Hello everyone! I know questions like this come up a lot but from my searching I have not been able to get a clear picture. I am setting up my new install and am curious if you fine folks could answer some questions and confirm or correct my current understanding of app repositories and the nuances associated with them. For reference I am trying to determine how to set up my main user profile and my threat model is simply not wanting big tech or data miners to track and collect info about me as much as possible. I plan on having a banking profile and a ride share profile that DO have the three sandboxed Google apps, but my main profile will have basic things like Signal, Proton apps, authenticator, VPN, navigation (Magic Earth), and weather to name a few. So here is my understanding and questions for each of the named options:
TLDR: Trying to figure out which app repositories to use for my main user account and gather information on the possibilities.
Google Play Store
- Standard way to install/update apps and the most secure of the available app stores (even though there are plenty of apps with malicious aspects and sometimes just straight malware on there)
- Requires a Google account
- Requires Google Services Framework and Google Play Services apps to be downloaded
- Google will be able to log/associate the apps downloaded with the account used but not necessarily see what the apps do
- Apps downloaded via google may be able to communicate and share data with each other if the developers added mutual consent access (which could potentially mean app A with no permissions can communicate with app B with network permissions, which can send app A's mined data out of the device if in the same profile).
Questions:
- I believe Google Play Store needs network permissions for all this to work properly but is that the only permission needed for the three Google Play apps?
- What permissions other than battery optimization do those Google apps need to enable updates and push notifications for things like Proton Mail? Do these permissions allow Google to get identifying information about the device like phone number, IMEI, or track the device based on cellular tower proximity?
- If the Play Store (or any of the other Google apps) has network access, does that mean other apps with consent coded in could send data out via the Play Store app?
Aurora Store
- Anonymous Google Play Store front end
- Requires a user account to use, but fetches apps and updates using their own Google accounts to obfuscate users
- May have security risks due to multiple individuals fetching apps using the same Google account
- The Google apps listed above will possibly need to be installed for apps from Aurora to work properly
- Slower updates vs Google Play Store
Questions:
- What are the actual security risks associated with using Aurora, from either their many-users-to-few-Google-accounts approach or any other issues they may have?
- Does Google Play Store need network permission for Aurora fetched apps to work?
- Is the only benefit that Aurora provides over Google Play Store the ability to not use a Google account?
F-Droid
- Open source app store
- Has serious security risks. I haven't read too far into the report on this, but I think it revolves around not being able to authenticate the signing keys as F-Droid signs all apps. So there is a real potential to download an adulterated app with malicious components
- Good place for finding open source apps, but maybe not the best "app store" from a security perspective
Question: Is my understanding of the security issue correct and are there other issues?
APKs
- Can be downloaded directly from the app source
- May not update automatically and require an RSS feed to stay notified of updates
- Some apps (like Proton Mail) won't get push notifications
- Can theoretically be used free of any Google dependencies
Questions:
- How prevalent is the lack of push notifications for apps that offer an APK?
- How difficult is it to set up an RSS feed? (Is this similar to a shell script or something?)
- With an RSS feed, do apps update automatically or is that simply a notification system for when an update or change has been made?
General Questions
- Is there any benefit in mixing these options on the same profile from a privacy and security perspective?
- Am I missing any other good app repositories and what are their pros/cons?
If you managed to read this far, you are awesome!
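As an added illustration of the "RSS feed for APK updates" idea raised in the post (this is example code, not something from the original post or from any of the stores named): a release feed only tells you that a new version exists, the download and install remain manual. The script below assumes a GitHub-style releases Atom feed (`https://github.com/<owner>/<repo>/releases.atom`) whose entry titles carry a version tag such as `v1.4.2`; the feed content here is a constructed sample.

```python
"""Check a releases Atom feed for a newer APK and verify a download's SHA-256.
Assumes GitHub-style entries titled with a version tag (e.g. "v1.4.2")."""
import hashlib
import re
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"

# Constructed sample feed; a real one is fetched from the app's release page.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Release notes from example-app</title>
  <entry><title>v1.4.2</title><updated>2024-03-02T10:00:00Z</updated>
    <link rel="alternate" href="https://example.invalid/releases/v1.4.2"/></entry>
  <entry><title>v1.4.10</title><updated>2024-04-01T10:00:00Z</updated>
    <link rel="alternate" href="https://example.invalid/releases/v1.4.10"/></entry>
  <entry><title>v1.3.9</title><updated>2024-01-05T10:00:00Z</updated>
    <link rel="alternate" href="https://example.invalid/releases/v1.3.9"/></entry>
</feed>"""

def parse_version(tag):
    """'v1.4.10' -> (1, 4, 10). Numeric tuples compare correctly; plain
    string comparison would wrongly rank 'v1.4.10' below 'v1.4.2'."""
    m = re.search(r"(\d+(?:\.\d+)*)", tag)
    if not m:
        raise ValueError(f"no version in {tag!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def newest_release(feed_xml):
    """Return (version_tuple, title, link) for the highest version listed."""
    root = ET.fromstring(feed_xml)
    best = None
    for entry in root.iter(ATOM + "entry"):
        title = entry.findtext(ATOM + "title", "")
        link = entry.find(ATOM + "link").get("href")
        ver = parse_version(title)
        if best is None or ver > best[0]:
            best = (ver, title, link)
    return best

def update_available(feed_xml, installed):
    """True when the feed lists a version higher than the installed one."""
    return newest_release(feed_xml)[0] > parse_version(installed)

def sha256_matches(apk_bytes, expected_hex):
    """Compare a downloaded APK's SHA-256 with the hash published for the release."""
    return hashlib.sha256(apk_bytes).hexdigest().lower() == expected_hex.lower()
```

A matching hash only shows the download is intact; whether the APK was signed by the developer's own key is a separate check (for example `apksigner verify --print-certs` against a fingerprint you recorded at first install), which this script does not perform.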