Specific Scenario - Best Security Practices for Installing Apps on a Pixel 9

XOS55

Generally, sideloading should be avoided where possible, as it is the least secure method of installing apps. The recommended way is through stores implementing proper safety checks and auto-updates. Aligning with this, the current recommendations are Accrescent and the official Google Play Store via sandboxed Play Services.

Aurora Store or F-Droid are generally not recommended, due to partly rather severe security issues and broken auto-updates.

Having sandboxed Play Services installed does not reduce security whatsoever and is probably the better way of obtaining those apps, security-wise.
The privacy impact of sandboxed Play Services is also minimal, due to (as the name suggests) its sandboxed and unprivileged nature, being confined to the normal app sandbox without any dangerous permissions out of the box, no privileged system integration or elevated access.

Hence I would recommend obtaining the apps from the official Play Store, as the most secure way.

    Alternatively regarding Signal, you could use Molly, a hardened fork of Signal, which is available on Accrescent.

      Graphene1 Graphene1 quick question - for the RSS reader I got these instructions from chatgpt "Subscribe to Signal’s APK update RSS feed using an RSS reader like Feeder (available in F-Droid)." Is there another that is more secure than F-Droid - but maybe not too advanced? Thank you!

        XOS55 You can get it off of GitHub, under Releases

        Caveat: The F-Droid variant's fingerprint is included in the AppVerifier database, the "Play" Store one isn't.
        I believe it should still be signed by the author themself, though?

        However, my personal recommendation would be to go with either Read You (Releases) or Capy Reader (Releases).
        The former of which is listed in the AppVerifier database, while the latter is already using the latest API-target to compile for (in comparison to Read You).
        Both of them are smaller in size, including fewer (native) libraries, than the Feeder one, which lately (from my pov) added some unnecessary stuff like "Nostr" support.

        I feel like they're also quite simple in their interface and options; I'd just personally recommend setting a longer (~6-12 hours) refresh rate for feeds and enabling notifications.

        You can add the Proton apps (and your feed reader) to the feed reader by adding the "releases" URL from GitHub with a .atom suffix:

        https://github.com/ProtonVPN/android-app/releases.atom
        https://github.com/ProtonMail/android-mail/releases.atom
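As an added illustration of the releases.atom approach described above (example code, not from any poster in this thread or from the projects mentioned): a small Python parser that builds the feed URL, reads the entries of a GitHub releases Atom feed and reports which releases are newer than the last tag you installed. The feed XML is a constructed sample modelled on the GitHub layout, and `example-org/example-app` is a placeholder repository; the feed only tells you that a release exists, so the downloaded APK still has to be verified (e.g. with AppVerifier) before installing.

```python
import xml.etree.ElementTree as ET

ATOM_NS = {"atom": "http://www.w3.org/2005/Atom"}

# Constructed sample feed (placeholder repo), shaped like GitHub's releases.atom.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Release notes from example-app</title>
  <entry>
    <id>tag:github.com,2008:Repository/1/5.1.0</id>
    <updated>2024-05-02T10:00:00Z</updated>
    <link rel="alternate" type="text/html"
          href="https://github.com/example-org/example-app/releases/tag/5.1.0"/>
    <title>5.1.0</title>
  </entry>
  <entry>
    <id>tag:github.com,2008:Repository/1/5.0.3</id>
    <updated>2024-04-10T09:30:00Z</updated>
    <link rel="alternate" type="text/html"
          href="https://github.com/example-org/example-app/releases/tag/5.0.3"/>
    <title>5.0.3</title>
  </entry>
</feed>"""


def releases_feed_url(releases_page_url):
    """Append '.atom' to a GitHub releases page URL (the trick from the post above)."""
    url = releases_page_url.rstrip("/")
    return url if url.endswith(".atom") else url + ".atom"


def parse_releases(feed_xml):
    """Return one dict per <entry>: tag (last path segment of the link), title, updated, url."""
    root = ET.fromstring(feed_xml)
    releases = []
    for entry in root.findall("atom:entry", ATOM_NS):
        link = entry.find("atom:link", ATOM_NS)
        href = link.get("href", "") if link is not None else ""
        releases.append({
            "tag": href.rsplit("/", 1)[-1],
            "title": entry.findtext("atom:title", default="", namespaces=ATOM_NS).strip(),
            "updated": entry.findtext("atom:updated", default="", namespaces=ATOM_NS),
            "url": href,
        })
    return releases


def newest_release(feed_xml):
    """The entry with the latest <updated> timestamp (ISO-8601 UTC sorts lexically), or None."""
    releases = parse_releases(feed_xml)
    return max(releases, key=lambda r: r["updated"]) if releases else None


def new_since(feed_xml, last_seen_tag):
    """Releases published after the given tag; all of them if the tag is not in the feed."""
    releases = parse_releases(feed_xml)
    seen = [r for r in releases if r["tag"] == last_seen_tag]
    if not seen:
        return releases
    return [r for r in releases if r["updated"] > seen[0]["updated"]]
```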

          XOS55 to track Signal updates

          Fupira yep, simply add ".atom" at the end of the GitHub releases link for the app you're looking to track and add it to your RSS reader (ReadYou is my preference)

            XOS55
            Fupira
            Graphene1

            The community generally recommends Obtainium as a feed reader to automatically update apps from something like GitHub releases; many other sources are supported as well. But please still be aware that, as per my first message, this counts as sideloading and should be avoided wherever possible when an app store is available as an alternative.

            Also XOS55 please do not use AI for advice, instructions, evaluations or anything of that nature, especially if related to needs of security and privacy. It does not know, it does not think and it spews misinformation and dangerous/misguided advice. It is not a reliable source. It will make stuff up on the spot and claim very wrong things as being commonly accepted and right.
            The project also has a guideline on usage of AI here:
            https://discuss.grapheneos.org/d/11951-ai-generated-text-is-forbidden-with-the-exception-of-automated-translation

            Please get either Signal from the Play Store, or Molly from Accrescent. Really no reason to sideload these.

              Fupira I believe it should still be signed by the author themself, though?

              F-Droid releases are usually signed by F-Droid, which is one of the issues with it.

              pxlkng Ok thank you! Well, since I'm not very advanced on coding and this is the second time I've heard that downloading (Signal, Proton VPN and Proton Mail) from the sandboxed Google Play Store would NOT weaken my device security against zero-click exploit spyware, I will go this route. I will take a look at how to do this the right way and maybe ask follow-up questions. Because while I am allowing Google Play, I do not want to grant some permission that I shouldn't and want to avoid big mistakes.
              And I also understand that by downloading from the Google Play Store I do not need to worry about signature verification nor updates (which would happen automatically).
              Again, thank you very much!

              pxlkng You know, I was thinking of ways of making life easier and I came up with this plan (maybe you could provide some feedback - it is a simple plan). (1) Instead of getting Signal, since Molly is already on the Accrescent app, I could get it from there and wouldn't need to worry about updates, nor verifying signatures. Is that first part correct? Also, (2) with Molly I could talk with Signal users without any problem and, just as with Signal, Molly is less susceptible to zero-click exploit spyware?
              Then (3) for mail, would I need to download Proton Mail and worry about that, since I could just log in via the GrapheneOS browser? And lastly, (4) for VPN I could simply use one that is available on the Accrescent app? Any recommendation or suggestions? Thanks!

              Molly is pretty seamless in messaging with standard Signal users. I use Molly, and most of my secure messaging contacts are using standard Signal, and I haven't had any issues.

              I find the Accrescent store convenient, and appreciate the security, but find it lacking regarding the app descriptions. Trying to get clear and fulsome information on individual app features, and the developers behind the apps, is next to impossible. A lot of the apps don't even bother with a website, which I find a bit strange. I installed SoupSlurpr's apps only after finding his postings here, and figuring he was legit. It's early days, I suppose, so Accrescent should become more noob-information friendly eventually.

              I use Tuta for email, no problems with notifications. I did sideload the app APK, successfully verified the hash with AppVerifier, though you can certainly install via sandboxed Google Play. Tuta is already post-quantum resistant, and includes a basic encrypted calendar, if you wish to use that.

              I installed and paid for IVPN from Accrescent, and am generally happy with it, but sometimes it loses connection in my main user (not owner) profile, and I have to either toggle it to a different server, or switch the protocol. Mullvad might be a smoother experience, based on information from GrapheneOS that it's the most compatible with it.