Hello,
Quick background: First-time GoS user. My focus is privacy and I want to avoid installing apps that could contain spy-blob-codes as much as possible unless absolutely necessary. I have read the F-Droid vulnerability writeup.
First off, from the bottom of my heart I thank you for your OS. You have done valiantly and saved me from the abyss of the world we live in. I can't thank you enough for your work and hope you will be around forever. My donations are on the way.
Given that an app might be available on all these sources, I am constantly unsure of which source I should install from for better privacy. The issue comes from my lack of knowledge about Play Store apps, which I'm hoping you can clarify for me.
Installing from Aurora (Play Store rep) should be theoretically the best option because:
early updates
automatic update
worry-free security assurance
However, I've heard that even if an app is totally FOSS and privacy-respecting, the process of publishing the app on the Play Store adds extra Google binaries to the APK package, and these binaries could then do things you and I may not want. Is this true? This is the source of all my concerns. Is this something that adds privacy concerns, and should I be worried about it? Or have I been misinformed?
Installing from the F-Droid rep has the benefits of:
automatic updates
guarantee from F-Droid of no binary blobs/spyware
no google store blob fear
Problems with F-Droid are that the updates might roll out slower, and the whole SDK and security keys thing. Although, in my eyes, these are not deal breakers, but annoyances.
Installing from GitHub (or a website) has the benefits of:
earliest updates
no google blob concerns
no F-Droid annoyances
However, there are no automatic updates, and most importantly there is no guarantee that the code from GitHub (or a website) is actually corporate-blob-free and doesn't have privacy issues. Yes, it's open source, but who's checking?
Example: Geometric Weather, a quote from its GitHub page:
There are 3 build variants now. Specifically, the fdroid variant does not contain any closed source 3rd-party SDK, such as Baidu Location Service and Bugly. The gplay variant integrates the Google Play Service to improve accuracy of location. And finally, the public variant contains all closed source 3rd-party SDKs which do not exist in the fdroid version, except the Google Play Service.
My preferred choice is to go with a store because of the convenience of auto updates and security assurances.
If it weren't for the fear of apps from the Play Store having an added layer of privacy issues, I would just go with Play Store/Aurora. But if it's a real concern, then I'd go with F-Droid/GitHub.
I don't want to have false fears and want to get my facts straight.
So I'm asking to see if any of you experts here can clarify: when downloading apps like the Simple Apps Suite, OsmAnd, Organic Maps, etc. (available both on Google Play and F-Droid/GitHub/website), should I download from Aurora without concern, or should I go with the second option for fear of Google APKs?
Thank you kindly, and sorry for the long post,