What is the most reliable way to install apps on graphene OS?

Richo

I have installed some apps using Aurora store, but its hit and miss, sometimes it doesnt work sometimes it does, but now i cant even update apps that have been installed, it keeps giving the error "There was a problem while parsing the package" then it will say "app not installed because its not compatible with your device"

Ive seen suggestions to use "sandboxed google play" which i have for apps on a separate profile that wont install without good play services, but that now means i have to switch to that profile to see any notifications. Ive also noticed notifications are not even working on some apps which is becoming a problem

I want a privacy focused phone but its becoming too difficult to use, Im not that tech savvy and dont have the time to spend hours trying to figure out why an app wont update, installing google play seems kind of stupid on a degoogled phone. I dont need to use any google products but it seems like a lot of apps need it which is unfortunate. Ive only recently started to use graphene, I was using lineage for a few years prior and never had these kinds of issues, it seems like graphene is really locked down, to the point its a pain to use.

Perhaps graphene is not for me?

IS there a guide on reliably installing apps on graphene? Or is this just the nature of the beast.

Elgoog

It is an unfortunate fact that many apps rely on Google services for notifications. That has nothing to do with GrapheneOS.

If using multiple profiles, you can choose for notifications to be sent to the active profile.

As a general guide, I do as Side Of Burritos suggests in this video, though it was made before private spaces came on the scene. I've had few serious problems installing apps, though setting apps up in Obtanium can be a little finicky. I don't use the Aurora store, so I can't help there.

If it's all too much trouble, why not just use a single profile and install the Play Store and Google services. Between the sandboxing of Google services and Graphene's other features, you'll still have significantly better privacy than on stock Android. Then experiment with private spaces or multiple profiles and evolve your setup from there. Privacy is a journey, not a destination.

barding

I'm actually not really grasping the exact extent of the sandboxing: my threat model isn't particularly severe, so I don't mind that a store knows I bought something there. My issue has always been with them knowing MORE. So let's say I download like a weather app from sandboxed play store using my own profile... I don't mind the store knowing I downloaded the app, and I don't mind the app knowing where I am/where I want to know about the weather, but I mind the store knowing where I want to know about the weather. Does the sandboxed store generally prevent this kind of info leakage, or should I expect that play store in general still gets quite a bit of info from apps I install through it?

DirtyDan

barding Play Store should not have access to in-app data unless an app is sharing data. Read each app's privacy policy. This is why open-source apps with short and sweet privacy policies are recommended for privacy.

Location (in a weather app) can come from multiple sources. If you just plug in a location manually without location services, then no tracking outside of what that app shares should take place.

If you enable location permission, location data by default comes from GrapheneOS location proxy. Location is only sent when you allow it for each app such as Ask every time, Only while using the app, or All the Time. Just keep in mind that an app with unrestricted battery and data access n the background may be able to bypass the "only while in use" since it's technically always in use. Nevertheless, you will see a green light pop up next to your camera when location is being shared in the background.

Go to Settings -> Location to see which service is handling your location services. You have the option to select Google location services, which will send location data to Google for apps that have location permission enabled. If you're happy with GrapheneOS proxy, there's no reason to switch. Google location services are usually only needed for specific Google location services such as find my device and potentially some Google maps features (I'm not sure).

Apps can still infer locstion by other means such as your ip address and other sensors. GrapheneOS provides a Sensors permission toggle for every app including sandboxed play services. You have the option to deny this permission for all new installed apps by default in your Security & Privacy settings menu. You can also use a trusted VPN to mask your ip address if this is a concern.

Apps can still communicate with each other, regardless of privacy sandbox, through explicit mutual consent (interprocess communication). Again, read the privacy policy and stick to open source apps if this is a concern. If an app decides to share data with Google this way, the only way to stop that is to install it on a separate profile or private space.

For some open source apps, they will provide a "libre" fork without Google proprietary blobs if you source the app from F-Droid or their github. KeePassDX and Aves Gallery are two such examples. Usually, the Google stuff is only there to provide additional features such as Google maps integration, Google drive integration, or to allow you to make purchases using your Google account, etc. Every app is different though.

This IPC is also the reason why if you login to one Google app, you get logged in on other Google apps, despite the sandbox.

DirtyDan

Most PUSH notifications use Google's FCM protocol in the background, which means you need some sort of Google or Google spoofing layer to receive them. That's just the nature of current Android since most people use stock and most developers assume you're using stock.

Though, this doesn't apply to non-push notifications such as alarms, reminders, pull notifications (supported by some email clients, RSS readers), etc.

There are also some apps that use alternative push notifications such as UnifiedPush, but you need to set this up yourself (worth looking into if interested). Some apps support their own notifications by opening up a websocket that maintains a persistent connection to the app"s server rather than using Google as an intermediary, though this will be worse for battery than just running sandboxed play services if you require push notifications for more than 1-2 apps. Most people that do this will use it for Signal/Molly. (Molly notifications are much better for battery life) and only if they're insistent on not having sandboxed play services since Signal supports FCM by default.

Ultimately, you have a few choices.

Live without push notifications on certain apps.
Use sandboxed play services
Use alternatives to fill the gap, like Thunderbird/Fairemail for pull notifications, You've got mail (found on F-droid), Unified push, websockets
Compartmentalize your apps to multiple profiles/private spaces so you can separate out the apps that require play service notifications and those that don't (always running multiple profiles in the background will usually be worse for battery life than a single profile running play services).

