Which stores are recommended by GOS developer ?

Blank

Hello everyone,

First I apology because the topics must have been discussed a lot of times... But because I am discovering the forum... Still don't find those post.

So there's my question : which stores are recommended for downloading apos on GOS ? I used to believe f-droid was the best way on custom ROM... BUT I saw some users saying GOS doesn't recommend fdroid as a good apps store. So, which one ? Accrescent is good but doesn't provide enough app. Aurora store ? Or Obtenium ? Which one do you use or are recommended by GOS ?

Thanks and still apology for the rebarbative topic.

nandohyphen1

__Blank__ I personally use F Droid and Aurora Store. Yes, some say that F Droid isn't great, but I like it, so it just comes down to personal preference if you want to use it or not. But I've been able to find any app that I need (or a similar one) from either F Droid or Aurora Store.

Dumdum

__Blank__ Which one do you use or are recommended by GOS ?

https://grapheneos.org/features#sandboxed-google-play
If not Play Store, then Accrescent or Obtainium with AppVerifier.

Mystified3527

__Blank__
The developers recommend accrescent, play store then obtainium in that order, obtainium is sort of a stopgap measure untill accrescent is fully developed, so it's better than the alternatives but not the best. If you use obtainium you would need to install app verifier from accrescent (so that app verifier itself is verified and installed from a verified app store), and use it to verify any obtainium apps.

The reason they suggest play store is because their play sandboxing removes all special privileges, turning it into a normal app, and at https://grapheneos.org/usage#sandboxed-google-play they say that

The Play Store app is also the most secure way to install and update apps from the Play Store.

If you want to isolate the play store better, see some of the suggestions in the first article linked here: https://discuss.grapheneos.org/d/21487-seprand-articles-and-guides-about-grapheneos-by-the-community

About F-Droid and Aurora, the developers said:

GrapheneOS Our own App Store, Accrescent and App Verifier are highly recommended by GrapheneOS.

For apps in the Play Store, sandboxed Google Play Store is the most secure way to obtain them and many of them depend on sandboxed Google Play anyway. Making a purpose-specific Google account for this is very useful. If you're obtaining apps from the Play Store, you're trusting the Play Store to package and sign those apps regardless and many of those apps choose to include the Google Play SDK and libraries anyway.

We cannot recommend Aurora Store at the moment due to security issues. There is some initial work on addressing it but the main issue of not verifying signatures. The default account sharing is a potential problem but not the main issue, and it's likely to stop working at some point anyway.

We cannot recommend F-Droid due to major security and trustworthiness issues. We don't recommend adding this as another trusted party instead of using developer builds. You do not truly avoid trusting the app developers since they build whatever is released with near zero scrutiny and even serious review would not realistically catch issues

~~They have said this many times recently, I just wasn't able to find the more recent threads discussing it.~~
Here is one of the more recent threads about f-droid: https://discuss.grapheneos.org/d/23666-response-to-misinformation-about-our-sensors-permission-from-f-droid

raccoondad

__Blank__ the only ones recommended by GOS are:

Accrescent, the GOS app store, and google play store

Blank

Mystified3527 thanks you. So I'll delete those app stores

Mystified3527

Also, I forgot to mention, there is a niche use of Aurora store; sometimes google play claims that an app is not compatible with your device despite it being already installed/working on a stock pixel. I believe this is due to the play integrity API, and in this case, aurora is the only way to install the app.
I do use aurora to update an app that I installed with google play but then refused to update because it was "incompatible," though this is the only thing I use it for.

Blank

Mystified3527 but do you think

Mystified3527 but do you think Aurora and F-droid, although risky are very unsafe ? I wonder because I have installed a few critical app from them...such as my password manager... That would bother me if because I've install it from those sources it's compromised...

I used to use appverifier to check their integrity...but perhaps it isn't enough.

Mystified3527

__Blank__

Sorry if this is intrusive, but what is you password manager? Depending on what it is, you can uninstall then reinstall it from a better source (preferably google play).

Also, can you clarify what you mean by

__Blank__ but do you think Aurora and F-droid, although risky are very unsafe ?

This is an incomplete statement.

Blank

Mystified3527 I use proton pass, which on their official website links the f-droid as alternative from google play store.

Ah sorry, I meant although those store aren't recommended regarding of what the community says, do you think that critical data from critical apps can be compromised because I have downloaded them from Aurora or F-droid ?

harp

__Blank__ You can download all Proton apps from protonapps.com directly, e.g. Proton Pass: https://protonapps.com/protonpass-android. Next to the Google Play Option you'll find "Download APK" for every Android app on that site. You also find the SHA256 fingerprint for every app for verification with AppVerifier. Some download links (like Proton VPN) refer you to their Github project side, which you can add to Obtanium as source.

Mystified3527

__Blank__

I am not an expert, so this is probably something you want a response from one of the mods/devs.

Proton pass is cloud synced, so reinstalling it through play should be fine, just make sure everything is synced with the cloud/works on another device.
If google play allows you to update the aurora/f-droid apps, from my understanding of how certificate pinning on android works, this should mean the apps are fine, as google play's uncompromised update image would have to match the certificate of the app you already have.
For using app verifier, not all apps are in its database, so https://discuss.grapheneos.org/d/15368-lets-compare-hashes-for-apps-not-in-appverifiers-database might be helpful.

Blank

Mystified3527 thanks for your help. Greatly appreciate