GraphyGraphy The main issue is that if F-Droid's signing keys are compromised, then every single app installed through the store can be compromised since any update would appear to come from the original legitimate source. [deleted] Pointed out that since August 2021 Google now stores developer keys in their own cloud. So, theoretically, a flaw in Google's security could lead to those developer keys being compromised too. Imo, this seems far less likely.
Standardwaste Links to a post that does a good job explaining these issues and more, definitely worth a read if you're curious to know more.
Aurora Store instead of F-Droid
I have moved away from F-Droid and actually use a little-known app called 'Obtainium'. It is basically a front end where you can add direct links for apps, be it from F-Droid, GitHub, Mullvad or GitLab. It will track them as they update via those links and advise when there are updates, taking out F-Droid as the middleman and running directly from GitHub for those apps that work through releases (or similar with GitLab).
Check it out here - https://github.com/ImranR98/Obtainium
I was using Aurora Store on my LOS device; however, now that it is sandboxed (and quite cool, I might add, on GrapheneOS on my P7 Pro) I still use Google Play, as I have a few crucial apps that I paid for long ago and can't give up... Maybe when my PinePhone Pro is fully up to speed I could, but for now it is what it is.
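The thread's underlying concern is that whoever holds the signing key can ship an update that looks legitimate, and once a store is taken out of the loop (Obtainium pulling release APKs straight from GitHub), nothing but the installer checks who signed the file. The check a practitioner wants before the first install is a signer pin: extract the signing certificate from the APK and compare its SHA-256 fingerprint with the one the developer publishes. The script below is an added example, not code from this thread or from Obtainium, F-Droid or Droid-ify. It parses the APK Signing Block (scheme v2/v3) directly, so it works without `apksigner`; the demo APK, its empty digests and signatures, and the certificate bytes `DEMO_CERT` are constructed in the script purely to exercise the parser and are not a real signed app.

```python
import hashlib
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
SIG_V2_ID = 0x7109871A   # APK Signature Scheme v2 block ID
SIG_V3_ID = 0xF05368C0   # APK Signature Scheme v3 block ID

# Constructed stand-in for a signer certificate (a 5-byte DER SEQUENCE), not a real X.509 cert.
DEMO_CERT = b"\x30\x03\x02\x01\x01"


def _find_eocd(data: bytes) -> int:
    """Offset of the ZIP End Of Central Directory record (signature PK\\x05\\x06)."""
    idx = data.rfind(b"PK\x05\x06")
    if idx < 0:
        raise ValueError("not a ZIP/APK: EOCD record missing")
    return idx


def _iter_len_prefixed(buf: bytes):
    """Yield each uint32-LE length-prefixed element, the encoding the signing schemes use."""
    pos = 0
    while pos + 4 <= len(buf):
        (n,) = struct.unpack_from("<I", buf, pos)
        pos += 4
        yield buf[pos:pos + n]
        pos += n


def signer_certs(apk: bytes) -> list:
    """Return the DER signer certificates found in the APK's v2/v3 signing block."""
    eocd = _find_eocd(apk)
    (cd_offset,) = struct.unpack_from("<I", apk, eocd + 16)  # central directory offset
    if cd_offset < 24 or apk[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        raise ValueError("no APK Signing Block: unsigned, or v1 (JAR) signed only")
    (block_size,) = struct.unpack_from("<Q", apk, cd_offset - 24)
    block_start = cd_offset - block_size - 8
    if block_start < 0 or struct.unpack_from("<Q", apk, block_start)[0] != block_size:
        raise ValueError("APK Signing Block size fields disagree")
    certs = []
    pos, end = block_start + 8, cd_offset - 24
    while pos < end:
        (pair_len,) = struct.unpack_from("<Q", apk, pos)
        (block_id,) = struct.unpack_from("<I", apk, pos + 8)
        value = apk[pos + 12:pos + 8 + pair_len]
        pos += 8 + pair_len
        if block_id not in (SIG_V2_ID, SIG_V3_ID):
            continue  # padding, v4 hash, or other ID-value pairs
        signers = next(_iter_len_prefixed(value))
        for signer in _iter_len_prefixed(signers):
            signed_data = next(_iter_len_prefixed(signer))
            fields = list(_iter_len_prefixed(signed_data))  # [digests, certificates, ...]
            certs.extend(_iter_len_prefixed(fields[1]))
    return certs


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate, the value `apksigner verify --print-certs` reports."""
    return hashlib.sha256(der).hexdigest()


def verify_pinned_signer(apk: bytes, pinned_sha256: str) -> bool:
    """True only when every signer of the APK matches the pinned certificate fingerprint."""
    try:
        certs = signer_certs(apk)
    except ValueError:
        return False
    pin = pinned_sha256.lower().replace(":", "")
    return bool(certs) and {fingerprint(c) for c in certs} == {pin}


def _lp(b: bytes) -> bytes:
    return struct.pack("<I", len(b)) + b


def build_demo_zip() -> bytes:
    """A minimal unsigned ZIP standing in for an APK (constructed test input)."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    return bio.getvalue()


def build_demo_apk(cert_der: bytes) -> bytes:
    """Splice a v2 signing block carrying cert_der in front of the central directory.
    Digests and signatures are left empty: this exercises the parser, it is not a validly signed APK."""
    zip_bytes = build_demo_zip()
    signed_data = _lp(b"") + _lp(_lp(cert_der)) + _lp(b"")  # digests, certificates, attributes
    signer = _lp(signed_data) + _lp(b"") + _lp(b"")         # signed data, signatures, public key
    value = _lp(_lp(signer))                                # signers sequence
    pair = struct.pack("<QI", 4 + len(value), SIG_V2_ID) + value
    size = len(pair) + 8 + 16                               # everything after the leading size field
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    eocd = _find_eocd(zip_bytes)
    (cd_offset,) = struct.unpack_from("<I", zip_bytes, eocd + 16)
    new_eocd = zip_bytes[eocd:eocd + 16] + struct.pack("<I", cd_offset + len(block)) + zip_bytes[eocd + 20:]
    return zip_bytes[:cd_offset] + block + zip_bytes[cd_offset:eocd] + new_eocd


if __name__ == "__main__":
    apk = build_demo_apk(DEMO_CERT)
    print("signer fingerprints:", [fingerprint(c) for c in signer_certs(apk)])
    print("pin matches:", verify_pinned_signer(apk, fingerprint(DEMO_CERT)))
    print("wrong pin:", verify_pinned_signer(apk, "00" * 32))
```

On a real download you would replace `DEMO_CERT`'s fingerprint with the one the developer publishes (or the value `apksigner verify --print-certs` shows for a build you already trust) and refuse to install when `verify_pinned_signer` returns False. Two caveats follow from the thread: Android itself refuses an update whose signer differs from the installed app, so the pin matters most on first install; and an F-Droid-built APK is signed by F-Droid's key, not the developer's, so a mismatch there is expected and is exactly the trust question the thread is about, not a parsing error.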
I also use Obtainium. Seems to be doing the job fine. Strange thing is all my stores seem to "think" that they have installed all my apps.
Thank you all! Obtainium also sounds very interesting! And for sure, Droid-ify or Neo-Store, too.
AtriumCompound Thank you very much. So the problem would be that many of the installed apps could become problematic at the same time. And as I understand it, from case to case, this could be more problematic with one app than another. Apps without network permission are less problematic, I think?
Could that lead to a workaround in which one uses F-Droid, for example, for apps without network permission only?
Another thing: F-Droid is criticized because updates do not always come in time. But my experience is that this is also true for Aurora Store, at least with anonymous login. While on one phone the Play Store updates an app, sometimes the update is shown on another phone in the Aurora Store several days later. Then sometimes it helps to restart Aurora a few times, which also means logging in with different anonymous accounts until there is one that already gets the update.
Because of that, I assume updates via the Play Store are not rolled out to all users at the same time. Is this right? If so, the Play Store would not really be better in this aspect!?
Thank you all very much!
Eirikr70 Well, it seems that Droid-ify shows "Installed"; if you remove them and reinstall with Obtainium, then Droid-ify will show "Suggested".
italian_job Right!
If you go into Aurora Store, into the updates section, and click and hold the particular app, you should be able to add that app to the 'blacklist'. This will stop it telling you that they have installed the app and that it needs to update. You can do the same in F-Droid; I believe it's a little checkbox, and I imagine it is similar in other F-Droid apps. I did this and left Obtainium as the only updater for those particular apps managed through Obtainium; it saves getting the notifications multiple times from all the other apps.
Ah, ok, but I don't have Aurora Store...
In Droid-ify you can ignore a new version of an app, but the few I can't add to Obtainium are because on GitHub there is only source code; the others have their original repos on Droid-ify.
Notifications are not a problem since I check updates manually.
Thanks for mentioning Obtainium, I didn't know about it, interesting app 😀
abcZ "With app signing by Play, Google manages and protects your app's signing key for you, and uses it to sign the optimized distribution APK files that are generated from your app collections."
abcZ The way that reads, they are signed by Google on behalf of the developer using the developer's key.
mythodical Which is effectively NOT SIGNED. When you sign something with a key that you do not control, it is effectively unsigned.
abcZ Everything is written in the Google blog. The developer signs the APK before sending it to the Play Store; Google re-signs the APK and manages the security key.
This is the reason why I don't use the Play Store, and I would very much like it if GrapheneOS would allow using bank applications without installing the Play Store.
Obtainium is a great app and I use it myself as it fits my needs best. However, I've also used an RSS reader to manually track developers' repositories for updates, and download the versions directly from there as they become available. Furthermore, I want to mention the app OSS Release Tracker by @jroddev.
Here's a thread where the dev explains the main differences between his app and Obtainium. I've tried OSS Release Tracker and found it to be simple, minimalistic, and easy to use. IMHO it's best suited for those seeking a more minimal approach to downloading and updating apps; those who like the simplicity of using an RSS reader but wish it was more tailored to tracking new releases of apps will appreciate OSS Release Tracker.
Secure!? If you are talking about uncompromised apps from the author, then I'd guess the Google store is the place to go - understanding that the code/application could be hacked on the author's site after hand-off to Google (e.g. source code says one thing, executable says something else). To guard against this, you could download the source, inspect it, and compile it yourself (e.g. as routinely done in the "source distribution" used in some Linux distributions).
IIUC, F-Droid inspects and re-compiles the source, removing nasties in the process.
- Naturally there would be a delay in getting an F-droid app when compared with either Gstore or Github (or Aurora).
- F-Droid tweaked and then compiled it; of course they should sign it.
So if by Secure you're referring to an app more likely to be Trojan-free, I'd go with F-Droid, in spite of the signing criticism.