GPlay + Obtainium. Can anyone explain how both work in the Owner profile?

charly

Hello everyone!

So, I will try to explain the title of the thread. Some context first. Recently I've changed some things in my GOS flow:

Owner profile -> Only for install and update apps and then "push" them to other profiles. I use Obtainium and GPlay.
My main "store" is GitHub + Obtainium. If an app has GitHub releases, then I download the apk and then I track the apk with Obtainium. I know that I can install the apk directly in Obtainium, but when I started my journey with GOS about 8 months ago, I read somewhere that it was better for security reasons installing the app by yourself and then track the app with Obtainium. Maybe I'm doing this wrong. Don't know.
Then, I use GPlay for the rest of the apps I can only obtain there.
User profile -> Here I push all the FOSS and day to day apps that has nothing to do with GPlay either. So 100% clean of Google.
Other profiles -> Then I have several profiles with especific topic related apps (banking, social media, drive stuff, etc). Here I push either FOSS or GPlay apps if necessary.

Well, today I was keeping an eye to the updates I could have in GPlay when I see 3 apps that I did not install with GPlay (just via apk) ready to be updated by them. Then I checked the apps that GPlay tracks from my profile and I found that there's more. I think that all the apps that basically GPlay has in the store are a target for them to be updated by them, regardless the way it was installed.

I immediately checked if the updates in GPlay settings were in automatic, and there was but only with wify. I think none of my no-GPlay apps were updated by GPlay, but I'm left with the doubt.... and with questions.

So why all this "panic"? As I said, in my main user I want a total-free apps from Google. There I have everything FOSS and all Proton apps (VPN is in all my profiles). And I have the idea (probably wrong idea) that even GPlay is sandboxed and there is no communication between profiles, if I install an app from GPlay in my Owner profile and use them in other, even if I don't have and don't use Google Services, it could be some harm/junk/shit from Google (again, I read something similar to this somewhere, I think in this forum, but I don't recall it well, so maybe I was wrong and misinformed), and I don't want that possible "contamination" in my main profile.

So, questions. Is there any reason to be worry about if in my main profile I use apps installed from GPlay even if they are FOSS, safe and known as privacy respecting apps?
If in fact I should be concerned about this, if I installed an apk manually and get tracked by Obtainium and accidentally get updated by GPlay, should I be worry?
Am I complicated things here and worrying about nothing? If an app is in GPlay, should I go by the route of install that app from GPlay and use them without fear in other profiles and use Obtainium only for apps that I don't find in GPlay?
Should I install the apps directly with Obtainium or my approach (installing manually, tracking with Obtainium) is fine?

I hope you guys can help to clear my mind because I'm a bit confused with this.

ryrona

Hi. I hope I will be able to clear things up a little bit.

Many app developers just upload the same APK that is on Google Play onto their GitHub repository, to allow people who do not have and do not want to have Google Play to still install their apps. These apps are still likely signed by Google, and still likely include proprietary Google components, it is the same APK file signed with the same signing keys used for the version of the app in Google Play. That is why Google Play is even able to update these packages.

Now, if the app developer built a fully FOSS version of their app themselves, and signed it themselves using their own signing keys, then Google Play cannot update the package in any way at all. Google Play may still think it can, because the app developer might have used the same package ID for both versions of the app, but any update attempts will fail due to signature mismatch.

I cannot tell which is the case in your case. It is pretty common that app developers just take their app APK from Google Play and upload it to GitHub, so they are identical.

So, what can you do about the situation?

You should always install an app in a way that the app developer themselves are supporting. Most app developers might say something like "Get it on Google Play", "Get it on F-Droid", "Download APK" for example, if they support those three ways. Just check their official website or official GitHub repository, they almost always tell.

If you want to be certain there are no proprietary Google blobs in the app, and you do not trust the app developer to be truthful to you about whether their self-published APK file has that or not, installing the app from F-Droid is probably the best way. F-Droid build all apps themselves, and also has an extra scan to ensure no known proprietary components, such as the Google ones, are included. If such a proprietary component is detected, they will not publish the app. This is what I am doing for my privacy sensitive profile. But still only if the app's official website list F-Droid as a supported way to get the app.

The truth is, you never know what is in the APK files published on GitHub, and it often is exactly the same APK that is installed from Google Play. F-Droid gives guarantees here.

