Hello everyone! I know questions like this come up a lot but from my searching I have not been able to get a clear picture. I am setting up my new install and am curious if you fine folks could answer some questions and confirm or correct my current understanding of app repositories and the nuances associated with them. For reference I am trying to determine how to set up my main user profile and my threat model is simply not wanting big tech or data miners to track and collect info about me as much as possible. I plan on having a banking profile and a ride share profile that DO have the three sandboxed google apps, but my main profile will have basic things like signal, proton apps, authenticator, vpn, navigation (magic earth), and weather to name a few. So here is my understanding and questions for each of the named options:

TLDR: Trying to figure out which app repositories to use for my main user account and gather information on the possibilities.

Google Play Store

  • Standard way to install/update apps and the most secure of the available app stores (even though there are plenty of apps with malicious aspects and sometimes just straight malware on there)
  • Requires a google account
  • Requires Google Services Framework and Google Play Services apps to be downloaded
  • Google will be able to log/associate the apps downloaded with the account used but not necessarily see what the apps do
  • Apps downloaded via google may be able to communicate and share data with each other if the developers added mutual consent access (which could potentially mean app A with no permissions can communicate with app B with network permissions, which can send app A's mined data out of the device if in the same profile).

Questions:

  1. I believe Google Play Store needs network permissions for all this to work properly but is that the only permission needed for the three google play apps?
  2. What permissions other than battery optimization do those google apps need to enable updates and push notifications for things like proton mail? Do these permissions allow google to get identifying information about the device like phone number, IMEI, or track the device based on cellular tower proximity?
  3. If the play store (or any of the other google apps) have network access does that mean other apps with consent coded in could send data out via the play store app?

Aurora Store

  • Anonymous Google Play Store front end
  • Requires a user account to use, but fetches apps and updates using their own google accounts to obfuscate users
  • May have security risks due to multiple individuals fetching apps using the same google account
  • The google apps listed above will possibly need to be installed for apps from Aurora to work properly
  • Slower updates vs Google Play Store

Questions:

  1. What are the actual security risks associated with using Aurora, from either their many users to few google accounts approach or any other issues they may have?
  2. Does Google Play Store need network permission for Aurora fetched apps to work?
  3. Is the only benefit that Aurora provides over Google Play Store the ability to not use a google account?

FDroid

  • Open source app store
  • Has serious security risks. I haven't read too far into the report on this, but I think it revolves around not being able to authenticate the signing keys as FDroid signs all apps. So there is a real potential to download an adulterated app with malicious components
  • Good place for finding open source apps, but maybe not the best "app store" from a security perspective

Question: Is my understanding of the security issue correct and are there other issues?

Apks

  • Can be downloaded directly from the app source
  • May not update automatically and require an RSS feed to stay notified of updates
  • Some apps (like Proton Mail) won't get push notifications
  • Can theoretically be used free of any Google dependencies

Questions:

  1. How prevalent is the lack of push notifications for apps that offer an apk?
  2. How difficult is it to set up an RSS feed? (Is this similar to a shell script or something?)
  3. With an RSS feed, do apps update automatically or is that simply a notification system for when an update or change has been made?

General Questions

  1. Is there any benefit in mixing these options on the same profile from a privacy and security perspective?
  2. Am I missing any other good app repositories and what are their pros/cons?

If you managed to read this far, you are awesome!

    HypnoSloth I believe Google Play Store needs network permissions for all this to work properly but is that the only permission needed for the three google play apps?

    For most apps, the Google apps only need the network permission, yes. Some apps will require giving Play Services the phone permission, and if you want to pair a smartwatch you might need to give Play Services the nearby devices permission, for example, but the majority of apps work fine with Play Services just having access to the network.

    HypnoSloth What permissions other than battery optimization do those google apps need to enable updates and push notifications for things like proton mail? Do these permissions allow google to get identifying information about the device like phone number, IMEI, or track the device based on cellular tower proximity?

    Play Services needs unrestricted battery usage, and of course the network permission as stated above. No apps get access to the IMEI etc. I recommend reading this section of the docs:

    https://grapheneos.org/faq#hardware-identifiers
    https://grapheneos.org/faq#non-hardware-identifiers

    HypnoSloth What are the actual security risks associated with using Aurora, from either their many users to few google accounts approach or any other issues they may have?

    From https://privsec.dev/posts/android/f-droid-security-issues/#conclusion-what-should-you-do

    If you don’t have Play services installed, you can use a third-party Play Store client called Aurora Store. Aurora Store has some issues of its own, and some of them overlap in fact with F-Droid. Aurora Store somehow still requires the legacy storage permission, has yet to implement certificate pinning, has been known to sometimes retrieve wrong versions of apps, and distributed account tokens over cleartext HTTP until fairly recently; not that it matters much since tokens were designed to be shared between users, which is already concerning. I’d recommend against using the shared “anonymous” accounts feature: you should make your own throwaway account with minimal information.

    HypnoSloth Does Google Play Store need network permission for Aurora fetched apps to work?

    If you use Sandboxed Google Play, the proper setup for it is to have the 3 apps with network permission and unrestricted battery for play services. Play Services and Play Store play off each other, and denying network to either will screw things up.

    HypnoSloth Is the only benefit that Aurora provides over Google Play Store the ability to not use a google account?

    Pretty much, yeah. Aurora Store can be a good choice if you're not using Sandboxed Google Play in general or a specific profile, but not something I'd recommend as the first choice or in all circumstances.

    HypnoSloth Question: Is my understanding of the security issue correct and are there other issues?

    https://privsec.dev/posts/android/f-droid-security-issues/ is a good starting point on the issues with F-Droid, but this article doesn't include everything. There are security and UX issues with F-Droid. I can't recommend F-Droid at this point, but if you insist on using it, at least use a relatively modern F-Droid client to interact with the F-Droid repo like Neo Store or Droid-ify.

    How prevalent is the lack of push notifications for apps that offer an apk?

    That depends entirely on the app. If an app provides a non-play version of getting notifications, that'll most likely be available in the GitHub APK, or the version with FCM might be available there. It highly depends so it's not a question that one can easily address.

    HypnoSloth How difficult is it to set up an RSS feed? (Is this similar to a shell script or something?)

    It's pretty simple. Process is explained here: https://www.youtube.com/watch?v=FFz57zNR_M0

    HypnoSloth With an RSS feed, do apps update automatically or is that simply a notification system for when an update or change has been made?

    The apps don't update automatically. You're just notified and can then go to the website to get the newest version.

    There's also Obtainium which makes the process a little bit smoother from what I hear, but it also doesn't do automatic/unattended updates either.

    HypnoSloth Is there any benefit in mixing these options on the same profile from a privacy and security perspective?

    In my opinion, if you're using play store on a profile for some apps, use it for all.

    HypnoSloth Am I missing any other good app repositories and what are their pros/cons?

    Accrescent is very promising. You can think of it like a much better Play Store. The con of it is that it is still very new, so it's in alpha, and doesn't currently have many apps in it, as devs have to be whitelisted to submit their app at this point to make sure the kinks are ironed out before it goes fully public. Definitely something to keep an eye out for you, I definitely am.

    I hope this helps!
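As an added illustration of the "RSS feed" approach discussed in the answer above (this is not code from the thread or from any project named in it): a small Python script that reads a GitHub-style release Atom feed, picks the newest stable tag by numeric comparison, and reports whether it is newer than the installed version. The feed below is a constructed sample, and the script only notifies; it never downloads or installs anything, which is exactly the limitation the answer describes.

```python
"""Check a release Atom feed for a newer APK version (notify only)."""
import re
import xml.etree.ElementTree as ET

ATOM_NS = {"a": "http://www.w3.org/2005/Atom"}

# Constructed sample feed shaped like a GitHub /releases.atom document.
# The project and URLs are placeholders, not a real app's feed.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Release notes from example-app</title>
  <entry><title>v2.10.1</title><updated>2023-02-01T10:00:00Z</updated>
    <link rel="alternate" href="https://example.invalid/releases/tag/v2.10.1"/></entry>
  <entry><title>v2.9.0</title><updated>2023-01-01T10:00:00Z</updated>
    <link rel="alternate" href="https://example.invalid/releases/tag/v2.9.0"/></entry>
  <entry><title>v2.10.0-beta1</title><updated>2022-12-20T10:00:00Z</updated>
    <link rel="alternate" href="https://example.invalid/releases/tag/v2.10.0-beta1"/></entry>
</feed>"""


def parse_version(tag):
    """Turn 'v2.10.1' into (2, 10, 1). Returns None for pre-release or
    otherwise non-numeric tags, so they are never offered as an update."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", tag.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def latest_release(feed_xml):
    """Return (version_tuple, tag, url) for the newest stable entry.
    Entries are compared numerically rather than trusting feed order, so a
    re-published old release cannot be mistaken for the newest one."""
    root = ET.fromstring(feed_xml)
    best = None
    for entry in root.findall("a:entry", ATOM_NS):
        tag = entry.findtext("a:title", default="", namespaces=ATOM_NS)
        ver = parse_version(tag)
        if ver is None:
            continue
        link = entry.find("a:link[@rel='alternate']", ATOM_NS)
        url = link.get("href") if link is not None else ""
        if best is None or ver > best[0]:
            best = (ver, tag.strip(), url)
    return best


def check_for_update(installed, feed_xml):
    """Compare the installed version string against the feed and describe
    the result; the caller decides whether to visit the release page."""
    inst = parse_version(installed)
    if inst is None:
        raise ValueError(f"installed version {installed!r} is not a plain x.y.z string")
    newest = latest_release(feed_xml)
    if newest is None:
        return {"update_available": False, "installed": installed, "latest": None, "url": None}
    ver, tag, url = newest
    return {"update_available": ver > inst, "installed": installed, "latest": tag, "url": url}


if __name__ == "__main__":
    # Pretend 2.9.0 is installed; the feed's newest stable tag is v2.10.1.
    print(check_for_update("2.9.0", SAMPLE_FEED))
```

To run it against a real feed, fetch the Atom document over HTTPS and pass its text in place of SAMPLE_FEED; verifying the downloaded APK's signature before installing is still a separate, manual step.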

      Graphite I don't like the fdroid app, I use the droid-ify app. It's the same repository and IMO it's better than the fdroid app and also the Neo Store app. So I do have droidify installed always because there are still apps that are best gotten from fdroid (ex: OsmAnd+) and droidify makes updates easy for those apps. It also helps with searching fdroid for fdroid apps when necessary.

      If you want a complete "store" experience on your degoogled phone you should have all three of Aurora, Droidify, and Obtainium.

      • Aurora for apps you want to or "have to" get from playstore (ex: brave).
      • Droidify for apps you have to get from fdroid,
      • Obtainium for direct download apps (so you can easily update them).

      Also in my opinion, if you are getting apps from aurora store, get them using their anonymous system (don't login with your own account), unless absolutely necessary for the particular app to have a unique google account.

        HypnoSloth May have security risks due to multiple individuals fetching apps using the same google account

        Honestly, I think not really, unless for specific apps. If there is a security risk I'd like to hear it, beyond some general theoretical extremely niche scenarios.

        The security risk of Fdroid also IMO is a bit overblown. It's just not true for all apps. It's a very niche threat in practical terms for the average person, in my opinion.

        • [deleted]

        One of the main maintainers of F-Droid states that target sdk is only relevant to proprietary apps, which are untrustworthy.

        https://twitter.com/PrivSec_Dev/status/1609199867179442179

        It's enough to run away. It's impossible to trust a set of good security practices when you start from there.

          User2288 Can you get away with using only aurora without any or all of the sandboxed google play apps? I assume push notifications won't work and some apps may not function properly but is it a hard dependency for all apps from Aurora (which would be play store)? Currently have a couple privacy respecting apps installed from play store via a fake account but a concern I have for other apps I have to have installed from play store (slack) is that they may have mutual consent with the Google Play Services and Google Play Store app which require network permissions (GSF seems to run fine with no permissions so not a big concern there). I'd love to be completely as google free or google anonymous as I can.

            • [deleted]

            User2288 The Aurora Store does not pin the certificates which is a big problem. With aurora in anonymous mode you share your connection token with others... It's very anonymous! Fdroid has its own application signature keys stored on a debian server not even updated. All these systems have big security holes documented and known but if you have an opinion it's cool... On the other hand go share them elsewhere with other uneducated people like you. Thanks

              • [deleted]

              HypnoSloth You will never be anonymous with a sim card, and yet... Even without you would not be anonymous

                [deleted] I am fully aware, but google is not my carrier and Grapheneos prevents apps from seeing the hardware identifiers. I am also aware my carrier can sell my data attached/associated with my sim that they have access to, which can be bought and aggregated with data from other sources to fingerprint me. I am merely trying to limit that data exposure where possible and make it harder for data collection operations to connect all the dots.

                [deleted] It's enough to run away. It's impossible to trust a set of good security practices when you start from there.

                Do you have an explanation or citation for this very strong statement? I'd like to understand the "why", as an increasing number of new GrapheneOS users are also trying to understand this.

                All I see in the twatter you linked to is complaining in response to a simple question. What am I missing?

                  • [deleted]

                  ve3jlg
                  Google imposes an SDK level on the playstore, because each new version requires improvements, on security, on privacy, for apps.
                  Using apps that aim for a low SDK level means that they don't benefit from the latest security improvements.

                  Imposing a lower SDK level than google's, can be understood. But, explaining that an app, doesn't need to meet security (and privacy) standards under the pretext that it's open source and that a human will read the code (partially, because no one fully audits the code and all the dependencies of an open source application, except to be paid to do a full audit) is totally ridiculous.
                  Open source applications have flaws, and they are more important on f-droid because updates are very often deployed late compared to github.

                  App's security shouldn't be based on ideology. All applications on a phone should be in a proper sandbox, have limited access to files, to the system, etc, etc, etc because there can always be a flaw.
                  The f-droid logic relies entirely on the skills and goodwill of the developer and the person who will review his code. This is not enough.

                  The F-droid application itself has a sdktarget of 25: This is for android 7, while we are on android 13, with the SDK 33 and google will soon impose the SDK 31 on its store.
                  Since android 7, there have been improvements that are beneficial to everyone, and to all applications.

                  And this is only one of the many bad points of f-droid

                    HypnoSloth Can you get away with using only aurora without any or all of the sandboxed google play apps?

                    Depends on the apps. Some apps absolutely require the presence of google components. More explanation below.

                    HypnoSloth I assume push notifications wont work and some apps may not function properly but is it a hard dependency for all apps?

                    No, not at all. Each app is different, it's really a case by case here. A lot of apps don't need notifications at all and can even be blocked from the internet completely, even if they are from play store. You can even install apps that have ads and trackers, like a chess game, and block it from the internet permanently (assuming it still works, many do). You can even update the app without it ever regaining access to the internet. Apps that need push notifications are generally mostly chat/communication apps (signal, whatsapp, facebook, etc), and some "internet service" like email. But even then I don't always "need" the notification and the app still works. For example I don't need to know that I have an email "right now". I can just check it manually when I want to. So it really depends on the app.

                    However some apps simply refuse to open without the presence of GSF or play services. Like perhaps facebook, or doordash, or maybe slack. In these cases if you want the app, you will have to install play services and in some cases both the app and play components can be internet blocked and in other cases one or both have to have internet access. So with uber for example you might have to give internet access to both. But profiles could help a bit here to reduce data exposure.

                    An app like Slack is very likely a privacy invasive app; not to the extent of facebook, but still. And likely you need to be internet connected and "need" notifications for sure as my guess is that you likely need it for communication with colleagues and need to respond with immediacy. In such a case, depending on how much you use it, installing on a second profile might be a bit of a hassle (if you use it constantly), but might also be ok and might solve your issue. Worst case is you install all on the same profile.

                    The main problem here is that if Slack has your "Identity" then that Identity will be connected to the installed instance of google services of the current profile. This instance has access to your IP address and slack, but beyond that it doesn't know much else about your phone, unless you have installed other "google co-operating" apps in the same profile, in which case they'll share data (I think).

                    The best way to deal with this is to write a list of all the "privacy problematic" apps that you "have to have" and build your strategy around that. You may be able to get away with creating one or two extra profiles and that might solve your problem. And then you can try to utilize foss apps for your other needs.

                    Lastly the question "Can you get away with using only aurora apps", I think this might have been a question. Answer is yes but again depends on the app. For example a particular banking app might not work if it's not strictly locked to an exclusive google account (detects account sharing and refuses to work).
                    Also some great apps are not available in play store at all (NewPipe, Bromite, adblockers), so you'd still benefit from diversifying your sources. My previous post explained that.

                    [deleted] The Aurora Store does not pin the certificates which is a big problem.

                    I actually didn't know that. But here is the thing, how is it a "big problem"? I'd really like to hear how exactly this is a "big problem". And I bet if and once you do give the correct explanation, it will demonstrate a very narrow attack surface and an "extremely niche scenario", which exactly makes my point.

                    [deleted] With aurora in anonymous mode you share your connection token with others... It's very anonymous!

                    So?
                    What is the MASSIVE threat that I am facing? Do please enlighten me, I'm all ears.

                    [deleted] Fdroid has its own application signature keys stored on debian server not even updated.

                    Yeah, and it's air gapped. Even if the key was compromised (which can only be done by physical attack or their own staff), can you explain to me how it's gonna affect my internet blocked AND sandboxed app that I don't even update cause there is no need? And how that's gonna poke a hole in my "security" to the extent that would "outrageously" compromise me?
                    Please, ...I'm all ears. And I hope your answer doesn't demonstrate the "extremely niche scenarios" that I was referring to.

                    [deleted] All these systems have big security holes documented and known

                    Great. Tell me one.

                    Please go ahead, I'm all ears, I'd LOVE to be educated on this. Educate me.

                    [deleted] ut if you have an opinion it's cool... On the other hand go share them elsewhere with other uneducated people like you.

                    Look in the mirror.

                    BTW, please do tell us your education. I'm now interested to know.

                      [deleted]

                      Here is the thing Mello, none of that matters from a user perspective such as me (and many others). It's entirely dependent on which apps you are installing. I for example have only 5 apps from Fdroid. All of them have higher SDK conformity than google play store requirements itself. Three of those apps are network blocked (they don't even use it in fact) and don't even need to be updated (no key pinning threat). (VLC, metro, ImagePipe).

                      Everything you said may be absolutely true, and it is true, but the point is, it does not equate to a security or privacy problem for "me".

                      My issue with these blanket "fdroid - BAD" statements is that they are just not "categorically" true. They are "situationally" true. So the categorical alarmist attitude is I think incorrect. That's all.

                      6 months later
                      • [deleted]


                      User2288 If you want a complete "store" experience on your degoogled phone

                      BTW They never said they want a "degoogled" phone.

                      User2288 (don't login with your own account), unless absolutely necessary for the particular app to have a unique google account.

                      No app will somehow access the Google account token/cookie from Aurora store. Android doesn't allow apps to read each other's internal private data (data/user/0/<package_name>) without mutual consent.