FreshStart Hi! Personally, I currently use Aurora Store for most of my apps, and then use Read You (an RSS feed reader) to track updates for the rest of my apps via GitHub/GitLab. Finally, I've also started using Accrescent, through which I hope to be able to get the majority of my apps in the future.
Best way to install apps?
matchboxbananasynergy Accrescent has 4 apps without any description. Is this an early alpha or am I to stupid to use the app?
How do I validate apps?
In an attempt to get Accrescent, I came across this:
https://github.com/accrescent/accrescent
which simply validates the apk via SHA-256 signing certificate hash.
1) O.K..... which hashing program is recommended for this?
2) Is it included somewhere with GrapheneOS?
PGP/GPG was the standard for validating checksums on some OS's. This article suggests an approach:
https://www.privacyguides.org/android/?h=hash#verifying-apk-fingerprints
3) So what are folks around here doing?
TIA
dirksche It is in early alpha. Currently, only whitelisted developers can submit their apps in order to iron out the kinks, but once it's out of alpha, a lot more apps will make it in. Currently, it's more of a "have it installed and use it as apps you want are made available through it" rather than a "install it and get all your apps from there" situation.
I like the idea of downloading APKs directly and using an RSS reader to manually update.
Question - how would you thoroughly search for an APK file if it wasn't in the assets in a GitHub repository? All I can think of is looking at the software's website (if applicable) and doing a search for the APK from official sources. Is there any other way to find APKs without an app store?
FreshStart for projects that don't provide their own APK in the repo, I usually track them anyway and grab them from F-droid once available. I would prefer to build them myself, but I don't have the time to deal with that right now. Too many projects on the go and too little time.
- Edited
which hashing program is recommended for this?
apkverifier works, although there are some Android apps that can do the same. apkverifier is what Accrescent officially recommends.
Is it included somewhere with GrapheneOS?
No, but signing certificate information is planned to be included under the app info in Settings.
That article shows you how to verify the certificate hashes with apkverifier.
There's this article that has more details on this topic.
https://privsec.dev/posts/android/android-tips/#where-to-get-your-applications
Particularly want to point out this part
That being said, [Aurora Store] lacks security features like certificate pinning and does not support Play Asset Delivery.
Curious does anyone know whether downloading apks directly from Github also lacks certificate pinning? Is this an important security vulnerability?
Certificate pinning is a way to let an app know the remote server's expected certificate, basically. You can read about it here: https://developer.android.com/training/articles/security-ssl. I've read somewhere that Google doesn't really suggest devs use certificate pinning for a number of reasons. One big reason is OSs and apps already have a list of CAs (certificate authorities) that are trustworthy and help verify the authenticity of a website's own certificate.
Browsers check certificates to make sure they're legit. So, if someone tried to stage a man in the middle attack to get you to install a malicious apk, you'd still see very obvious warnings in your browser.
Internally, apps will throw errors if they try to access a website and something about the certificate is off, so Aurora doesn't really need certificate pinning. It also doesn't make sense for them to use certificate pinning. Why? Because they're not Google and won't know ahead of time if Google plans on making a change that'll break their app.
So, no, using Aurora and installing apps from Github aren't really dangerous.
As a noob, for me this one was useful and easy to understand.
Go to the big brother video site and search for the channel Side Of Burritos, then the video "You should use this instead of F-Droid | How to use app RSS feed", he is a 100% "add on" for this forum and original side GrapheneOs, he explain with video context a lot of info.
Hello!
I read a lot about Obtanium app as a replacement for F-Droid. In your opinion/experience - is that app trustworthy enough to use it with GOS? Also, the app description says that installs happen asynchronously. What does that mean exactly and did you run into problems with GOS?
- Edited
wojon is that app trustworthy enough to use it with GOS?
Quickly looking at the app's Github repository, it does appear they're really getting releases from Github. I didn't check other app sources.
I haven't actually used Obtainium, but I plan to eventually. Based on the code I checked it looks trustworthy to me.
wojon Also, the app description says that installs happen asynchronously. What does that mean exactly and did you run into problems with GOS?
Based on what they said in the readme and a comment in the code it just means that they can't follow the status of the install. Looking at the Flutter plugin they're using it's true there's no code to wait and see if the app installs successfully, just if the OS accepts the install request and prompts the user.
This shouldn't cause anyone any problems as far as I can tell. If there's a problem, the app just won't install and the OS will notify you of the reason. When you relaunch Obtanium, it'll scan your installed apps again so if the install failed, you can try again.
If you install apps in User Profile. Will that app then be available in Owner Profile too? How to activate and install that app?
PMUSR If you install apps in User Profile. Will that app then be available in Owner Profile too?
It would not be "installed' in the owner profile.
PMUSR How to activate and install that app?
The easiest way would be to install the app again in the Owner profile.
Or it would probably be easier to install first in the Owner profile then push the app from the owner profile to the other secondary user in Settings > System > Multiple users > *profile name* > Install available apps
.
Not much activity in here recently, but I feel this is the best place to ask another noob question.
I started installing apps inconsistently, (some APKs from developers websites, some from github, others through Accrescent, f-droid, or aurora). Now as I get more into it, I start realizing that hasn't been the smartest idea, as it makes it difficult to track what apps are up to date and which arent. Is there any fast way to see what is the source of an installed app? If not, any recommendation what would be the fastest way to set up such an overview?
aop without 3rd party tools, you can find out the source in the app info of an app (long press on an icon and tap "App Info") at the bottom of the page, just above the version tag.
aop f not, any recommendation what would be the fastest way to set up such an overview?
Obtainium exists to solve exactly this problem, but it will take some work for you to setup initially.
Probably9857 - as I understand the use case for obtainium, it is aiming to show you about updates to run from apps that are installed through a source that does not provide auto updates (like e.g. f-droid or aurora). so for this to be useful, i first would have to go down the path splattergames mentioned in his last comment and sort out for what apps I can rely on the app stores (f-droid, aurora) and for what I would have to set obtainium. am I right?
thank you both for your input :-)
This video from Side Of Burritos explains Obtanium very well
aop as I understand the use case for obtainium, it is aiming to show you about updates to run from apps that are installed through a source that does not provide auto updates
Right. It would be mainly for apps that don't have some other way of auto-updating or notifying you.
You would still need to review everything you have already installed to identify which apps to configure in Obtainium.