r134a quick question, what makes Obtainium more secure than Aurora Store?
Newbie Experience on GrapheneOS
Both Aurora and F-Droid have security and usability issues which prevent them from being included on the App Store. Nitter
In general the most secure ways of installing apps on GrapheneOS go App Store > Accrescent > Google Play (with a throwaway Google Account if desired) > getting the app directly from the developer, preferably using Obtainium and AppVerifier (the latter is on Accrescent).
SgtSurehand Obtainium doesn't make it more secure. It is just better for privacy. Apps are directly fetched from developers (GitHub, GitLab, Forgejo, etc.) instead of the Play Store.
Tubeless2720 I only mention it because there is a whole bunch of users who use Obtainium and its questionable security is never discussed, while troublemakers always pick on Aurora.
SgtSurehand It's more that Aurora introduces security issues than Obtainium being particularly secure. Particularly if you use the shared account feature. https://xcancel.com/GrapheneOS/status/1844534513663185124#m
And if you're logging in to Aurora, why not just use the much more secure Google Play app?
The one main use case for Aurora is if an app artificially does not allow itself to be listed on Google Play for GrapheneOS, but if installed can still run. Netflix used to be an example of that, although I now believe you can install it via Google Play.
Obtainium isn't really an app store; it is mostly a tool to update apps / notify you of updates for apps.
It is just "safer" than downloading from GitHub (or wherever) yourself, because it makes you not forget to update an app.
This is also achievable by using an RSS reader instead, as far as I know.
kopolee11 Netflix used to be an example of that, although I now believe you can install it via Google Play
Yes, it is possible.
kopolee11 when you buy your bowl of porridge, whether it's in the supermarket or in a local store, do you always verify that it comes from a legitimate source? You look at the packaging and put it in the basket. When it comes from Google, it must be Google. What sort of interest would they have in hosting malware?
SgtSurehand I don't understand your point. Aurora does not implement some of the security features that Google Play does. Things like certificate pinning which helps ensure the verification of the app. (The "packaging" in your analogy)
https://privsec.dev/posts/android/android-tips/#aurora-store
kopolee11 don't rely on old information: https://discuss.grapheneos.org/d/15761-aurora-store-has-implemented-certificate-pinning
Privsec sources are not always up to date.
n3t_admin Appreciate the update.
However, Aurora still has other security (and usability) issues when compared to Google Play.
kopolee11 the difference between me and Google is that I will admit to wrongdoing. They will only when they are caught in the act. Good luck into the future.
kopolee11 nothing personal, but I see this all the time in this forum. Someone from the project account posts something here in the forum/on their socials and everyone starts parroting that information without any understanding of what it means. This also has the nasty side effect of outdated information because people keep reciting these posts like Gospel.
I have yet to see clarification about:
- The danger of using shared accounts, what exact risks or attack vectors are opened by using these.
- "Other security issues" that are often brought up but never elaborated on.
- I understand the technical flaws in F-Droid's implementation, but I fail to see the same issues, due to a lack of reproducible builds, 3rd party repos and different (outdated) client apps for the frontend of F-Droid. Aurora Store is not even remotely comparable to that, and I fail to see the often mentioned "other security issues". Literally the only thing I can think of is that updates are sometimes delayed for apps by a day or two. At the same time, I also fail to see how these app updates would be so mission critical. I can't recall any such cases where "urgent app updates" were needed.
So indulge me - I simply want to know what "other security issues" means. In the most technical terms possible, please.
I'm not sure about the security thing, but I understand the endorsement issue. Perhaps Graphene needs its own way to scrape the play store and F-Droid? Since F-Droid is open source, it could probably be forked. Aurora I'm less sure of. I hear good and bad stuff about it. It sounds fairly secure, if imperfect.
Are there any better alternatives? I notice Obtainium doesn't seem to be a store per se.
This might be an interesting read; I found @fid02 bundled some relevant information nicely together in this post:
https://discuss.grapheneos.org/d/20760-im-confused-about-google-accounts/30
I'll tag @pxlkng as well, perhaps he/she could explain in more depth, as I have the impression he/she has a thorough understanding of this specific subject.
n3t_admin respect, well said.
Now let's hear it and if possible without quoting the dev team.
TiggyTheTerrible sorry, I think you misunderstood.
Open source apps can normally be downloaded directly as apk file from either their github/gitlab etc. repository or from their website.
Some other apps, like WhatsApp, can also be downloaded directly from the WhatsApp website.
These app versions normally use the developer's signing key (relevant for AppVerifier) and were built by the developers.
You give Obtainium basically a link to a source (usually a GitHub repository) and tell it how the release version is called. Obtainium then downloads it, installs it and checks, or can be used to check, for updates.
(Which basically means it looks at the provided source link to see if a new release version exists.)
Sometimes you can download F-Droid versions of apps on the website of the developers; I am not sure, but I believe these use the F-Droid signing keys.
Obtainium cannot be used to download apps that are only available in the Play Store (which is the case for most apps that are not open source) (and I would not recommend using something like APKMirror).
Also, while Obtainium has a search function, one should first look for the repository yourself (since the names can be different than one expects).
So it is just a downloader and update checker; using Obtainium basically means downloading and installing APKs yourself, and includes whatever this usually implies.
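The post above describes the Obtainium workflow as "look at a source link, see whether a newer release exists, download the APK, and then you are installing APKs yourself", with AppVerifier-style signing-key checks mentioned earlier in the thread as the thing that closes the gap. The following is an added illustration of that workflow, written here for this thread; it is not Obtainium's, AppVerifier's or GrapheneOS's code. It assumes a constructed, GitHub-like "latest release" JSON document, a regex for the project's tag format (the "how the release version is called" part the user configures), and a constructed byte string standing in for the developer's DER signing certificate, which a real tool would first have to extract from the APK's signature block (for example with `apksigner`). The fingerprint comparison is the part that turns "I downloaded an APK from a URL" into "I downloaded an APK signed by the key the developer published"; on a first install there is nothing on-device to compare against, which is exactly why a separately published fingerprint matters.

```python
import hashlib
import hmac
import json
import re
from typing import Optional

# Constructed sample of a GitHub-style "latest release" API response, reduced to
# the fields an update checker cares about. Not a real project or real URLs.
SAMPLE_RELEASE_JSON = json.dumps({
    "tag_name": "v2.3.1",
    "assets": [
        {"name": "app-release.apk.sha256",
         "browser_download_url": "https://example.invalid/app-release.apk.sha256"},
        {"name": "app-release.apk",
         "browser_download_url": "https://example.invalid/app-release.apk"},
    ],
})

# Constructed stand-in for the DER bytes of the developer's signing certificate.
# A real check would take these from the APK's signature block (e.g. via apksigner).
SAMPLE_CERT_DER = b"constructed-der-bytes-of-developer-signing-cert"

# Project-specific: how the release version is spelled inside the tag.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(tag: str) -> tuple:
    """Pull a (major, minor, patch) triple out of a release tag such as 'v2.3.1'."""
    match = VERSION_RE.search(tag)
    if match is None:
        raise ValueError(f"no version number in tag {tag!r}")
    return tuple(int(part) for part in match.groups())


def find_update(installed: str, release_json: str,
                asset_pattern: str = r"\.apk$") -> Optional[dict]:
    """Return the APK asset to fetch if the release is newer than the installed version, else None.

    asset_pattern selects the right file among the release assets; note that
    'app-release.apk.sha256' does not match the default pattern, only the APK does.
    """
    release = json.loads(release_json)
    latest = parse_version(release["tag_name"])
    if latest <= parse_version(installed):
        return None
    for asset in release.get("assets", []):
        if re.search(asset_pattern, asset["name"]):
            return {
                "version": ".".join(str(n) for n in latest),
                "name": asset["name"],
                "url": asset["browser_download_url"],
            }
    return None  # newer release exists but it ships no matching APK asset


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, upper-case hex without separators."""
    return hashlib.sha256(cert_der).hexdigest().upper()


def normalize_fingerprint(printed: str) -> str:
    """Accept fingerprints the way developers publish them (colons, spaces, mixed case)."""
    return re.sub(r"[^0-9a-fA-F]", "", printed).upper()


def signer_matches(cert_der: bytes, published_fingerprint: str) -> bool:
    """Pin check: does the APK's signing certificate match the fingerprint the developer published?"""
    return hmac.compare_digest(cert_fingerprint(cert_der),
                               normalize_fingerprint(published_fingerprint))


def check_and_verify(installed: str, release_json: str, cert_der: bytes,
                     published_fingerprint: str) -> str:
    """One pass of the workflow: is there an update, and is its signer the one we trust?"""
    update = find_update(installed, release_json)
    if update is None:
        return "up-to-date"
    if not signer_matches(cert_der, published_fingerprint):
        return f"REJECT {update['name']} {update['version']}: signer fingerprint mismatch"
    return f"INSTALL {update['name']} {update['version']} from {update['url']}"


if __name__ == "__main__":
    # Developer-published fingerprint in the usual colon-separated form (constructed here).
    raw = cert_fingerprint(SAMPLE_CERT_DER)
    pinned = ":".join(raw[i:i + 2] for i in range(0, len(raw), 2))
    print(check_and_verify("2.3.0", SAMPLE_RELEASE_JSON, SAMPLE_CERT_DER, pinned))
    print(check_and_verify("2.3.0", SAMPLE_RELEASE_JSON, b"some-other-cert", pinned))
    print(check_and_verify("2.3.1", SAMPLE_RELEASE_JSON, SAMPLE_CERT_DER, pinned))
```

The version regex and the asset pattern are deliberately separate inputs because that is where a "downloader and update checker" goes wrong in practice: a tag format change or a wrongly matched asset yields a stale or wrong file rather than an error. The signer pin is the only step here that the network path cannot influence, which is why it, not the download URL, is what an AppVerifier-style check compares.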
SgtSurehand Aurora Store is insecure because its secure connection and signature verification are less hardened than Google's Play Store. Attempting to use it with your own account makes you look like a bot, and Google might suspend your account for spam.
This is why GOS doesn't recommend it.
Specifically, metadata verification is not done, it's been known to grab wrong app versions, and there is no certificate pinning.
People don't criticize Obtainium because Obtainium only attempts to pull APK files from GitHub; its security is sort of already apparent. The Google Play Store is trying to do something completely different in terms of security.
Your analogy on "checking if the item you bought was really from the store" is a fundamental misunderstanding of how network security functions.
raccoondad Aurora is in no way less secure than getting apps with Obtainium, F-Droid repositories, direct APK downloads from sources such as GitHub, developer websites and other third party aggregators like ApkMirror, for example. This practice is widespread.
What makes it more secure than them is that it gets packages directly from Google infrastructure according to your spoof manager, after authentication that is not directly linked to you (only through your device hardware, software, performance and network connection characteristics). Why would I want to use my own account to do that, even a throwaway when one is already provided and to everyone's confusion used in a mixnet with multiple other users?
I already know the opinion of the GrapheneOS development team and have heard it from multiple sources, so why not cite someone else for a change?
Hang on, I know, creative thinking and independent opinions are not very well received here. Let me ask Naomi. Or perhaps the despised one might chip in.
I never claimed GrapheneOS devs are in Google's pocket, this was totally uncalled for. And I actually think that thanks to the hardening and controls GrapheneOS provides, using Play Store is a brilliant way to go about their lives but it won't cater for those who wish to get their privacy expectations to next level, albeit at a minor security compromise.