Still, you have to ask yourself, who do you trust the most to keep you safe? Google? F-Droid? The app developer through their self-published APK files? It depends on your threat model. F-Droid is being criticized a lot too, so it isn't the answer for everyone. GrapheneOS' recommendation unless you have a specific threat model that says otherwise, is to get all your apps from Google Play or Accrescent. They do not recommend neither F-Droid nor Obtainium nor direct downloads of APK files from GitHub or elsewhere.

charly

Hello ryrona,

First of all, thank you for your thorough response. Now things are clearer to me.

I think I will follow the GOS's team recommendations and I will use GPlay to install and update apps that are in that store, and I will use Obtainium for the rest.

Nevertheless, I still have a couple of doubts about all of this.

Right now, the apps that I have installed directly through their GitHub apks that GPlay is tracking are all Proton apps and AnkiDroid. So I'm guessing that these apks that I downladed directly from their respectives GitHub pages are signed by Google. Should I uninstall them and install them again from GPlay or it doesn't matter if I installed them via apks and now I update them through GPlay? Is it make any difference in a security standpoint (taking into account that I think that GOS's team recommend to use GPlay to install the apps because is more secure)?

However, there are other apps in my Obtainium environment that are in GPlay store but GPlay is not tracking them, so I assume that these apks were signed without Google being involved right? Althought I guess is not certain.
In this case, I don't know if I should stick with the way I did things or whether the potential privacy benefit is sufficient to choose a perhaps less secure option (install and update directly from the GitHub page).
For example, Aegis. His GitHub page says it can be downloaded from GPlay and F-Droid. Doesn't recommend either. So, if I don't want to use F-Droid, I have two choises: one, what I did (even when they didn't state that was an option, but it is), and two, GPlay. If I assume that in this case the apk has nothing Googled, but the GPlay has... But again, it's not even sure that's the case.

Lastly, and related to the previous question, I am still in doubt as to what the implications are (if there are any implications), in this case privacy wise, if I install apks directly (assuming there is not Google junk in them), or if I install them from GPlay or the apks could potentially be pulled directly from GPlay, and then those apps are used on other profiles that don't even have Google Services on them.
Basically, if even if I am very careful, in one profile I have 10 fully FOSS apps and there is one that is FOSS but signed by Google or directly installed from GPlay, is there really any privacy implications?

Again, maybe I'm overthinking everything too much and I'm complicating everything and things are simpler.

Dumdum

charly So I'm guessing that these apks that I downladed directly from their respectives GitHub pages are signed by Google.

Shouldn't be.

there are other apps in my Obtainium environment that are in GPlay store but GPlay is not tracking them, so I assume that these apks were signed without Google being involved right?

As far as I'm aware, the difference is app IDs. Some apps will (unfortunately) keep app IDs between Github/GPlay the same, while others will (rightfully) use a separate GPlay-specific app ID. Could be wrong though.

am still in doubt as to what the implications are (if there are any implications), in this case privacy wise, if I install apks directly (assuming there is not Google junk in them), or if I install them from GPlay or the apks could potentially be pulled directly from GPlay, and then those apps are used on other profiles that don't even have Google Services on them.

To my knowledge, apps can have "Google junk" (libraries) in them regardless, even in a Github APK. Unless they specifically provide a libre/Google-free version, that is.

even if I am very careful, in one profile I have 10 fully FOSS apps and there is one that is FOSS but signed by Google or directly installed from GPlay, is there really any privacy implications?

Apps communicate via IPC. But its mutual so only if the FOSS apps are designed to communicate is there a concern.

All-in-all, I personally use Obtainium for all of my FOSS apps and use GPlay exclusively just for closed source stuff, simply because I trust developer APKs more and I don't want to depend on Google (especially if they remove an app for any reason, also apps like Newpipe aren't allowed on GPlay anyway).

ryrona

charly Right now, the apps that I have installed directly through their GitHub apks that GPlay is tracking are all Proton apps and AnkiDroid. So I'm guessing that these apks that I downladed directly from their respectives GitHub pages are signed by Google. Should I uninstall them and install them again from GPlay or it doesn't matter if I installed them via apks and now I update them through GPlay?

I would have uninstalled and reinstalled them in that case, just to be certain Google Play actually can update those apps. That is, be certain the installed version actually are signed such that Google Play can update them.

charly However, there are other apps in my Obtainium environment that are in GPlay store but GPlay is not tracking them, so I assume that these apks were signed without Google being involved right?

