Hi! I switched from iPhone to GrapheneOS recently and am happy I did so. I have a question about update / patch management.

I'm using multiple sources to install / update apps in 2 different profiles (private and work profile).
Google Apps, Aurora, F-Droid, Obtainium, and I might even have installed one or 2 APKs directly from the supplier's website.

Because of this, compared to my iPhone with its App Store, updating is becoming a bit of a mess and I'm not sure if all my apps are up to date.

2 questions:

In case of using Google Play Store (in my work profile), does it still make sense to also use Aurora, since Play Store is installed anyway? Or should I just get rid of Aurora? (I need Play Store because of Android Auto.)

2nd question: is there a way to centralize the update management from all these apps? Ideally I would only have to use Obtainium and only use direct sources, but unfortunately the landscape is not set up like this. I've been able to eliminate a lot of apps or find FOSS alternatives, but still, for banks or supplier apps, it's difficult to not use the official route. How do you make sure you are still being secure and not creating a mess of install sources becoming a new risk on its own?

    You don't need Aurora when you have the Play Store.

    The 2nd question is a bit tricky :-) Use fewer apps? I think there's no solution.

      Meph Personally I would stick to Play Store and get rid of Aurora Store, as the Play Store is more reliable and secure. And I would also use Obtainium. Did you know you can use Obtainium to get F-Droid updates too - just search for the app on f-droid.org and put it into Obtainium? As well as 3rd party repositories and even suppliers' websites, just put the link in Obtainium, it's getting better and better at just working. So you most likely only need the Play Store and Obtainium.

      EDIT: also remember, when you update an app in one profile, it updates in all profiles. So you can centralise updates in your main profile if you want, but that's just an extra tip

      Meph In case of using google play store (in my work profile), does it still make sense to also use Aurora

      Not really. Aurora Store has some security issues (more on that here). I personally don't really see the privacy advantages of using Aurora Store compared to using an anonymously created Google account with the Play Store. F-Droid also has its own share of security issues.

      You can find a lot of threads on the forum about this topic. Of special note is the GrapheneOS account's write-ups on the topic of app stores. Here's an example, and I'll quote it here because Twitter annoyingly doesn't allow reading replies without an account:

      For getting apps from the Play Store, it's better to use the sandboxed Play Store with a purpose-specific account instead of Aurora Store. Aurora Store doesn't verify signatures proving apps came from the Play Store and trusts every Certificate Authority for HTTPS connections.

      There are a lot of choices for getting apps from outside the Play Store. We recommend https://accrescent.app for the small number of apps available in it including Molly. Accrescent needs more contributors and funding to substantially expand. We're going to try to support that.

      We don't recommend manually downloading app releases from GitHub, etc. mainly because you won't have automatic updates. You can solve that issue with the Obtainium app. However, unlike a proper app store, it won't secure the initial download beyond the HTTPS connection security.

      F-Droid has far too many security and trust issues for us to recommend it. The vast majority of apps in the official F-Droid repository are built on their sketchy infrastructure and signed with their own keys. We're concerned about a future mass compromise of F-Droid users.

      People who work on F-Droid have demonstrated a lack of trustworthiness including engaging in harassment towards security researchers and covering up vulnerabilities/weaknesses in the app. Lead developer has repeatedly claimed app sandboxes aren't useful or a good approach...

      Major app/server and build infrastructure security improvements along with anti-security and untrustworthy people leaving the project would be a prerequisite to us considering even packaging F-Droid in our app repository. That's very unlikely, so we want Accrescent to replace it.

      xxx Thank you, this helps. Will Play Store pick up the updates if I remove Aurora, or do I need to reinstall the apps that have been installed from Aurora?

      Thank you all, I will try to move to a combo with just Play Store sandboxed and Obtainium. This makes things a lot easier.

        Meph Thank you, this helps. Will Play Store pick up the updates if I remove Aurora,

        Yes I think so. Perhaps keep an eye open the first time.

        Meph
        Play Store should be able to update as Aurora uses the same APKs from the Play Store. You might have to do the same that this user says though.

          Dumdum

          Thanks, tested. 2 apps I wasn't able to update from Play Store and had to remove and reinstall. With the Netflix app it worked well.

          So I guess some apps can, and some can't ;)