Which APK build is best?
N00b Perspective: GitHub Repo (Obtainium) v Izzy Repo v F-Droid Repo
Please correct where I'm wrong; gently, I'm trying to learn to fish.
With the posts about the signing issues and delays via the F-Droid Repo app versions, I went with Obtainium, which primarily pulled APKs from websites or GitHub. Get it right from the source.
It was great. Many of the common apps successfully passed AppVerifier (all installed apps should be checksum-verified, by the store or by you).
Play Store kept trying to update an app from GitHub because the package name and the signing key matched.
It's only registering in my understanding now. If Play Store can update the app, it was signed by Google. To be in Play Store, devs hand over their signing key, and Google can muck about. Do they? Unsure.
This means, though, that the Play Store version has the Google signing block (I think I've seen this marked on the Izzy repo), Google crash analytics, and potentially other Google requirements.
I thought that I don't want a Google Play Store version in my de-Googled profiles; however, I'm learning it's not as simple. Tuta and Proton Mail are two examples. We trust them to be private and secure. Is there a privacy or security issue from a Play Store version without Play Services? Unsure.
I re-evaluated how I install my apps:
1) App Store and 2) Accrescent are said to be priority trust installs. I'm unsure why we implicitly trust Accrescent, though?
3) IzzyDroid Repo because they validate the dev signature for me, less trying to find it, and break down any concerning features. IzzyDroid Repo can be pulled by Droidify or Neo Store; store and repo are different entities.
4) GitHub or Website version that doesn't match the Play Store's verification checksum in AppVerifier. It wasn't obvious for me, but installing AppVerifier on stock Android and comparing was helpful.
5) I'm still hazy if I should prefer the Google Play Store version or the F-Droid Repo version.
While F-Droid checks for open-source/free aspects, I don't see that it focuses on privacy, security or safety. Not all source code has signed commits or signed directories.
While Play Store will check on integrity and for maliciousness, with F-Droid you rely on the community to suss it out.
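The comparison AppVerifier does for you in items 4 and 5 comes down to one number: the SHA-256 digest of the DER-encoded signing certificate, which is also what `apksigner verify --print-certs` prints. The script below is an added example and is not part of the post, AppVerifier or any of the repos named; it normalises fingerprints copied in different styles (colons, spaces, upper/lower case), parses the digest line out of apksigner's output, and reports which builds share the fingerprint the developer published. The certificate bytes, the apksigner output and all fingerprints are constructed placeholders, and the "repo build signed with a different key" case is a constructed scenario to show what a mismatch looks like, not a claim about any particular app.

```python
"""Added example (not from the post): which APK builds share the developer's signing certificate?

A build's identity is (package name, SHA-256 of the signing certificate). AppVerifier and
`apksigner verify --print-certs` both show that digest; this module normalises it, parses it
out of apksigner output, and compares each build against the developer-published value.
Every certificate, digest and output string below is constructed for the example.
"""
import hashlib
import re


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded signing certificate, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; return lowercase 64-char hex or raise."""
    digits = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", digits):
        raise ValueError(f"not a SHA-256 certificate fingerprint: {fp!r}")
    return digits


# Matches the digest line printed by `apksigner verify --print-certs` (assumed format).
_APKSIGNER_DIGEST = re.compile(
    r"^Signer #(?P<n>\d+) certificate SHA-256 digest: (?P<hex>[0-9a-fA-F]{64})\s*$", re.M
)


def parse_apksigner_certs(output: str) -> list[str]:
    """Return the normalised SHA-256 fingerprint of every signer apksigner reported."""
    return [normalize_fingerprint(m["hex"]) for m in _APKSIGNER_DIGEST.finditer(output)]


def classify_builds(builds: dict[str, str], published: str) -> dict[str, bool]:
    """True for each build whose signing certificate equals the developer-published one."""
    ref = normalize_fingerprint(published)
    return {name: normalize_fingerprint(fp) == ref for name, fp in builds.items()}


# Constructed stand-ins for certificate DER bytes (real ones come from the APK signing block).
DEV_CERT_DER = b"constructed: developer's own signing certificate"
REPO_CERT_DER = b"constructed: a repository's rebuild-and-resign certificate"

DEV_FP = cert_fingerprint(DEV_CERT_DER)
REPO_FP = cert_fingerprint(REPO_CERT_DER)

# Constructed apksigner output for the GitHub build.
SAMPLE_APKSIGNER_OUTPUT = (
    "Signer #1 certificate DN: CN=Example Developer\n"
    f"Signer #1 certificate SHA-256 digest: {DEV_FP}\n"
    "Signer #1 certificate SHA-1 digest: 0000000000000000000000000000000000000000\n"
)

# Fingerprints as a user might copy them from three sources, each in a different style.
SAMPLE_BUILDS = {
    "github": parse_apksigner_certs(SAMPLE_APKSIGNER_OUTPUT)[0],
    "play_store": ":".join(DEV_FP[i:i + 2] for i in range(0, 64, 2)).upper(),
    "fdroid_repo": REPO_FP,  # constructed: repo rebuilt and signed with its own key
}


def check_sample() -> dict[str, bool]:
    """Compare the three builds with the fingerprint the developer published on their site."""
    return classify_builds(SAMPLE_BUILDS, DEV_FP)


if __name__ == "__main__":
    for name, same in check_sample().items():
        print(f"{name:12} {'same signer as published' if same else 'DIFFERENT signer'}")
```

A mismatch is not by itself proof of tampering (a repo that rebuilds from source and signs with its own key produces one legitimately), but it does mean the two builds cannot update each other and that the published fingerprint no longer vouches for that file; which key you choose to trust is the decision the post is wrestling with.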
Rules of thumb we see:
- Install from devs you trust; most put their apps in the Play Store or in a dual Izzy/F-Droid repo.
- Only install apps recently updated with thousands of stars.
I am writing this because I just installed an F-Droid Repo app with 3 stars, last updated last year, because I couldn't find a better solution.
During that journey I read many GitHub pages, lost a lot of sleep trying to verify app checksums before installing, and watched my marbles roll out the door because it shouldn't be so hard.