I know this has been asked a lot, but I wouldn't be asking if I was able to find the answer already.
I've read a lot of forum posts both here and elsewhere, watched YouTube videos from privacy people, and tried to make sense of some of the documentation that people provided. I still have no idea, which is a bit troubling since I've been using this OS for several months and installing apps is the first thing a user is expected to do after their initial setup.
Outside of the apps that GrapheneOS provides directly, here are the alternative installation methods I'm familiar with in no particular order:
Accrescent
Play Store + Play Services (same profile)
Play Store + Play Services on Owner profile, push installed apps to user profile(s) without play services installed, disable apps on owner.
Aurora Store (anonymous) without google play services.
Aurora Store (anonymous) with play services for when you want push notifications but don't want to login.
F-Droid. No clue. This used to be the go-to. There are still some GOS guides on YouTube that recommend F-Droid as if they're completely oblivious to the recent drama. Nonetheless, people bash F-Droid nowadays, but I never know if they mean the official F-Droid client app, the main F-Droid repo, all F-Droid client apps, all F-Droid repos including IzzyOnDroid, and/or all third-party developer repos. If F-Droid (in any capacity) is recommended, what's the recommended client app and recommended repo(s)?
IzzyonDroid vs Obtainium?
Should I be using Obtainium? Which sources should I be using? Just GitHub/GitLab, or should I be fetching from other sources too, such as the developer's website or an F-Droid repo? I've seen at least one comment that made it seem like using Obtainium to pull from F-Droid repos was better than using an F-Droid client, but they didn't explain why.
If apps have multiple APK versions, which should I be using? For example, Aves, Organic Maps, FUTO apps, Catima, Feeder, Bitwarden, etc. have multiple variants. Sometimes they distinguish these as F-Droid variants and Play Store variants, but they make both available on their GitHub or elsewhere.
Do I have to verify every app on my own? Most apps don't show up in the AppVerifier app's database. People then say you have to verify it manually on the desktop after installing Android Studio. But I can't find the SHA-256 file more than half the time.
In general, if I have the option, which installation method and APK variant should I choose first? If that's not available, what next? And so forth. And if it's a tie, perhaps explain a specific use case for why I should use one installation method over another.
I care most about security (i.e. I want to make sure my apps are safe to use and haven't been maliciously tampered with). At the minimum, it's got to be as secure as installing apps from the Play Store on stock, as if I was a normal Android user. After that, I'd prefer as much privacy as possible (without it sacrificing security).
Do any of these orders change if I'm using Play Services in a profile vs a degoogled profile? Are there any reasons why it would be better to install apps from somewhere other than the Play Store in a profile that already has the Play Store installed while logged into a Google account? Wouldn't Google still see which apps I have installed regardless?
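The "SHA-256" that AppVerifier and developer websites publish is the SHA-256 of the app's signing certificate, not of the APK file, which is why a hash of the downloaded file is rarely listed. As an added illustration (not code from the original post, AppVerifier, or GrapheneOS), the following pure-Python snippet walks the APK Signing Block to pull out each v2 signer's certificate and hash it, so the result can be compared against a published fingerprint; it extracts the fingerprint only and does not check the signature itself (use `apksigner verify --print-certs` from the Android SDK build-tools for a full verification). The `build_sample_apk` helper and its certificate bytes are constructed stand-ins so the code runs offline; the ID-value and length-prefix layout follows the published APK Signature Scheme v2 format.

```python
import hashlib
import struct
SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A  # pair ID of the APK Signature Scheme v2 block

def _len_prefixed(buf, pos):  # one uint32-length-prefixed item -> (item, next pos)
    (n,) = struct.unpack_from("<I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def signing_cert_fingerprints(apk):
    """SHA-256 (lowercase hex) of each v2 signer's first DER certificate; [] if unsigned."""
    eocd = apk.rfind(b"PK\x05\x06")  # ZIP end-of-central-directory record
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0] if eocd >= 0 else 0
    # The block ends, right before the central directory, with uint64 size + 16-byte magic.
    if cd_offset < 24 or apk[cd_offset - 16:cd_offset] != SIG_BLOCK_MAGIC:
        return []
    (size_of_block,) = struct.unpack_from("<Q", apk, cd_offset - 24)
    pos, end = cd_offset - size_of_block, cd_offset - 24  # skip the leading size field
    out = []
    while pos < end:  # ID-value pairs: uint64 length, uint32 ID, value
        pair_len, pair_id = struct.unpack_from("<QI", apk, pos)
        value, pos = apk[pos + 12:pos + 8 + pair_len], pos + 8 + pair_len
        if pair_id != V2_BLOCK_ID:
            continue
        signers, spos = _len_prefixed(value, 0)[0], 0
        while spos < len(signers):
            signer, spos = _len_prefixed(signers, spos)
            signed_data, _ = _len_prefixed(signer, 0)
            certs, _ = _len_prefixed(signed_data, _len_prefixed(signed_data, 0)[1])  # after digests
            out.append(hashlib.sha256(_len_prefixed(certs, 0)[0]).hexdigest())
    return out

def matches_expected(apk, expected):  # accepts AA:BB:... or plain hex, any case
    return expected.replace(":", "").lower() in signing_cert_fingerprints(apk)

def fingerprint_of(cert_der):
    return hashlib.sha256(cert_der).hexdigest()

def build_sample_apk(cert_der):
    """Constructed stand-in for an APK: one v2 signer, empty central directory, EOCD."""
    lp = lambda b: struct.pack("<I", len(b)) + b
    signed_data = lp(b"") + lp(lp(cert_der)) + lp(b"")  # digests, certificates, attributes
    signer = lp(signed_data) + lp(b"") + lp(b"")  # signed data, signatures, public key
    pair = struct.pack("<I", V2_BLOCK_ID) + lp(lp(signer))
    pairs = struct.pack("<Q", len(pair)) + pair
    size = len(pairs) + 24  # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
    eocd = b"PK\x05\x06" + bytes(12) + struct.pack("<I", len(block)) + bytes(2)
    return block + eocd
```

On a real APK, `signing_cert_fingerprints(open("app.apk", "rb").read())` gives the value to compare with the developer's published fingerprint; a mismatch means the build was signed by a different key, which is exactly what AppVerifier flags.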