Most likely, yes. I think those apps aren't tracked because they have a different package ID.

charly So, if I don't want to use F-Droid, I have two choises: one, what I did (even when they didn't state that was an option, but it is), and two, GPlay. If I assume that in this case the apk has nothing Googled, but the GPlay has... But again, it's not even sure that's the case.

I wouldn't know either. In the end, you would have to pick who makes more sense to trust in your specific threat model.

charly Basically, if even if I am very careful, in one profile I have 10 fully FOSS apps and there is one that is FOSS but signed by Google or directly installed from GPlay, is there really any privacy implications?

I don't know your threat model. What is it you worry about Google might do through their proprietary blobs, that mustn't happen?

For me, that worry would be spying on my end-to-end encrypted chat conversations, through pretenses like "scanning for unsafe content" or the like. Or accessing local files through apps I have granted such permissions to, under similar pretenses. So in my case F-Droid makes sense, to ensure there is only open source code in the app, as open source code tend to be resistant to getting such privacy invasive technologies added.

But you might worry about something totally different, where using Google Play or Obtainium/GitHub releases make far more sense.

Each app is sandboxed, so that one app cannot interact with those other apps or access their data, unless those other apps specifically allow it. Which is unlikely if they don't have the same binary blobs in them. Most likely, the proprietary Google components will do absolutely nothing, unless Google Play Services is also installed in the profile, as that is how communication typically happen.

charly Again, maybe I'm overthinking everything too much and I'm complicating everything and things are simpler.

I think the first you have to ask yourself is, what is it really you worry Google would do, that mustn't happen? Is Google even your enemy at all? Is Google really the greater enemy compared to who you would put your trust in instead?

charly

Thanks both of you for the anwsers.

About my worries, it's kind similar to what you said. I'm worried about Google picking where they shouldn't. I don't have anything to hide or anything that would put me in danger, I just don't want Google or another big tech to have the possibility to stick their noses into my business and create detailed profiles about me that allow them to know me even better than my girlfriend and make tones of money doing that. It's just a no-no for my at this point.

Having said that, I don't want to sacrifice security if I can have both of worlds. I know that total privacy is impossible right now (unless you sacrifice all the convenience down the road, and even then...).
F-Droid sounds great, but I read a while ago some things that worried me about security and make me choose to install the apk by myself from GitHub and use Obtainium (I don't recall what I read, sorry).

Right now, what I'm doubting is if I should install my Proton apps from GPlay directly. I mean, they are Proton apps, they are not private source code with clearly evil intentions. They are supposed to protect my privacy. Or even the AnkiDroid one, which is a FOSS app. I'm talking about these ones because they are the ones being tracked by GPlay. And I don't know anymore if they are updated because GPlay still remains complaining that there is an update. I think the apps are updated throught Obtainium but...
In my main profile there is no Google Play Services either. I mean, in the only one I have that is in my banking profile. In the rest, even if I have apps that are not FOSS, I don't have GPlay or GServices installed. So I don't what harm really could do.

ryrona

charly I remember the thing that took me away from F-Droid the most. The delay in the updates. Is this still a thing?

Yes. There are significant delays, sometimes up to a few weeks, from an update to an app is available through other sources until it is available in the official F-Droid repositories.

charly F-Droid sounds great, but I read a while ago some things that worried me about security and make me choose to install the apk by myself from GitHub and use Obtainium (I don't recall what I read, sorry).

One thing with F-Droid many have remarked on is that they don't seem to follow best security practices regarding their build infrastructure. Some worry, it is possible their build infrastructure might more easily get compromised than that of other app stores, and that such a compromise would have more far reaching consequences than if a single app developer have their own build infrastructure compromised, as all apps on F-Droid would be compromised if F-Droid build infrastructure gets compromised.

F-Droid also prioritizes maximum device compatibility for their apps, which often means newer security features gets disabled since older devices do not support them.

All on all, there are good reasons to stay away from F-Droid, but in some cases, such as mine, F-Droid is still, despite all of that, what makes the most sense. You will have to try to figure out what makes the most sense in your case.

In my dreams GrapheneOS would start their own app store for generic open source apps, where they build apps similar to how they build the bundled ones today.

charly

I was reflecting about F-Droid and this stuff. I think one the issues I had is that they compile the apps or something like that.
Nevertheless, I was thinking, in the way I'm doing it right now, if I have 20 apps, I have to trust in 20 different devs, whereas if I would install them from F-Droid, I only should trust in F-Droid. IDK.

EDIT to add that I remember the thing that took me away from F-Droid the most. The delay in the updates. Is this still a thing?