Which App-/Play-Store?

Graphity

New to GrapheneOS;
After installation I found that I have to install a store to get the (small count) needed apps. Which store is recommended?

teezeh

Graphity Which store is recommended?

Play Store via sandboxed Play Services.

Twix

Graphity I've only been using fdroid for 6 years, no worries for me. I would never go back to Google, I don't even have a Google account anymore.

Brainrot

Fdroid to search for Foss apps
Github to download foss apk
Play store to download proprietary apps
Obtanium to update Foss apps
Accrscent to download apps

SgtSurehand

research possible alternatives that do not contain Google and other tracking libraries if your threat model calls for it. There is nothing that you "have to" install as if your life depended on it.

charles25565

Use Accrescent when possible, but there is very few apps in there as of now. If you need more, use the Play Store. Both are accessible in the App Store app.

Pocketstar

From best to worse: (As far as I could tell, I am no expert on the matter, so take it with a grain of salt)

1: Accrescent and GrapheneOS's build-in App Store.
2: Play Store (Be careful only to download safe apps, most apps are proprietairy black boxes, but there is also FOSS)
3: Obtainium. (For updating sources from sites like GitHub and more)
4: F-droid. (Has FOSS, but has issues, see https://discuss.grapheneos.org/d/18731-f-droid-vulnerability-allows-bypassing-certificate-pinning for a discussion about this subject, F-Droid is just another additional party to trust)

Don't forget to use AppVerifier in conjunction with the solutions mentioned above. (You can download it through Accrescent)

For my personal use I utilize Accrescent and Obtainium and the app Droid-ify to search for new apps and sources for them (not to install them) I use Obtainium after aquiring the sources through Droid-ify.
As for the Play Store; I just want to be as Google-free as possible, even though GrapheneOS provides a fantastic solution through the sandboxed Play Store, it is just me being... Me)

pxlkng

Pocketstar most apps are proprietairy black boxes

This is not correct. Proprietary is absolutely not a black box. You can audit it just fine. You can see what it does just fine. It is code like any other you execute. The licensing doesn't change any of that. If the system can execute instructions, those instructions can be read, and those instructions tell you what the program does.

You don't need the source.

Also, FOSS doesn't equal better or more secure/private. In practice, it is probably rather the opposite and proprietary code is likely more secure due to being backed up by corporations that can afford proper audits and regular maintenance.

Pocketstar F-droid

F-Droid has severe security issues and shouldn't be used.
https://xcancel.com/GrapheneOS/status/1883895255142932816#m
https://gitlab.com/ironfox-oss/IronFox/-/issues/7
https://privsec.dev/posts/android/f-droid-security-issues/

Generally, app stores should be preferred. The recommended ones are Accrescent and Google Play Store.
Sideloading should only be done if absolutely necessary, with Obtainium+AppVerifier to verify the authenticity of the downloaded apks. AppVerifier is only needed if you sideload, if you use a proper store like Play Store or Accrescent, you don't need to manually verify with AppVerifier.

SgtSurehand

pxlkng AppVerifier needs to extend its database if it's to be properly used as this glorified verification tool, half of my foss apps are not covered by it, which I already pointed out some weeks ago.

Pocketstar

pxlkng This is not correct. Proprietary is absolutely not a black box. You can audit it just fine. You can see what it does just fine. It is code like any other you execute. The licensing doesn't change any of that. If the system can execute instructions, those instructions can be read, and those instructions tell you what the program does.

You don't need the source.

Also, FOSS doesn't equal better or more secure/private. In practice, it is probably rather the opposite and proprietary code is likely more secure due to being backed up by corporations that can afford proper audits and regular maintenance.

Perhaps it is best for me not to mention F-Droid at all anymore as an option because even though it is a "possibility," it is not a safe one and there are alternatives that do it better, and it will only spread confusion, my apologies for that.

Also, it is indeed true what you said about proprietairy apps, I was wrong about that generalized "black box" statement.
Yet I still want people to know that there are alot of malicious apps on the Play Store (wheter it be FOSS or proprietairy) that people are not aware of and that should be avoided. (The same thing could apply to other app stores as well)
For example;
-Apps that let you sign an agreement that intrude on your rights.
-Apps that have tons of tracking involving personal identifyable information of users.
-Apps that use lots of unnecessary permissions like using the phone number, along other things. (It depends on the app, apps like dialers should have access to the dialer permission)
I guess it is best if people gather some intel on each app before installing it from both Play Store or another source/store.

One more thing;

Even though GrapheneOS is very accessible to beginners like myself, what people have to do afterwards to maximize security can still be very confusing to many.
Perhaps someone can point to a good guide (or create one) on the recommended steps to take after installing GrapheneOS, because there are so many questions about it on the forum, yet a simple link could be sufficient to inform people properly instead of having conflicting advices.
Perhaps that guide could be made as an app for GrapheneOS? (Or an extra section within the "Info" app)

pxlkng

SgtSurehand

AppVerifier is only meant as a tool for viewing/comparing the hash, its database probably will not be extended anymore and may even be removed in the future, it was only meant as a little nicety, afaik. You are supposed to manually get the correct hash from the developer, the github, website, or by asking other community members that already have the app.

