Just got a pixel and installed GrapheneOS - best way to install apps?

de0u

When I had my Pixel for a week with Graphene my wifi suddenly stopped giving out new IPs.

After checking, the routing table was full. Deleted all entries manually and changed the MAC randomization settings on my phone. No trouble since :-)

soon404 The setup you're referring to is mainly for people who want a setup where their main profile is 100% google-free with only FOSS apps, while maintaining a separate compartment that has the Google stuff installed.

This will definitely offer better compartmentalization and privacy protection, but it comes with some downsides:

  • A setup without sandboxed Google Play services (GPS) may result in increased battery consumption due to messaging apps needing to maintain a constantly open websocket for notifications instead of relying on GPS. From personal experience, Telegram is fine, but Signal has horrendous battery drain when used without GPS.
  • You'll need to switch back and forth between different profiles and it is structurally impossible to have data flow back and forth between different profiles. This is usually a feature, not a weakness, but there are times when I want to have data flow from a trusted app to a proprietary app. An example is copying bank details from Signal and pasting them into a proprietary banking app.

    Below is AI-generated content and may contain inaccurate content.

    App Installation Options

    • Google Play Store:
      • Pros: High security, broad app availability, seamless updates.
      • Cons: Requires a Google account, less privacy.
      • Usage: Best for essential apps like banking apps, which require strong security measures.
      • How to Use: Install Google Play Services from the "Apps" app on GrapheneOS, then install the Play Store and use it as you normally would.
    • Aurora Store:
      • Pros: Access to Google Play apps without a Google account, maintains some level of anonymity.
      • Cons: Security not as robust as direct Google Play Store use, potential for unreliable updates.
      • Usage: Good for general apps where you want more privacy but can compromise a bit on security.
      • How to Use: Download and install Aurora Store from its official website or a trusted source.
    • F-Droid:
      • Pros: Focus on open-source apps, strong privacy.
      • Cons: Slower updates for some apps, not all mainstream apps available.
      • Usage: Ideal for open-source apps and privacy-focused users.
      • How to Use: Install F-Droid from its official website.
    • Obtainium:
      • Pros: Fetches and updates apps from official websites or GitHub, strong privacy.
      • Cons: Requires manual setup and maintenance.
      • Usage: Good for apps not available on other stores or for those who want to avoid centralized app stores.
      • How to Use: Download and install Obtainium from its official GitHub page.

    Recommended Apps and Sources

    • Telegram:
      • Option: Telegram X or the FOSS version.
      • Source: Aurora Store or F-Droid for FOSS version.
    • Signal:
      • Source: Directly from Signal's official website or via F-Droid.
    • Session:
      • Source: Available on F-Droid or directly from the official website.
    • VLC Player:
      • Source: F-Droid or Google Play Store via Aurora Store.
    • WinZip Alternative:
      • Options: ZArchiver or 7Zipper.
      • Source: F-Droid or Aurora Store.
    • Orbot:
      • Source: F-Droid.
    • Notes App:
      • Option: Notally, Joplin, or Standard Notes.
      • Source: F-Droid for Notally and Standard Notes; Joplin can be downloaded from its official website.
    • ProtonMail:
      • Source: Directly from the ProtonMail website or Aurora Store.
    • Crypto Wallet (e.g., Exodus):
      • Source: Directly from the official website or Aurora Store.

    Tips for Best Practices

    • Compartmentalization: Use different profiles for different types of apps to enhance privacy and security. For instance, keep your main profile Google-free and use a secondary profile for apps requiring Google services.
    • Updates: Regularly check for updates, especially if using F-Droid or Obtainium, to ensure apps are up-to-date and secure.
    • Permissions: Be cautious with app permissions and review them regularly to minimize exposure.

      Vagabond8630 The GOS community recommends using the Play Store, but if you are willing to sacrifice security for privacy, or do not want to use sandboxed Google Play services, you could use AuroraStore's anonymous account to download proprietary apps.

      Compared to using an anonymous Google account, how does this increase my privacy?

        soon404 Doesn't really seem like there's a way to make a completely anonymous one.

        There is: https://discuss.grapheneos.org/d/3366-how-to-create-google-account-anonymous/66

        If by anonymous you mean that they don't know who you are, then this is anonymous. You are not giving up personal information.

        soon404 Besides, won't having the Play Store installed on the device just have it in the background... "spying"? Or won't it know my activities in apps and therefore be able to technically profile who I am?

        That's not how it works, not at all. Play Store can't see your activities in other apps. Play Services on GrapheneOS run in the standard app sandbox, without the privileged access it has on stock OS. In other words, it cannot do anything more than any other app you install on your phone.

        Being an app store, it will need to see which apps you install and have installed. Like any other app, it can collect your activities within the Play Store app itself. Of course also your IP address, if that matters to you.

        I've basically paraphrased the entry about Sandboxed Google Play on grapheneos.org: https://grapheneos.org/features#sandboxed-google-play

        soon404 I've seen people say to download them on a different profile but I don't really understand the benefits of this, still a big noob lol

        There are several benefits to user profiles. But as a new user, I personally recommend not using them unless you have a clear reason to do so. I'm not saying that to dissuade the usage of profiles in general. Rather, I'm observing many users who start out by separating their apps into two or more profiles, because they think this is a necessity to use GrapheneOS (it's not; it's your choice) and then come here and express how exhausted they are with constantly switching between profiles, and then saying that GrapheneOS is not for them because it's too tiring.

        It's interesting to discuss privacy practices, but when installing GrapheneOS for the first time, I recommend starting out simple. Use the Play Store, install the apps you usually use, then slowly go from there based on what you want/need further.

          fid02 You wouldn't be connecting directly to Google's servers when using Aurora Store, and you can skip needing to create and log into a Google account altogether. You also don't have to have GPS installed at all if going the Aurora route. Whether that has tangible privacy benefits compared to using an anonymous Google account with sandboxed GPS, I'm not sure.

          To be clear, thanks to your advice, I use an anonymous Google account to download apps through the Play Store, but I wanted to let @soon404 know of alternatives.

          Subliminal Thanks so much, this is great - is there a privacy & security "issue" with just downloading every one of these from the Aurora Store instead of getting them all through F-Droid?

            fid02 Thank you, slowly learning by the day and hopefully soon I'll possess a similar base of knowledge as others here. Will look at the profiles feature too, but I'll start light for now to not confuse myself - there's a lot of information to take in, that's for sure.

            soon404 Apps on F-Droid are all FOSS by definition, while Aurora Store has both FOSS and closed-source apps. So, any apps that are available on both F-Droid and Aurora Store are FOSS apps that are also available for download on the Play Store (through the Aurora Store client).

            However, that sometimes means that apps that normally don't come with any Google dependencies in the F-Droid version come with Google dependencies in the Play Store/Aurora version. An example is Bitwarden, a FOSS password manager that is on both F-Droid and the Play Store. The F-Droid version doesn't come with Google Firebase, while the Play Store version does (source):

            Since the Bitwarden F-Droid build does not include Firebase Messaging, push notifications for live sync updates of your vault will not work.

            In these cases, I always try to download the F-Droid release to avoid proprietary code as much as possible, but directly from the source via Obtainium (Example Bitwarden release page with multiple release versions).

            Privacy Guides has a great section on their recommendations for installing apps on Android. I recommend you give that a read, together with various GOS-community recommendations on best practices (link1, link2, and so on).

            The overall community consensus seems to be:

            Obtainium > F-Droid Basic > F-Droid for FOSS apps, and Sandboxed Play Store with anonymous G account > Aurora Store with anonymous user >= Sandboxed Play Store with personal G account for proprietary apps.
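The Bitwarden case above (same app, two builds, one bundling Firebase Messaging) is easy to check for yourself before installing. The script below is an added example, not code from the thread or from Bitwarden, F-Droid or Obtainium: an APK is a ZIP file, and the Dalvik bytecode in its classes*.dex members carries the class names of every bundled library as plain UTF-8 strings, so a byte search for the Google descriptor prefixes is enough to see which dependencies a downloaded build ships, without decompiling it. The two APKs it scans are constructed in memory as stand-ins for a Play build and an F-Droid build; the marker list is an assumption you can extend.

```python
"""Check a downloaded APK for bundled Google Play / Firebase code.

Added example for the GrapheneOS thread above; not the page's own code.
The sample APKs are constructed in memory, not real Bitwarden builds.
"""
import io
import re
import zipfile

# DEX class-descriptor prefixes that indicate Google dependencies.
# Constructed list for this example; extend with whatever you want to flag.
GOOGLE_MARKERS = {
    "firebase-messaging": b"Lcom/google/firebase/messaging/",
    "firebase-core": b"Lcom/google/firebase/",
    "play-services-gcm": b"Lcom/google/android/gms/gcm/",
    "play-services-base": b"Lcom/google/android/gms/",
}

# Multidex APKs ship classes.dex, classes2.dex, classes3.dex, ...
DEX_NAME = re.compile(r"^classes\d*\.dex$")


def scan_apk(apk_bytes):
    """Return {marker_name: occurrence_count} for markers found in any classes*.dex."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for member in zf.namelist():
            if not DEX_NAME.match(member):
                continue
            data = zf.read(member)
            for marker, needle in GOOGLE_MARKERS.items():
                count = data.count(needle)
                if count:
                    hits[marker] = hits.get(marker, 0) + count
    return hits


def has_firebase_messaging(apk_bytes):
    """True if the build carries Firebase Cloud Messaging classes (Play-style push)."""
    return "firebase-messaging" in scan_apk(apk_bytes)


def build_fake_apk(dex_strings):
    """Construct a minimal ZIP laid out like an APK (test data only, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary-XML stub
        # Real DEX files start with the "dex\n035\0" magic; the rest here is
        # just NUL-separated class descriptors, enough for a string search.
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(dex_strings))
    return buf.getvalue()


# Constructed stand-ins for the two builds discussed in the thread.
# Package names are hypothetical placeholders, not the real app's.
PLAY_BUILD = build_fake_apk([
    b"Lcom/example/passwordmanager/MainActivity;",
    b"Lcom/google/firebase/messaging/FirebaseMessagingService;",
    b"Lcom/google/android/gms/common/GoogleApiAvailability;",
])
FDROID_BUILD = build_fake_apk([
    b"Lcom/example/passwordmanager/MainActivity;",
    b"Lorg/unifiedpush/android/connector/MessagingReceiver;",
])

if __name__ == "__main__":
    # To check a real download: scan_apk(open("app.apk", "rb").read())
    for label, apk in (("play-build", PLAY_BUILD), ("fdroid-build", FDROID_BUILD)):
        print(label, scan_apk(apk), "firebase messaging:", has_firebase_messaging(apk))
```

Note the design choice: the check is deliberately a string search over the DEX members rather than a manifest parse, because AndroidManifest.xml inside an APK is binary XML and a library can be bundled without declaring any component there; the class descriptors, by contrast, are always present in the bytecode. It tells you what is packaged, not what is exercised at runtime.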

              Vagabond8630 The overall community consensus seems to be:

              Obtainium > F-Droid Basic > F-Droid for FOSS apps, and Sandboxed Play Store with anonymous G account > Aurora Store with anonymous user >= Sandboxed Play Store with personal G account for proprietary apps.

              This list, are you saying that people's first choice is Obtainium then next is F-Droid, and so on? Because that's not the impression that I get, nor is it the project's recommendation.

              Google Play is the most secure way to install apps. Accrescent is another secure place to get apps, but since they're still in the early stages they don't have many apps listed.

              Using F-Droid is pretty much discouraged across the board because there are many issues with how they do things, covered here: https://privsec.dev/posts/android/f-droid-security-issues/

                other8026
                To be fair, I think the "FOSS apps" half of the comment comes with the unspoken caveat of 'for people avoiding/de-Googling' as is often the case for many pro-FOSS users.

                  other8026

                  Right, I should have clarified that the "for FOSS apps" qualifier implies:

                  • Apps that are only available on public repos/F-Droid and not on the Play Store
                    • ex: NewPipe
                  • For users who want to avoid as much Google code as possible
                    • ex: Google Firebase Messaging that is included in Bitwarden's Play Store version but not in the F-Droid version
                  • Apps that offer a better experience in the F-Droid version
                    • ex: Apps that require in-app purchase in the Play Store version, but offer the full functionality in the F-Droid version, such as Tasks.org

                  For "regular" apps that aren't included in the above, I agree that the Play Store is definitely the most secure app installation method.

                  Using F-Droid is pretty much discouraged across the board because there are many issues with how they do things, covered here: https://privsec.dev/posts/android/f-droid-security-issues/

                  I agree, which is why I put Obtainium (direct download from source repo) above F-Droid and F-Droid Basic. F-Droid Basic is slightly more secure than F-Droid due to reduced attack surface, but I still prefer to get apps directly from their source repo. However, I still use F-Droid Basic for apps that don't have .apk releases or recent updates on the repo, such as Shelter.

                  In the case of Shelter, I use the custom F-Droid repository, which is both signed by the author and has faster updates, which alleviates most of the security concerns with F-Droid.

                  With that said, I choose Obtainium over everything else for FOSS apps whenever possible for the reasons I gave above.

                    Whoops. Looks like I was reading too fast and missed an important point.

                    Dumdum thanks for pointing that out!

                    Vagabond8630 sorry for that! I do see your point that the FOSS versions of certain apps aren't available on Google Play. Also, other apps aren't listed there for various reasons.

                    8 days later

                    fid02 There are several benefits to user profiles. But as a new user, I personally recommend not using them unless you have a clear reason to do so. I'm not saying that to dissuade the usage of profiles in general.

                    Hey there, I am a rather new user and have been running two profiles since the start (Pixel 8 launch).
                    I install everything from the admin profile, mainly from Google Play and a couple of apps through Obtainium.
                    That's all I use the admin profile for.
                    In the daily profile I have forbidden the installation of any apps, and I use this one for everything else.
                    I have the Play Store fully set up in both for notifications, but signed in ONLY in the admin profile. My logic is to get a bit more privacy (because I'm not signed in in the daily profile), while using the apps installed through the Play Store (widely considered the more secure method, as far as my understanding goes). Worth mentioning that I don't see any additional battery drain, because in the admin profile I set up connection through VPN only and I kill it every time I switch to 'daily'.
                    The approach works with no problem and the separation is quite clear to me; the downside that I have in my mind is how easy it is to delete the daily profile (because it asks for no confirmation or anything if you press delete and just wipes the whole thing). I understand that from a security standpoint this is a feature, but in my use case, let's just say it's not the best.

                    My main question is: do I actually get any advantages privacy-wise (from big G) using this approach, or is it all in my head, like the FSB agents out there trying to get me?
                    And a Hail Mary rather than a question: is there any chance there is a way to make 'daily' less 'deletable', be it with an extra prompt or even a password input?