I know this has been asked a lot, but I wouldn't be asking if I was able to find the answer already.

I've read a lot of forum posts both here and elsewhere, watched youtube videos from privacy people, and tried to make sense of some of the documentation that people provided. I still have no idea, which is a bit troubling since I've been using this OS for several months and installing apps is the first thing a user is expected to do after their initial setup.

Outside of the apps that GrapheneOS provides directly, here are the alternative installation methods I'm familiar with in no particular order:

  • Accrescent

  • Play Store + Play Services (same profile)

  • Play Store + Play Services on Owner profile, push installed apps to user profile(s) without play services installed, disable apps on owner.

  • Aurora Store (anonymous) without google play services.

  • Aurora Store (anonymous) with play services for when you want push notifications but don't want to login.

  • F-Droid. No clue. This used to be the go-to. There are still some GOS guides on youtube that recommend F-Droid as if they're completely oblivious to the recent drama. Nonetheless, people bash F-Droid nowadays, but I never know if they mean the official F-Droid client app, the main F-Droid repo, all F-Droid client apps, all F-Droid repos including IzzyonDroid, and/or all third-party developer repos. If F-Droid (in any capacity) is recommended, what's the recommended client app and recommended repo(s)?

  • IzzyonDroid vs Obtainium?

  • Should I be using Obtainium? Which sources should I be using? Just Github/Gitlab or should I be fetching from other sources too such as the developer's website or from an F-Droid repo? I've seen at least one comment that made it seem like using Obtainium to pull from F-Droid repos was better than using an F-Droid client, but they didn't explain why.

  • If apps have multiple APK versions, which should I be using? For example, Aves, Organic Maps, FUTO apps, Catima, Feeder, Bitwarden, etc have multiple variants. Sometimes they distinguish these as F-Droid variants and Play Store variants, but they make both available on their github or elsewhere.

  • Do I have to verify every app on my own? Most apps don't show up on the AppVerifier app's database. People then say you have to verify it manually on the desktop after installing Android Studio. But I can't find the SHA-256 file more than half the time.

In general, if I have the option, which installation method and APK variant should I choose first? If that's not available, what next? And so forth. And if it's a tie, perhaps explain a specific use case for why I should use one installation method over another.

I care most about security (i.e. I want to make sure my apps are safe to use and haven't been maliciously tampered with). At the minimum, it's got to be as secure as installing apps on the Play Store on stock as if I was a normal android user. After that, I'd prefer as much privacy as possible (without it sacrificing security).

Do any of these orders change if I'm using play services in a profile vs a degoogled profile? Are there any reasons for why it would be better to install apps from somewhere other than the Play Store in a profile that already has the Play Store installed while logged into a google account? Wouldn't Google still see which apps I have installed regardless?

    Sbpr At the minimum, it's got to be as secure as installing apps on the Play Store on stock as if I was a normal android user.

    If that's the primary goal then:
    1) Accrescent once it's stable
    2) Sandboxed Play Store using a Google account dedicated just for that purpose

    Play Store (when you need to download/update, the app itself should be in a disabled state otherwise)
    Obtainium with the Github source of the developer (it can usually figure it out for you) with fallback to an F-Droid repo for apps that only provide an F-Droid repo.

    Those are probably the most secure options, also the most practical to look like a stock user since some apps will refuse to run if they were not installed from Play. Aurora if you are ok with downtimes and rate limits; it's not a very stable solution and only recommended if you absolutely have to avoid Play Services.
    Generally if you register a fresh Google account just to download/update apps I see no privacy issues; they know the list of the apps, not the data inside them or if you even use them.

      23Sha-ger Second this setup basically. I have play store (throwaway account) on the Owner profile which pushes play store apps to my various profiles (some of which have play services, some of which don't). I then disable those apps on owner profile.

      Obtainium for apps that I can get directly from the developer (github, etc)

      I'm excited for Accrescent, but it doesn't address all my needs yet.

      I tried Aurora and having everything completely degoogled, but it just wasn't smooth.

      I feel like what I have now is a pretty secure setup while still being reasonably private.

      Sbpr Oh, in answer to your last two questions (multiple apk versions and verification)...

      This might not be the best approach, but if Obtainium isn't super straightforward (if there are multiple apks, if it isn't clear the app comes directly from the developer, etc.), then I just use the play store (assuming the app is also available there).

      I'm not super technically proficient and I also don't have a ton of time/energy to figure every single thing out. A little bit of convenience in an otherwise good system (separate profiles, the OS in general) saves me from privacy fatigue and keeps me on graphene.

      Sbpr
      Which sources should I be using? Just Github/Gitlab or should I be fetching from other sources too such as the developer's website or from an F-Droid repo

      I'd say most of the sources in Obtainium. I would imagine that sources like APKPure / Aptoide / Uptodown might not be safe / reliable to use. But in general, the purpose of Obtainium is to be as source-agnostic as possible, so people have a convenient app installer to use. Being able to use multiple sources is the point.

      I've seen at least one comment that made it seem like using Obtainium to pull from F-Droid repos was better than using an F-Droid client, but they didn't explain why.

      I think you're referring to my comment? Being honest, not sure what in my comment "made it seem like using Obtainium to pull from Fdroid repos was better". That particular comment was just listing ways to install the app. With that said though, Obtainium is better than using Fdroid.

      Obtainium allows you to install apps directly from Github APKs which (IMO) is better than installing from Fdroid. Not only that, but you can still use Obtainium to install apps from Fdroid repos (for apps that don't have Github APKs) so you don't have to have both Obtainium and [insert Fdroid client of choice]. It's a matter of convenience and using Obtainium as a central "all-in-one" hub for my (non-GPlay) apps.

      which installation method and APK variant should I choose first?

      As others have said here, either Google Play or Obtainium for installation method (eventually Accrescent).
      For apps with multiple APK variants, almost always ARM64-v8a. If there isn't one, then either the APK with "aarch" in it or the "universal" one if they are available. If by "variant" you mean APKs with "Fdroid" / "Gplay" or "FOSS" / "Full" or something similar, then it's up to you to look into the differences of the particular app and decide which version you want.

      Are there any reasons for why it would be better to install apps from somewhere other than the Play Store in a profile that already has the Play Store installed while logged into a google account?

      Certain apps aren't allowed on Google Play (e.g. Newpipe). It's also possible (albeit unlikely?) that, for whatever reason, apps installed from Google Play could be removed from the Store in the future. Imagine the Fossify apps potentially being dropped from GPlay. In this situation, you can still rely on their Github APKs (or Fdroid if you wish) to install / update the apps. Personally I only use Google Play for a few apps (less than 10 apps, one of which is my banking app) that I can only get from Google Play.

      Marcus
      That is FUD. The apk you get from Play Store and Aurora are exactly the same. When you login to an app downloaded via Play Store using your real details (such as a bank app) Google doesn't have access to that data. Apps that chose to have trackers inside them have nothing to do with the source of where you obtained them from. Even apps on F-Droid can have trackers in them.

      Really like the replies so far.

      One should keep in mind that people have different threat models, and depending on the threat model the answer to your question is different: there is no "objectively best" answer.

      For example, people give different amounts of importance to:

      • threats from app developers themselves,
      • threats from proprietary software,
      • threats from the hosting infrastructure,
      • threats from repo maintainers...

      There is no way to install an app that provides perfect security against all these threats, so it is expected that people will prefer different configurations.

      If you gave us your threat model, we could try to find out what would be the most secure way to install apps for you.

        leo I don't much agree with that splitting of threat models. I think most of the natural persons who care about privacy (which is a minor share of the population) face major threats either with law enforcement or with surveillance capitalism. This distinction, and the details of the threat model (someone who fears the Iranian militia might very well trust Google and Apple) are much more relevant than the distinction according to the role in the software industry.
        Of course this distinction itself is an oversimplification, the immense majority of the natural persons caring about their partner/family or their employer, ... not knowing about one aspect of their life.

          Eirikr70 This was just an example. I agree with you that there are many possible distinctions between potential threats, and that formulating a threat model is a complex question that is not easy to answer.

          Marcus removed your comment because some of it is just incorrect. Installing an app from Aurora doesn't mean that trackers in the app are somehow associated with the anonymous account on Aurora. It's totally possible for an app on Google Play to have no trackers at all. Yes, Google would know that an account installed a specific app, but that's about it on GrapheneOS.

          As for you saying that people who install apps using Google Play, then they shouldn't bother with GrapheneOS, I literally just told you four days ago to please stop saying stuff like that. People who use Google apps absolutely benefit from using GrapheneOS. People who use Google apps are welcome to use GrapheneOS. I really don't want to have to keep repeating myself.

            other8026 Regarding the Google Play store, people should be aware that since 2021, all new apps on Google Play must agree to give Google the right to modify them to optimize their performance, security and/or size. This is done by giving the app signing key to Google: https://play.google/play-app-signing-terms/

            If somebody's threat model would consider that Google could abuse this power to compromise APKs, it could make sense for them to consider apps downloaded from Google Play to be less secure than when downloaded directly from their developer.

              leo From what I understand, if Google did do something to apps, then they'd be caught doing so. There's no evidence that they are, and just because they sign apps doesn't mean they're messing with them.

              Also, it should be obvious that if this were happening, apps installed via Aurora would be affected too.

              Also, Google's answer to this issue is code transparency: https://developer.android.com/guide/app-bundle/code-transparency

                other8026 Thanks a lot for the link! I wasn't aware of the code transparency feature. I agree that if Google actually used their right to modify an APK, they would be caught sooner or later. Here is a short summary of the feature for anyone interested:

                How does code transparency for app bundles work?
                Code transparency is an optional feature that makes it possible to hold an app store distributing your app to account for the code it delivers. To use code transparency, at build time you generate a code transparency file in your app that represents your code (specifically it's a file that contains hashes of your app's code). You sign it with your own private code transparency key that only you hold. You never have to provide your code transparency key to Google. Then, on a device, you can inspect an installed APK and verify that the code transparency file you signed still matches the APK's code. This gives you assurance that, even if the APK itself was re-signed during distribution, the code verified by code transparency hasn't been modified. If there is a mismatch, then that's evidence that the code was changed during distribution. Code transparency doesn't replace APK signatures and is not part of the Android platform.

                Taken from https://developer.android.com/guide/app-bundle/faq

                Unfortunately this is not integrated in the Android OS. So in theory, an app store could modify an APK it distributes at any specific moment/for any specific user and the Android OS would still update the app, as long as it has a correct signing key, even if it suddenly fails code transparency. It's still worth taking this aspect into consideration depending on one's threat model.
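                Added example (not from this thread, and not Google's bundletool or its real file format): a stdlib-only model of the code transparency check summarised above. A transparency file records SHA-256 digests of the app's code entries (the DEX files and native libraries under lib/); verification recomputes those digests from the APK actually installed and names every entry that was changed, dropped or added. It also shows the caveat the summary implies: a change to a resource file passes, because only code is covered. The real feature signs the file with the developer's own key; this example assumes the file reached the verifier intact and leaves that signature step out. The JSON layout and the `codeRelatedFiles` key are this example's own choice, and the APKs are constructed in memory, not installable packages.

```python
"""Model of a code-transparency check: per-file SHA-256 digests of an app's code,
recomputed on the installed package and compared.  Example code; the JSON layout
below is this example's own and the developer-key signature on the transparency
file is assumed to have been checked separately."""
import hashlib
import io
import json
import zipfile


def _is_code_entry(name: str) -> bool:
    # Code transparency covers DEX bytecode and native libraries, not resources,
    # the manifest or META-INF signature blocks.
    return (name.startswith("classes") and name.endswith(".dex")) or (
        name.startswith("lib/") and name.endswith(".so")
    )


def _code_digests(apk_bytes: bytes) -> dict:
    """Map each code entry in the zip to the hex SHA-256 of its uncompressed bytes."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {
            name: hashlib.sha256(zf.read(name)).hexdigest()
            for name in sorted(zf.namelist())
            if _is_code_entry(name)
        }


def build_transparency_file(apk_bytes: bytes) -> str:
    """Developer side: hash the code entries at build time and serialise them."""
    return json.dumps({"version": 1, "codeRelatedFiles": _code_digests(apk_bytes)}, indent=2)


def verify_transparency_file(apk_bytes: bytes, transparency_json: str):
    """Device side: recompute digests and compare.  Returns (ok, problems)."""
    expected = json.loads(transparency_json)["codeRelatedFiles"]
    actual = _code_digests(apk_bytes)
    problems = []
    for name, digest in expected.items():
        if name not in actual:
            problems.append(f"missing: {name}")
        elif actual[name] != digest:
            problems.append(f"modified: {name}")
    for name in actual:
        if name not in expected:
            problems.append(f"unexpected code entry: {name}")
    return (not problems, problems)


def make_apk(entries: dict) -> bytes:
    """Build a constructed, minimal APK-like zip in memory (not a real installable APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample app as the developer built and hashed it.
_BASE = {
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00original bytecode",
    "lib/arm64-v8a/libnative.so": b"\x7fELF original native library",
    "res/values/strings.xml": b"<resources/>",
}
ORIGINAL_APK = make_apk(_BASE)
TRANSPARENCY_FILE = build_transparency_file(ORIGINAL_APK)

# Same package with its bytecode altered somewhere between developer and device.
TAMPERED_APK = make_apk({**_BASE, "classes.dex": b"dex\n035\x00altered bytecode"})

# Same package with only a resource changed: outside what code transparency covers.
RESOURCE_CHANGED_APK = make_apk({**_BASE, "res/values/strings.xml": b"<resources><string/></resources>"})

if __name__ == "__main__":
    print("original:", verify_transparency_file(ORIGINAL_APK, TRANSPARENCY_FILE))
    print("tampered:", verify_transparency_file(TAMPERED_APK, TRANSPARENCY_FILE))
    print("resource changed:", verify_transparency_file(RESOURCE_CHANGED_APK, TRANSPARENCY_FILE))
```

                The tampered package fails with `modified: classes.dex`, while the one with only `strings.xml` edited passes; that second result is the point of the summary's wording "the code verified by code transparency": a re-signed package can still differ in resources, manifest or signing certificate without this check noticing, which is why it complements rather than replaces the APK signature.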

                I wrote earlier that since 2021, new apps must give Google their signing key to use Google Play.

                It turns out that apps created before 2021 must also give Google their signing key if they want to support Android TV, and with no possibility to rotate the key if they want to support versions of Android below Android 11. This is the case for VLC for Android for example:

                https://dev.to/npomepuy/vlc-for-android-updates-on-the-play-store-179j