As for installing apps, here are some helpful pieces of knowledge to help you strategize.

Play Store is more secure and more reliable than the Aurora Store. You can attempt to create an "anonymous* Google account and only use this on a profile with an always-on-VPN if concerned about privacy.
There are alternatives like Obtainium, Accrescemt, and F-Droid, though many on here discourage F-Droid due to security concerns (such as F-Droid apps sharing the same F-Droid signing key instead of being uniquely signed by the developer - this is why they recommend the play store or getting apps directly from the developer's repo via obtainium).
Sandboxed play services is significantly more privacy friendly and secure than normal play services running on stock, GApps, microg, etc. Unlike those, GrapheneOS' implementation of sandboxed play services does not have system level privileges to do whatever it wants on your phone. It's contained like every other app which means it only has access to the permissions you give it and it has the ability to communicate with apps that have explicitly agreed to communicate with it (via interprocess communication - such as Google logging you in across Google apps or apps choosing to support FCM). To get reliable FCM notifications on GrapheneOS, play services only requires 2 permissions: network and notifications as well as setting it to have unrestricted battery usage in the background. You can use an always on VPN if you're adamant about not sending your ip address to google.
Android security features do not allow you to downgrade an app to an older version without first uninstalling the app. The signing key must also match for each update. As long as the signing key matches, you can update from any source you want.
If you do not install from an app store that verifies the signing keys for you, such as play store and accresscent, you need to verify it yourself manually. This means using App Verifier if it's logged on their database or hunting down the keys yourself and either using app Verifier or adb to manually confirm the app you're trying to install matches the signing key from the developer. GrapheneOS doesn't expect new users to do this which is why they recommend the play store. Developers also often don't make their keys easily accessible. As far as the Aurora store, from my understanding, it's considered less secure since it does not provide play protect and it uses a shared Google login for its "anonymous" login option, which is a security concern. Again, it's not that it can't be used, but grapheneOS cares more about security than questionable privacy benefits.
Apps are installed only once on the device regardless of how many profiles or private spaces it's installed on. But each profile only has access to the apps that you allow them to have access to and the apps can only see that profile versions' app data.This is important to understand since it directly ties into the previous bullet point. Meaning:
If you update an app on one profile, it updates it on all profiles.
If the signing key does not match the signing key of the app on another profile, you'll be blocked from installing/updating it. This happens frequently when switching between F-Droid apps and developer signed apps as explained previously.
You cannot downgrade an app without first uninstalling it from ALL profiles.
You can update an app even if it's disabled.
You can install apps to other profiles if the app is installed on the owner. You can similarly install apps to a private space if the app is installed on that private space's profile.

With this information, you can get creative.

So for example, some people will choose to use the Owner as an app installer/updater. Install the app from play store or other source, disable permissions, disable the app, and then push it to another profile from the multiple profiles settings menu. You can simultaneously remove unrestricted battery usage on play services on that profile or even disable it temporarily if you're comfortable with manually checking for updates.

This also means that if for some reason you're having an issue updating an app, you can get around this by installing the newest version on another profile.

You can also use a private space to update previously installed apps as well, though installing apps for the first time would still need to be done in the Owner if you want to push it to multiple profiles without having to manually install it on each profile.

Having said all of this, the simplest strategy especially for new users is to just use a single profile with sandboxed play services. All of this stuff is very cool (well, I think it's cool), but it's pretty overkill for the average person's threat model who are just looking to minimize unnecessary data collection.

And this ties back to something else you said: degoogle. GrapheneOS is a security focused operating system with privacy benefits. It's technically degoogle by default, but its goal is not strictly to degoogle. Too many people fall into the trap of thinking they need to completely remove Google, which is a very narrow and impractical focus. There are so many privacy and security threats out there and Google is not even the worst player out there, which degoogling not only does nothing to protect against, but also may cause further issues by setting you up with insecure tech in the name of degoogling. You're also still not going to successfully degoogle even if you have a degoogled phone - Google (and other privacy concerning companies) control the internet regardless of which phone OS you use.

GrapheneOS, at least according to how I see it, gives you the ability to take advantage of things Google offers (like Pixel hardware security features, play services, camera quality, chromium performance and security, android itself) while at the same time significantly improving security and significantly limiting the scope of Google's control over your phone and data.

simplenot

DirtyDan This is hands down the best answer I have found so far on what GOS is, how you can use it and what for it can be used.

Great job!

fernlike

DirtyDan GrapheneOS is a security focused operating system with privacy benefits.

Just a wee correction on this.

GrapheneOS is a privacy project above everything else. Our work on security is to protect privacy, so it's not a separate thing.

barding

Nice, thanks! So basically, a google service has access to my notifications, but let's say every notification is just "(app name): new message" (as opposed to containing the content of the message or the sender), then it doesn't necessarily know more than I am comfortable with it knowing. I mean, I might try setting up an alternative notification system, but it isn't immediately imperative for me. I also have a plan to use obtainium for some apps that work well with it (just as much out of curiosity as out of privacy concerns), but for some apps I really don't have the choice anyway.

I was actually drawn to Graphene exactly because of this kind of "we impose the minimum, not the maximum" attitude. It's the same reason I use Arch (btw): There's no manifesto to absolutely reject every closed source software, but it leaves it up to me. I just found that the descriptions of the sandbox in the faq didn't quite get me to an answer to "how re-googled will it be able to make me if let's say I add another permission because some apps requires it for a bit?"