• Off Topic
  • Michael Bazzel recommends F-Droid and Aurora Store, "Insecure?"

  • [deleted]

fria I guess it just really depends on how one wants to setup their GOS device.

Michael Bazzell's setup seems more simple for a lot of users.

And he made another couple points about using just these 2 stores.

He says at least once a week that he gets an angry email saying that he shouldn't be recommending these stores, and receives a link to an article (the same one we see everywhere from almost 3 years ago), about a "Confusing UX" and so on.

He states that he doesn't trust anything fully, and he knows there can be malicious acts with any store.
And that for a setup that allows you to move on wirh your life from your mobile device without much tinkering, F-Droid and Aurora are optimal for him and his clients.

I understand a couple of his points, I was curious about what the community thought of it all.

I may send him an email about it, let's see if I can find his details lol.

[deleted] there’s a lot of quacks that scam lots of people, amazon reviews don’t matter.

fid02
I haven’t tried this method yet, since I read one of your comments last month, but what about pseudonymous non-burner accounts, that is, accounts to buy apps?
Are you able to buy apps?

I’ve been successful in redeeming Google Play Cards and buying apps, but that involves asking Google support to redeem it for me, which is less than ideal, to say the least.

    leafnose Are you able to buy apps?

    I haven't heard of anyone having issues with buying apps with a credit card through Play Store? If you're wondering if buying apps requires providing a phone number, then I haven't heard reports of that, although I haven't tried myself.

      fid02
      It’s just that I don’t know how to get anonymous prepaid cards for my country, that’s why I took the Play cards paid with cash route.

      • [deleted]

      I don't understand why lots of you worry about providing your phone number rather than worrying about systemic surveillance related to the use of Google Play Services. Protecting yourselves from tracking is hard enough already even without their use.

        [deleted]
        Why not worry about both? Those are not mutually exclusive.
        A phone number tends to end in the phone contacts of more people than you gave it to, and… I already know that if I give my phone number to a family member, my officially registered phone number will be siphoned by WhatsApp – and Google or Apple – in the following minute, and people tend to use real names in the contact list.
        That seems to me to be quite pervasive and systematic.

        Giving my phone number to Google would only make things worse, especially since it would be bound to a device.

        Our own App Store, Accrescent and App Verifier are highly recommended by GrapheneOS.

        For apps in the Play Store, sandboxed Google Play Store is the most secure way to obtain them and many of them depend on sandboxed Google Play anyway. Making a purpose-specific Google account for this is very useful. If you're obtaining apps from the Play Store, you're trusting the Play Store to package and sign those apps regardless and many of those apps choose to include the Google Play SDK and libraries anyway.

        We cannot recommend Aurora Store at the moment due to security issues. There is some initial work on addressing it but the main issue of not verifying signatures. The default account sharing is a potential problem but not the main issue, and it's likely to stop working at some point anyway.

        We cannot recommend F-Droid due to major security and trustworthiness issues. We don't recommend adding this as another trusted party instead of using developer builds. You do not truly avoid trusting the app developers since they build whatever is released with near zero scrutiny and even serious review would not realistically catch issues.

          GrapheneOS

          Perhapse more Apps (Mirrors) in the App Store would help? Just a thought.

          • [deleted]

          GrapheneOS thanks heaps for the explanation, I'll keep it in mind!

          GrapheneOS We cannot recommend F-Droid due to major security and trustworthiness issues. We don't recommend adding this as another trusted party instead of using developer builds. You do not truly avoid trusting the app developers since they build whatever is released with near zero scrutiny and even serious review would not realistically catch issues.

          gplay doesn't scrutinize application developers either. And as far as trustworthiness goes, F-Droid packages a source code archive that matches the builds. That is a heck of a lot more trustworthy than the unreproducable crap you get elsewhere.

            GrapheneOS

            So what is the recommended way to download and obtain apps if google isn't an option, and it is not on Accrescent?

              kebab_definite So what is the recommended way to download and obtain apps if google isn't an option, and it is not on Accrescent?

              I believe the recommendation in that case would be to get it from where you need to. The developer's website or GitHub would be the next best option.

              We cannot recommend F-Droid due to major security and trustworthiness issues. We don't recommend adding this as another trusted party instead of using developer builds

              Not all developers publish their builds though. If you must have an app that is only available on F-Droid, then I guess you'll have to get it from there. But maybe consider if another app would work just as well.

              You can also use App Verifier to verify the app's signature (only necessary on the initial installation - and doesn't really mitigate the risk of F-Droid, since they're signing the builds anyway).

              Our own App Store, Accrescent and App Verifier are highly recommended by GrapheneOS.

              secrec Do you know what percentage of F-Droid apps are currently Reproducible Builds though? Last time I looked into it, apparently only a small percentage of apps were actually Reproducible/Deterministic Builds, and that was according to F-Droid themselves.

              That was a while ago though, so maybe they have made some good progress there? I like the concept of those at least, as you don't have to trust the app developer and F-Droid like you do with the rest of the apps in the F-Droid repository.

              I've personally got nothing against F-Droid and would like them to improve in all the areas where their security is weak. The more secure and private App stores, the better for everyone after all

              secrec

              I agree. Personally, I trust the F-Droid team more than random developers and for me they're like a second pair of eyes. A recent example was when "Simple Apps" was sold to some adware company and F-Droid immediately stopped updates and then replaced them with the clean fork "Fossify Apps". Meanwhile, those who had installed the apps from Play Store received the "bad" closed source updates with ads & tracking included.