Hey guys! I'm really enjoying my experience on GrapheneOS so far. Was wondering, though, why there wasn't an option to add F-Droid and Aurora from the App Store like you can with the Play Store? I think it would make the experience a lot easier for people who have never been on GrapheneOS before. It would also make the App Store feel a bit more like a store and less like a manager (which is, I think, what it really is).

In any case, I like the OS so far and would happily donate to the cause if I don't run into any major problems.

    TiggyTheTerrible If there was such an option, it could/would imply GOS 'recommends' it in a way. Since GOS is a security-focused project, and both F-Droid and Aurora have (severe) security issues, this likely won't happen.

    A quick forum search should bring up the above-mentioned security issues with F-Droid and Aurora.

      Both Aurora and F-Droid have security and usability issues which prevent them from being included on the App Store. Nitter

      In general, the most secure ways of installing apps on GrapheneOS go App Store > Accrescent > Google Play (with a throwaway Google Account if desired) > getting the app directly from the developer, preferably using Obtainium and AppVerifier (the latter is on Accrescent).

      SgtSurehand Obtainium doesn't make it more secure. It is just better for privacy. Apps are directly fetched from developers (GitHub, GitLab, Forgejo, etc.) instead of the Play Store.

        Tubeless2720 I only mention it because there is a whole bunch of users who use Obtainium and its questionable security is never discussed while troublemakers always pick on Aurora.

        SgtSurehand It's more that Aurora introduces security issues than Obtainium being particularly secure. Particularly if you use the shared account feature. https://xcancel.com/GrapheneOS/status/1844534513663185124#m

        And if you're logging in to Aurora, why not just use the much more secure Google Play app?

        The one main use case for Aurora is if an app artificially does not allow itself to be listed on Google Play for GrapheneOS, but if installed can still run. Netflix used to be an example of that, although I now believe you can install it via Google Play.

          Obtainium isn't really an app store, it is mostly a tool to update apps / notify you of updates for apps.

          It is just "safer" than downloading from GitHub (or wherever) yourself, because it makes you not forget to update an app.

          This is also achievable by using an RSS reader instead, as far as I know.

          kopolee11 Netflix used to be an example of that, although I now believe you can install it via Google Play

          yes it is possible

            kopolee11 when you buy your bowl of porridge, whether it's in the supermarket or in a local store, do you always verify that it comes from a legitimate source? You look at the packaging and put it in the basket. When it comes from Google, it must be Google. What sort of interest would they have in hosting malware?

              kopolee11 the difference between me and Google is that I will admit to wrongdoing. They will only when they are caught in the act. Good luck into the future.

              kopolee11 nothing personal, but I see this all the time in this forum. Someone from the project account posts something here in the forum/on their socials and everyone starts parroting that information without any understanding of what it means. This also has the nasty side effect of outdated information because people keep reciting these posts like Gospel.

              I have yet to see clarification about:

              1. The danger of using shared accounts, what exact risks or attack vectors are opened by using these.
              2. "Other security issues" that are often brought up but never elaborated on.
              3. I understand the technical flaws in F-Droid's implementation but I fail to see the same issues due to a lack of reproducible builds, 3rd party repos and different (outdated) client apps for the frontend of F-Droid. Aurora Store is not even remotely comparable to that and I fail to see the often mentioned "other security issues". Literally the only thing I can think of is that updates are sometimes delayed for apps by a day or two. At the same time, I also fail to see how these app updates would be so mission critical. I can't recall any such cases where "urgent app updates" were needed.

              So indulge me - I simply want to know what "other security issues" means. In the most technical terms possible, please.

                I'm not sure about the security thing, but I understand the endorsement issue. Perhaps Graphene needs its own way to scrape the play store and F-Droid? Since F-Droid is open source, it could probably be forked. Aurora I'm less sure of. I hear good and bad stuff about it. It sounds fairly secure, if imperfect.

                Are there any better alternatives? I notice Obtainium doesn't seem to be a store per se.

                TiggyTheTerrible
                Sorry, I think you misunderstood.

                Open source apps can normally be downloaded directly as an APK file from either their GitHub/GitLab etc. repository or from their website.
                Some other apps, like WhatsApp, can also be downloaded directly from the WhatsApp website.

                These app versions normally use the developer's signing key (relevant for AppVerifier) and were built by the developers.

                You basically give Obtainium a link to a source (usually a GitHub repository) and tell it what the release version is called. Obtainium then downloads it, installs it and checks (or can be used to check) for updates.
                (Which basically means it looks at the provided source link to see if a new release version exists.)

                Sometimes you can download F-Droid versions of apps on the website of the developers. I am not sure, but I believe these use the F-Droid signing keys.

                Obtainium cannot be used to download apps that are only available in the Play Store (which is the case for most apps that are not open source) (and I would not recommend using something like APKMirror).

                Also, while Obtainium has a search function, one should first look for the repository yourself (since the names can be different than one expects).

                So it is just a downloader and update checker; using Obtainium basically means downloading and installing APKs yourself, and includes whatever this usually implies.
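
The signing-key point in the post above can be checked before installing a directly downloaded APK. The following is an added example, not part of the thread and not code from Obtainium or AppVerifier: it parses text in the format printed by `apksigner verify --print-certs` and compares the signing certificate's SHA-256 digest with a fingerprint pinned from the developer. The fingerprints, the sample output and the colon-separated pin format are constructed assumptions.

```python
import hashlib
import re

# Matches lines such as "Signer #1 certificate SHA-256 digest: <64 hex chars>"
DIGEST_RE = re.compile(r"certificate SHA-256 digest:\s*([0-9a-fA-F]{64})\b")


def normalize(fingerprint: str) -> str:
    """Lower-case hex without colons or spaces, so 'AB:CD' equals 'abcd'."""
    return re.sub(r"[^0-9a-fA-F]", "", fingerprint).lower()


def signer_digests(apksigner_output: str) -> list[str]:
    """SHA-256 digests of every signing certificate listed in the output."""
    return [d.lower() for d in DIGEST_RE.findall(apksigner_output)]


def check_pin(apksigner_output: str, pinned: str) -> str:
    """Compare the reported signing certificates with the pinned fingerprint."""
    want = normalize(pinned)
    if len(want) != 64:
        return "bad-pin"
    got = signer_digests(apksigner_output)
    if not got:
        return "unsigned-or-unparsed"
    # Every signer must be the pinned one; an unknown extra signer is a mismatch.
    return "match" if all(d == want for d in got) else "mismatch"


# --- Constructed sample data (not real certificates) ---
def constructed_fp(label: bytes) -> str:
    return hashlib.sha256(label).hexdigest()


def colon_form(fp: str) -> str:
    """Upper-case, colon-separated form (assumed pin format)."""
    return ":".join(fp[i:i + 2] for i in range(0, 64, 2)).upper()


def sample_output(fp: str) -> str:
    return (
        "Signer #1 certificate DN: CN=Constructed Example\n"
        f"Signer #1 certificate SHA-256 digest: {fp}\n"
    )


DEV_FP = constructed_fp(b"constructed developer certificate")
REPO_FP = constructed_fp(b"constructed repository certificate")

if __name__ == "__main__":
    pin = colon_form(DEV_FP)
    print("developer build: ", check_pin(sample_output(DEV_FP), pin))
    print("repository build:", check_pin(sample_output(REPO_FP), pin))
```

A build of the same app signed with a different key, for example a repository's key rather than the developer's, fails the pin even though the package name is identical.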