
lberrymage

Right: It works with the back gesture. But a back button like in GrapheneOS Store would help/make sense.

Thanks both, but I'm still a bit confused, at the moment, the whole point is to install Apps from Google?
I don't see other ways if I keep using Accrescent, unless I use other repos like Aurora.

Though it is not clear to me how this protects me, I see that the GServices in GrapheneOS are sandboxed, does it mean that every app requesting GServices will be sandboxed too?
I just need to avoid Google collecting info from my phone.


    steve66th does it mean that every app requesting GServices will be sandboxed too?

    Every app is sandboxed, period. If it's requesting GServices, then it's using IPC to communicate past the sandbox with mutual consent. If this is a concern, isolate the app(s) in a separate profile from GPlay or avoid the app altogether. An IPC restriction (app communication) feature is being worked on that will allow concerning / troublesome apps to still exist in the same profile as GPlay.

      App Developer says: regarding Accrescent store, it has a privacy issue where it asks for email address from GitHub, so that's why SimpleX Chat has not been added yet.

      Out of curiosity, is it a good idea to install packages manually and then verify from GrapheneOS with AppVerifier??

      I don't use many apps as of today so it may suit my needs, though it always says that is present as a signature but not verified, I guess that it takes a lot of time to verify all the developers out there, right?
      Anyway, so far so good.

      Dumdum thank you for that, most of apps also run with containers, which in theory are isolated...
      I wonder how a VPN app could work, I guess that at least they don't use containers, but a process in user-space, sad that there is no console/terminal stock app :D .

        steve66th If the apps you use are open source, I would advertise Obtainium to install them. Obtainium will install them, but also take care of updating them.

        steve66th I believe Obtainium works well with AppVerifier, you can share from Obtainium straight to it before installation, if I'm not mistaken.

        I am not sure if the devs of AppVerifier are concentrating their efforts on adding every single app to the internal database and keeping that updated (not that the hashes change that often but it does happen occasionally), I may be wrong though.

        You can obtain the hashes for apps from other places too, like from the developer or from a friend who has the app installed already, or even from this forum. I would be happy to give you the SHA-256 hashes of any app that you want to install, if I already have it installed. Though I don't think it would be appropriate to do that in this thread as that is pretty far off-topic from OP's original question.

        Out of interest though, would you mind explaining what you meant about apps running with containers and wondering how a VPN app could work? Not sure what you meant there. Sounds like you're used to how desktop OSes run. If you want a terminal app, there are some options, with the closest to a desktop experience being Termux, though there are some very big security issues with that one so I wouldn't recommend it unfortunately. I know there are others, but I'm not sure which is the best in terms of security.
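An added example, not part of the thread and not AppVerifier's or Obtainium's own code: one way to check an APK's signing-certificate SHA-256 digest against a hash obtained out-of-band, as described in the post above. It assumes the text comes from `apksigner verify --print-certs`, that the caller has already checked apksigner exited successfully, and that all sample values (constructed inline) are placeholders.

```python
import hashlib
import hmac
import re

# Signer line as printed by `apksigner verify --print-certs` (format assumed here).
DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M)

def normalize(fingerprint):
    """Accept 'AA:BB:...', spaced or plain hex; return 64 lowercase hex chars."""
    hexed = re.sub(r"[\s:]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hexed):
        raise ValueError("not a SHA-256 fingerprint")
    return hexed

def signer_digests(apksigner_output):
    """Return every signer certificate SHA-256 digest found in the output."""
    return [d.lower() for d in DIGEST_RE.findall(apksigner_output)]

def check_apk(apksigner_output, trusted_fingerprint):
    """Compare the APK's single signer against the out-of-band hash."""
    trusted = normalize(trusted_fingerprint)
    digests = signer_digests(apksigner_output)
    if not digests:
        return "no-signer"          # unsigned, or output was not what we expected
    if len(digests) > 1:
        return "multiple-signers"   # ambiguous: refuse rather than pick one
    return "match" if hmac.compare_digest(digests[0], trusted) else "mismatch"

# Constructed sample data: no real app or certificate is represented here.
_CERT = hashlib.sha256(b"constructed example certificate").hexdigest()
SAMPLE_OUTPUT = (
    "Signer #1 certificate DN: CN=Example Developer\n"
    f"Signer #1 certificate SHA-256 digest: {_CERT}\n"
    "Signer #1 certificate SHA-1 digest: " + "0" * 40 + "\n")
# The same hash as a friend or developer might share it: upper case, colons.
TRUSTED = ":".join(_CERT[i:i + 2] for i in range(0, 64, 2)).upper()
# A different certificate, e.g. after a developer changed the signing key.
ROTATED = hashlib.sha256(b"a different constructed certificate").hexdigest()

if __name__ == "__main__":
    print(check_apk(SAMPLE_OUTPUT, TRUSTED))   # same certificate
    print(check_apk(SAMPLE_OUTPUT, ROTATED))   # certificate differs
```

A "mismatch" result means the APK is signed by a different certificate than the one the hash came from, so it should not be installed on the strength of that hash.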

          roamer4223 I was just wondering how VPNs work on Android, considering that most of the apps are containers, and unless you configure the VPN in the VPN software provided by the OS, it would be just a container and it would suffer all sorts of problems, like leaks.

          In theory, you need admin privileges on a desktop to configure a VPN usually, and if you don't, you may expose yourself to leaks, especially in a multi-user environment, which is very common when using a smartphone, though this goes beyond the thread.

          • de0u replied to this.

            steve66th I was just wondering how VPNs work on Android, considering that most of the apps are containers [...]

            For many people the term "container" has one or another specific technical meaning which does not apply to Android systems. Android apps are not run in LXC or LXD containers, for example. It is unclear how using that term in this context adds clarity.

            Manna It's up to devs to add their apps on accrescent, and to maintain them.

            So if a developer decides to stop maintaining his app on accrescent I'll be stuck with an outdated app and not even realize it?

              Hb1hf

              That's always the case regardless of where you get the app.

                xxx That's always the case regardless of where you get the app.

                Of course I agree it is possible in all cases. But is it equally probable? Are devs equally likely to give up on maintaining their apps on a store with 3 billion users, one with 200 thousand users or one with 1000 users?

                duck1 If I understand correctly, apps that go without updates for over a year or so will be deleted from the store. But how does that change the scenario I asked about? If the app is removed from the store, the user will not be notified, they will just be stuck with an app that won't get updated. Right?

                  Hb1hf But how does that change the scenario I asked about? If the app is removed from the store, the user will not be notified, they will just be stuck with an app that won't get updated. Right?

                  I guess yeah. Devs wouldn't have any reason to not maintain on a specific app store though. Don't know when that has ever happened.

                    Hb1hf "Are devs equally likely to give up on maintaining their apps on a store with 3 billion users, one with 200 thousand users or one with 1000 users?"

                    To me, this question could be argued in all sorts of ways with absolutely no way of answering clearly. For example, I could argue that devs who publish their app on Accrescent, are more likely to keep up the maintenance needed for Accrescent, rather than for the Play Store. Because I would say, devs who wish to publish on Accrescent are more likely to be invested in this app store and the goals of the team behind it. Not just the security and privacy enhancements for users, but for the devs that publish there too. Even the fact that Accrescent is far less well known than the Play Store implies that the devs who publish there are invested in it as they were either searching for a store that would meet their needs, or probably heard of it because they are involved with, or following, projects with similar aims, such as increasing privacy and freedom for users etc, etc...

                    Since both mine, and your, points are pretty much based on assumptions about the motivations of the devs who publish on both app stores, I reckon... Well basically, it's pointless to speculate on.

                    As to your main question, I have personally had apps that were installed by the play store, decide to no longer allow installations on devices that don't pass Play Integrity, despite remaining compatible.

                    In these instances I do not recall being notified, but when I went to the app page in the Play Store, it did say, underneath the uninstall button, that "this app is no longer compatible" (I can't remember for sure, but I think it might have said it was no longer compatible with my device by choice of the developer, or something similar).

                    In one case, the app in question was Netflix, and I decided to install Aurora Store to check if they were actually enforcing the Play Integrity, and they weren't. Ridiculously, the app worked absolutely fine when installed by Aurora (by spoofing the device as a Pixel with the stock OS).

                    I don't know if it would be different if the app was abandoned by the dev. Perhaps Google would respond differently. I mean, isn't that what "Play Protect" is for?

                    I would also be interested to know if Accrescent would have some way of notifying the user if an app was abandoned/stopped being compatible etc...

                      roamer4223 I should add for clarity, in the cases with apps, like Netflix, no longer allowing installations through the Play Store without the device passing Play Integrity - the app also stopped receiving updates.

                      Netflix ended up reversing that decision by the way, though as I don't use it anymore, I can't say for sure that they currently allow installations/updates on GrapheneOS via the Play Store. I hope they do, as not doing so is a stupid and pointless decision for so many reasons.

                      duck1

                      Don't know when that has ever happened.

                      "Contact you" left accrescent after they stopped updating on it.
                      They'd also changed the app's signature, so updates wouldn't have worked.

                      There's no magic solution here.
                      It's up to developers to assume their responsibilities and not leave users without any information. The trust we give them is not limited to the app's code.

                        Manna "Contact you" left accrescent after they stopped updating on it.

                        Did they stop maintaining it in general or just publishing on Accrescent?

                        Manna There's no magic solution here.
                        It's up to developers to assume their responsibilities and not leave users without any information. The trust we give them is not limited to the app's code.

                        I agree

                          5 days later

                          treequell existing Play Store alternatives are fatally flawed.

                          How so?

                          I don't really understand the logic to implement Accrescent either - yes it's good to have a chain of trust from the OS to other apps, but how helpful is it if there's only like ten of those other apps in total?

                          Why not have F-Droid in the Graphene App Store? It's massively well-established, mature in its own app development, and trusted by millions. (If the security issue is that users can add 3rd-party repos, well, that's a user decision just like using Play Store, isn't it? What is F-Droid's "fatal flaw"?)