, but a Google account is required. You could use a throwaway account and set up your owner profile to only install and update apps while you do everything else in dedicated user profiles with or without Sandboxed Play.
Aurora Store, which is pulling the APKs from the Play Store but log you in with a shared, anonymous account to mitigate tracking through Google. You could log in to your (throwaway) Google account to get access to apps you paid for, but it's not wise to do that since your account can get banned when being caught using Aurora Store. It's basically the option for people who refuse to install Google Services. Be warned though that some banking apps won't work if installed through Aurora.

There are other ways and I'm sure they will be mentioned here, but I assume the ones above are the most popular options for you.

So TLDR my recommendation:

Use Neo Store for Open Source apps (or Droid-ify if you prefer style over features)
Use Obtainium if you don't shy away from setting up everything yourself. It could potentially serve you with all the apps you need.
Use Play Store for closed source apps and to be most secure. If you really, really can't stand Sandboxed Play Services, go with Aurora Store instead, but prepare for some rough edges.

I simplified and left out a lot of information here, but I hope to get the gist across. Feel free to correct me if I made a big mistake or forgot to mention something important to you.