Kindkey4468

I use Aurora in stead of Google Playstore and Droid-ify in stead of Fdroid (just for finding apps which Install via Obtainium). Is there Amy reason why I shouldn't ?

pxlkng

Kindkey4468

Yes, Aurora Store should not be used as it is insecure, dangerous and has no privacy benefit over sandboxed Play Services on GrapheneOS.

It does only cripple your security:
It doesn't properly verify downloaded apps and it doesn't have working or reliable auto-updates, potentially leaving you without critical security updates to apps.

It does not have a privacy benefit over sandboxed Play Services, as it does not avoid Google or any of its tracking and data collection, it is only a less secure "feel-good" placebo.
Apps from the Play Store bundle Google libraries with them. Those run completely independently and don't need Play Services to work. This gives Google the same access it would have if you had Play Services installed, which is not much in any way to begin with, due to the strong app sandbox.
But combined with the fact that you now also have less security and security being a prerequisite to privacy, you have even less privacy using Aurora Store than if you would just be using sandboxed Play Services.

You can do so with an anonymous Google account, created without a phone number or any PII. To do this, create it from a non-suspicious IP address, meaning no Tor or VPN, for example a public WiFi.

There are some niche valid use cases for Aurora, for example bypassing Play Integrity on app listings, to get apps that you otherwise couldn't download, but normal usage is not one of those cases and you should uninstall it and switch to sandboxed Play Services.

pxlkng

Kindkey4468

Droid-ify seems to just be an F-Droid client. If that's the case, my previous message about F-Droid still applies.

F-Droid should be avoided as a whole, meaning not only the main client but also its whole infrastructure, repositories and structures.

Twix

pxlkng I have a doubt about the security of Google play services in sandbox since they communicate with other applications via IPC. This means that the play store scans your installed applications by default, if you have contacts it can synchronize them, if you have YouTube your playback history will be saved in your Google account by default... ect. Aurora is only there to install applications.

Pocketstar

pxlkng Droid-ify seems to just be an F-Droid client. If that's the case, my previous message about F-Droid still applies.

F-Droid should be avoided as a whole, meaning not only the main client but also its whole infrastructure, repositories and structures

Agreed, but the app Droid-ify does support other repositories than F-Droid as well, F-droid can be disabled as a repository within Droid-ify.
Furthermore, they do have a link to the source website of all apps (other than F-Droid, F-Droid is indeed insecure and should not be used) which I use for reference with Obtainium as well. (Specifically the link)
But I am no expert on the matter, I merely state what I observe, so please correct me if I'm wrong.

Elgoog

IWhat is it exactly that makes Accrescent safer than other sources aside from the GOS app store?

pxlkng

Elgoog

App Stores are usually safer because they (ideally, this is the case for the recommended ones) properly verify downloaded apks to be authentic, provide reliable automatic updates and often have policies and moderation that combats malicious apps or invasive permissions better than possibly in other places.

pxlkng

Twix I would never go back to Google

You are (I suppose) using a Google device, running Google firmware and software.

There is no issue with creating an anonymous Google account and using that with sandboxed Play Services and this is arguably the better approach in every way.

pxlkng

Twix

This is not true. IPC is not exclusive to sandboxed Play Services and has nothing to do with the Play Store. Apps can do IPC based on mutual consent, this is part of the app sandbox.

As I explained, apps from the Play Store bundle Google libraries that run independently and can collect data or do IPC on their own without the Play Store or Play Services installed.

Aurora Store does not avoid anything of what you mentioned and it has no privacy benefit. Aurora Store does not avoid any tracking or data collection. Aurora Store does not avoid IPC. There is still IPC, apps can still talk to each other.

Twix This means that the play store scans your installed applications by default

It can only see which apps are installed in the same profile. It cannot access any data in them.

Twix if you have contacts it can synchronize them

This is simply not true, as long as you don't grant an app the Contacts permission, it cannot access them.

Twix I have a doubt about the security of Google play services in sandbox

There is no doubt to have, it is better than Aurora Store.

Twix

pxlkng Does Aurora have access to contacts, calendar and others? I can guarantee you that the contacts on my wife's pixel are synchronized in her Google account "sandbox" and the applications installed via fdroid are scanned and appear in the play store. It's factual, I have his phone in front of my eyes right now.

pxlkng

Twix

Please carefully re-read my previous message.

No app has arbitrary or out-of-the-box access to "contacts, calendar and others", unless your grant the specific permissions.
This applies to Play Services and Play Store as well, because those are just regular apps on GrapheneOS. They do not have access to this data unless you give them that access manually.

You or your wife probably granted contacts or phone permission to Play Services at some point, or this is something completely different that you are misinterpreting.
There is nothing factual with that.

Aurora Store also doesn't avoid Google seeing which apps you have installed.
Every app can see other apps installed in the same profile. This is not specific to the Play Store.

Also like mentioned previously, F-Droid is not recommended and shouldn't be used.

Twix

pxlkng If you have examples of attack or compromise on fdroid since 2010 I am listening to you.