Hey everyone, I've just installed GrapheneOS and want to get started on the right foot with installing apps.

It seems the conventional approach is to install F-Droid, download the Aurora Store, and install apps from either of those. Alternatively using a throwaway Google account with the Play Store would be similar to using the Aurora Store.

However, it seems F-Droid has security issues and I've seen recommendations to avoid it where possible? Other approaches seem to hinge on using the Play Store as much as possible, using apps like Obtanium, or building apps directly from source.

As a non Google-services user who's looking for a pretty minimal GOS setup, what is my best path forward here? I don't mind looking into advanced approaches but I don't have a developer skillset.

These are the main apps I want to install:

  • Signal
  • Session
  • Tutanota
  • BitWarden
  • iVPN

I appreciate any help, thank you!

    • [deleted]

    • Edited

    Signal apk is available on the official website
    All others are on github, you can find all the releases, like this : https://github.com/oxen-io/session-android/releases
    Just use an RSS feed to be notified of the next updates afterwards, or Obtanium yes.

    Thats a good choice of apps imo. I am also a new user and still havent started fully using my GOS phone yet as I want to make sure I get it right. I have learned so much on here just by reading through the forum and typing into the search bar any queries. There are so many helpful people on here that know their stuff which is great.

    Personally i prefer to get the apps either directly from the developers website or Github and just manually check for updates. It really is a personal choice though and plenty from what I can see use Google Play or Aurora also. Maybe for someone who wants lots of different apps the store option is prob the way to go. Thats just my opinion though and hope it helps at least a bit!

    matchboxbananasynergy

    How do I validate apps?

    In an attempt to get Accrescent, I came across this:
    https://github.com/accrescent/accrescent
    which simply validates the apk via SHA-256 signing certificate hash.
    1) O.K..... which hashing program is recommended for this?
    2) Is it included somewhere with GrapheneOS?

    PGP/GPG was the standard for validating checksums on some OS's. This article suggests an approach:

    https://www.privacyguides.org/android/?h=hash#verifying-apk-fingerprints

    3) So what are folks around here doing?

    TIA

      dirksche It is in early alpha. Currently, only whitelisted developers can submit their apps in order to iron out the kinks, but once it's out of alpha, a lot more apps will make it in. Currently, it's more of a "have it installed and use it as apps you want are made available through it" rather than a "install it and get all your apps from there" situation.

      I like the idea of downloading APKs directly and using an RSS reader to manually update.

      Question - how would you thoroughly search for an APK file if it wasn't in the assets in a GitHub repository? All I can think of is looking at the software's website (if applicable) and doing a search for the APK from official sources. Is there any other way to find APKs without an app store?

        FreshStart for projects that don't provide their own APK in the repo, I usually track them anyway and grab them from F-droid once available. I would prefer to build them myself, but I don't have the time to deal with that right now. Too many projects on the go and too little time.

        newbie24689

        which hashing program is recommended for this?

        apkverifier works, although there are some Android apps that can do the same. apkverifier is what Accrescent officially recommends.

        Is it included somewhere with GrapheneOS?

        No, but signing certificate information is planned to be included under the app info in Settings.

        That article shows you how to verify the certificate hashes with apkverifier.

        There's this article that has more details on this topic.

        https://privsec.dev/posts/android/android-tips/#where-to-get-your-applications

        Particularly want to point out this part

        That being said, [Aurora Store] lacks security features like certificate pinning and does not support Play Asset Delivery.

        Curious does anyone know whether downloading apks directly from Github also lacks certificate pinning? Is this an important security vulnerability?

          kopolee11

          Certificate pinning is a way to let an app know the remote server's expected certificate, basically. You can read about it here: https://developer.android.com/training/articles/security-ssl. I've read somewhere that Google doesn't really suggest devs use certificate pinning for a number of reasons. One big reason is OSs and apps already have a list of CAs (certificate authorities) that are trustworthy and help verify the authenticity of a website's own certificate.

          Browsers check certificates to make sure they're legit. So, if someone tried to stage a man in the middle attack to get you to install a malicious apk, you'd still see very obvious warnings in your browser.

          Internally, apps will throw errors if they try to access a website and something about the certificate is off, so Aurora doesn't really need certificate pinning. It also doesn't make sense for them to use certificate pinning. Why? Because they're not Google and won't know ahead of time if Google plans on making a change that'll break their app.

          So, no, using Aurora and installing apps from Github aren't really dangerous.

          FreshStart

          As a noob, for me this one was useful and easy to understand.
          Go to the big brother video site and search for the channel Side Of Burritos, then the video "You should use this instead of F-Droid | How to use app RSS feed", he is a 100% "add on" for this forum and original side GrapheneOs, he explain with video context a lot of info.

          11 days later

          Hello!

          I read a lot about Obtanium app as a replacement for F-Droid. In your opinion/experience - is that app trustworthy enough to use it with GOS? Also, the app description says that installs happen asynchronously. What does that mean exactly and did you run into problems with GOS?

            wojon is that app trustworthy enough to use it with GOS?

            Quickly looking at the app's Github repository, it does appear they're really getting releases from Github. I didn't check other app sources.

            I haven't actually used Obtainium, but I plan to eventually. Based on the code I checked it looks trustworthy to me.

            wojon Also, the app description says that installs happen asynchronously. What does that mean exactly and did you run into problems with GOS?

            Based on what they said in the readme and a comment in the code it just means that they can't follow the status of the install. Looking at the Flutter plugin they're using it's true there's no code to wait and see if the app installs successfully, just if the OS accepts the install request and prompts the user.

            This shouldn't cause anyone any problems as far as I can tell. If there's a problem, the app just won't install and the OS will notify you of the reason. When you relaunch Obtanium, it'll scan your installed apps again so if the install failed, you can try again.

            a year later

            If you install apps in User Profile. Will that app then be available in Owner Profile too? How to activate and install that app?

              PMUSR If you install apps in User Profile. Will that app then be available in Owner Profile too?

              It would not be "installed' in the owner profile.

              PMUSR How to activate and install that app?

              The easiest way would be to install the app again in the Owner profile.

              Or it would probably be easier to install first in the Owner profile then push the app from the owner profile to the other secondary user in Settings > System > Multiple users > *profile name* > Install available apps.

              a year later

              Not much activity in here recently, but I feel this is the best place to ask another noob question.
              I started installing apps inconsistently, (some APKs from developers websites, some from github, others through Accrescent, f-droid, or aurora). Now as I get more into it, I start realizing that hasn't been the smartest idea, as it makes it difficult to track what apps are up to date and which arent. Is there any fast way to see what is the source of an installed app? If not, any recommendation what would be the fastest way to set up such an overview?

                aop without 3rd party tools, you can find out the source in the app info of an app (long press on an icon and tap "App Info") at the bottom of the page, just above the version tag.