Specific Scenario - Best Security Practices for Installing Apps on a Pixel 9
Tags: General, Pixel 9

I only want to install three apps on a new Pixel 9 running GrapheneOS: Signal, Proton Mail, and Proton VPN.
My main concern is minimizing the risk of zero-click exploit spyware attacks. Given this, would manually downloading the APKs from the official websites and verifying their signatures be the most secure method?
If I take this approach, how should I handle updates securely? Would using the Aurora Store be a better alternative, or does it pose security risks due to the permissions it requests?
Also, would I need to enable Google Play Services for any of these apps? If so, would that weaken my device’s security?
I’d really appreciate any guidance, including best practices—what to do and what to avoid. Thank you!

    XOS55 Downloading the apps from the source, checking the hash in AppVerifier, tracking subsequent updates with an RSS reader, and manually downloading and updating each app when available would remove as much third-party risk as possible.

    You do not need Google Play for these apps, but you will need to set Signal to unrestricted battery for notifications. With Proton Mail, however, you will not be notified of new emails without Google Play Services, although the app functions fine.

      XOS55

      Generally, sideloading should be avoided where possible, as it is the least secure method of installing apps. The recommended way is through Stores implementing proper safety checks and auto-updates. Aligning with this, the current recommendations are Accrescent and the official Google Play Store via sandboxed Play Services.

      Aurora Store or F-Droid are generally not recommended, due to partly rather severe security issues and broken auto-updates.

      Having sandboxed Play Services installed does not reduce security whatsoever and is probably the better way of obtaining those apps, security-wise.
      The privacy impact of sandboxed Play Services is also minimal, due to (as the name suggests) its sandboxed and unprivileged nature: it is confined to the normal app sandbox without any dangerous permissions out of the box, and has no privileged system integration or elevated access.

      Hence I would recommend obtaining the apps from the official Play Store, as the most secure way.

        Alternatively regarding Signal, you could use Molly, a hardened fork of Signal, which is available on Accrescent.

          Graphene1 Graphene1 quick question - for the RSS reader I got these instructions from ChatGPT: "Subscribe to Signal's APK update RSS feed using an RSS reader like Feeder (available in F-Droid)." Is there another that is more secure than F-Droid - but maybe not too advanced? Thank you!

            XOS55 You can get it off of GitHub, under Releases.

            Caveat: The F-Droid variant's fingerprint is included in the AppVerifier database; the "Play" Store one isn't.
            I believe it should still be signed by the author themself, though?

            However, my personal recommendation would be to go with either Read You (Releases) or Capy Reader (Releases).
            The former is listed in the AppVerifier database, while the latter is already compiling against the latest API target (in comparison to Read You).
            Both of them are smaller in size, including fewer (native) libraries, than Feeder, which lately (from my pov) added some unnecessary stuff like "Nostr" support.

            I feel like they're also quite simple in their interface and options; I just personally recommend setting a longer (~6-12 hours) refresh rate for feeds and enabling notifications.

            You can add the Proton apps (and your feed reader) to the feed reader by adding the "releases" URL from GitHub with a .atom suffix:

            https://github.com/ProtonVPN/android-app/releases.atom
            https://github.com/ProtonMail/android-mail/releases.atom

              XOS55 to track Signal updates

              Fupira yep, simply add ".atom" at the end of the GitHub releases link for the app you're looking to track and add it to your RSS reader (ReadYou is my preference).
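The posts above describe watching a GitHub `releases.atom` feed for new versions and then fetching and verifying each APK by hand. The following is an added example, not code from this thread or from any of the projects mentioned; it parses a constructed feed in the shape GitHub serves (the `example-org/example-app` repository, version numbers and dates are made up for the example) and reports which releases are newer than the installed version, skipping pre-release tags by default. A real feed would be fetched from a URL such as the ones quoted above; the feed only tells you that a release exists, and the downloaded APK still has to be checked against the pinned signing-certificate fingerprint before installing.

```python
"""Detect new releases from a GitHub releases Atom feed.

Added example for tracking sideloaded-app updates; not code from the
GrapheneOS forum thread or from Signal, Proton, Read You or Capy Reader.
"""
import re
import xml.etree.ElementTree as ET
from typing import NamedTuple

ATOM_NS = {"atom": "http://www.w3.org/2005/Atom"}
PRERELEASE_RE = re.compile(r"(alpha|beta|rc|pre)", re.IGNORECASE)

# Constructed sample feed shaped like https://github.com/<owner>/<repo>/releases.atom.
# The repository name, tags and dates are invented for this example.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Release notes from example-app</title>
  <updated>2024-05-20T10:00:00Z</updated>
  <entry>
    <id>tag:github.com,2008:Repository/1/1.3.0-beta1</id>
    <updated>2024-05-20T10:00:00Z</updated>
    <link rel="alternate" type="text/html" href="https://github.com/example-org/example-app/releases/tag/1.3.0-beta1"/>
    <title>1.3.0-beta1</title>
  </entry>
  <entry>
    <id>tag:github.com,2008:Repository/1/1.2.0</id>
    <updated>2024-05-02T10:00:00Z</updated>
    <link rel="alternate" type="text/html" href="https://github.com/example-org/example-app/releases/tag/1.2.0"/>
    <title>1.2.0</title>
  </entry>
  <entry>
    <id>tag:github.com,2008:Repository/1/1.1.5</id>
    <updated>2024-04-10T10:00:00Z</updated>
    <link rel="alternate" type="text/html" href="https://github.com/example-org/example-app/releases/tag/1.1.5"/>
    <title>1.1.5</title>
  </entry>
</feed>
"""


class Release(NamedTuple):
    tag: str      # release tag, e.g. "1.2.0"
    url: str      # release page URL
    updated: str  # ISO timestamp from the feed


def parse_releases(feed_xml: str) -> list[Release]:
    """Extract (tag, url, updated) for every <entry> in an Atom releases feed."""
    root = ET.fromstring(feed_xml)
    releases = []
    for entry in root.findall("atom:entry", ATOM_NS):
        link = entry.find("atom:link[@rel='alternate']", ATOM_NS)
        title = entry.find("atom:title", ATOM_NS)
        updated = entry.find("atom:updated", ATOM_NS)
        if link is None or title is None:
            continue  # malformed entry; ignore rather than guess
        url = link.get("href", "")
        # GitHub release links end in /releases/tag/<tag>; fall back to the title.
        tag = url.rsplit("/tag/", 1)[1] if "/tag/" in url else (title.text or "").strip()
        releases.append(Release(tag, url, updated.text if updated is not None else ""))
    return releases


def version_key(tag: str) -> tuple[int, ...]:
    """Turn 'v1.10.2' into (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(n) for n in re.findall(r"\d+", tag))


def newer_releases(feed_xml: str, installed: str, include_prerelease: bool = False) -> list[Release]:
    """Releases strictly newer than `installed`, newest first."""
    current = version_key(installed)
    candidates = [
        r for r in parse_releases(feed_xml)
        if version_key(r.tag) > current
        and (include_prerelease or not PRERELEASE_RE.search(r.tag))
    ]
    return sorted(candidates, key=lambda r: version_key(r.tag), reverse=True)


if __name__ == "__main__":
    # Pretend version 1.1.5 is installed and see what the feed offers.
    for rel in newer_releases(SAMPLE_FEED, "1.1.5"):
        print(f"update available: {rel.tag} ({rel.updated}) -> {rel.url}")
```

Swapping `SAMPLE_FEED` for the body of an HTTPS fetch of a real `releases.atom` URL and running this on a schedule gives the same signal a feed reader does, in a form that can be checked into a script; the version comparison is numeric-only, so a tag like `1.3.0-beta1` is treated as a pre-release purely by its name and hidden unless `include_prerelease=True`.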

                XOS55
                Fupira
                Graphene1

                The community generally recommends Obtainium as a feed reader to automatically update apps from something like GitHub releases; many other sources are supported as well. But please still be aware that, as per my first message, this counts as sideloading and should be avoided wherever an app store is available as an alternative.

                Also XOS55 please do not use AI for advice, instructions, evaluations or anything of that matter, especially if related to security and privacy needs. It does not know, it does not think, and it spews misinformation and dangerous/misguided advice. It is not a reliable source. It will make stuff up on the spot and claim very wrong things as being commonly accepted and right.
                The project also has a guideline on usage of AI here:
                https://discuss.grapheneos.org/d/11951-ai-generated-text-is-forbidden-with-the-exception-of-automated-translation

                Please get either Signal from the Play Store, or Molly from Accrescent. Really no reason to sideload these.

                  Fupira I believe it should still be signed by the author themself, though?

                  F-Droid releases are usually signed by F-Droid, which is one of the issues with it.

                  pxlkng ok thank you! Well, since I'm not very advanced in coding and this is the second time I've heard that downloading Signal, Proton VPN and Proton Mail from the sandboxed Google Play Store would NOT weaken my device security against zero-click exploit spyware, I will go this route. I will take a look at how to do this the right way and maybe ask follow-up questions, because while I am allowing Google Play, I do not want to grant some permission that I shouldn't and want to avoid big mistakes.
                  I also understand that by downloading from the Google Play Store I do not need to worry about signature verification or updates (which would happen automatically).
                  Again, thank you very much!

                  pxlkng You know, I was thinking of ways to make life easier and I came up with this plan (maybe you could provide some feedback - it is a simple plan). (1) Instead of getting Signal, since Molly is already in the Accrescent app, I could get it from there and wouldn't need to worry about updates or verifying signatures. Is that first part correct? Also, (2) with Molly I could talk with Signal users without any problem, and just as with Signal, Molly is less susceptible to zero-click exploit spyware?
                  Then (3) for mail, I would need to download Proton Mail and worry about that, since I could just log in from the GrapheneOS browser? And lastly, (4) for VPN, I could simply use one that is available in the Accrescent app? Any recommendations or suggestions? Thanks!