Graphite I don't like the fdroid app, I use the droid-ify app. It's the same repository and IMO it's better than the fdroid app and also the Neo Store app. So I do have droidify installed always because there are still apps that are best gotten from fdroid (ex: OsmAnd+) and droidify makes updates easy for those apps. It also helps with searching fdroid for fdroid apps when necessary.

If you want a complete "store" experience on your degoogled phone you should have all three of Aurora, Droidify, and Obtainium.

  • Aurora for apps you want to or "have to" get from playstore (ex: brave).
  • Droidify for apps you have to get from fdroid.
  • Obtainium for direct download apps (so you can easily update them).

Also in my opinion, if you are getting apps from aurora store, get them using their anonymous system (don't login with your own account), unless absolutely necessary for the particular app to have a unique google account.

    HypnoSloth May have security risks due to multiple individuals fetching apps using the same google account

    Honestly, I think not really, unless for specific apps. If there is a security risk I'd like to hear it, beyond some general theoretical extremely niche scenarios.

    The security risk of Fdroid also IMO is a bit overblown. It's just not true for all apps. It's a very niche threat in practical terms for the average person, in my opinion.

    • [deleted]

    One of the main maintainers of F-Droid states that target sdk is only relevant to proprietary apps, which are untrustworthy.

    https://twitter.com/PrivSec_Dev/status/1609199867179442179

    It's enough to run away. It's impossible to trust a set of good security practices when you start from there.

      User2288 Can you get away with using only aurora without any or all of the sandboxed google play apps? I assume push notifications won't work and some apps may not function properly but is it a hard dependency for all apps from Aurora (which would be play store)? Currently have a couple privacy respecting apps installed from play store via a fake account but a concern I have for other apps I have to have installed from play store (slack) is that they may have mutual consent with the Google Play Services and Google Play Store app which require network permissions (GSF seems to run fine with no permissions so not a big concern there). I'd love to be completely as google free or google anonymous as I can.

        • [deleted]

        User2288 The Aurora Store does not pin the certificates which is a big problem. With aurora in anonymous mode you share your connection token with others... It's very anonymous! Fdroid has its own application signature keys stored on a debian server not even updated. All these systems have big security holes documented and known but if you have an opinion it's cool... On the other hand go share them elsewhere with other uneducated people like you. Thanks

          • [deleted]

          HypnoSloth You will never be anonymous with a sim card, and yet... Even without you would not be anonymous

            [deleted] I am fully aware, but google is not my carrier and Grapheneos prevents apps from seeing the hardware identifiers. I am also aware my carrier can sell my data attached/associated with my sim that they have access to, which can be bought and aggregated with data from other sources to fingerprint me. I am merely trying to limit that data exposure where possible and make it harder for data collection operations to connect all the dots.

            [deleted] It's enough to run away. It's impossible to trust a set of good security practices when you start from there.

            Do you have an explanation or citation for this very strong statement? I'd like to understand the "why", as an increasing number of new GrapheneOS users are also trying to understand this.

            All I see in the twatter you linked to is complaining in response to a simple question. What am I missing?

              • [deleted]

              ve3jlg
              Google imposes an SDK level on the playstore, because each new version requires improvements in security and privacy for apps.
              Using apps that aim for a low SDK level means that they don't benefit from the latest security improvements.

              Imposing a lower SDK level than google's can be understood. But explaining that an app doesn't need to meet security (and privacy) standards under the pretext that it's open source and that a human will read the code (partially, because no one fully audits the code and all the dependencies of an open source application, except when paid to do a full audit) is totally ridiculous.
              Open source applications have flaws, and they are more important on f-droid because updates are very often deployed late compared to github.

              App's security shouldn't be based on ideology. All applications on a phone should be in a proper sandbox, have limited access to files, to the system, etc, etc, etc because there can always be a flaw.
              The f-droid logic relies entirely on the skills and goodwill of the developer and the person who will review his code. This is not enough.

              The F-droid application itself has a targetSdk of 25: this is for android 7, while we are on android 13 with SDK 33, and google will soon impose SDK 31 on its store.
              Since android 7, there have been improvements that are beneficial to everyone, and to all applications.

              And this is only one of the many bad points of f-droid.

                HypnoSloth Can you get away with using only aurora without any or all of the sandboxed google play apps?

                Depends on the apps. Some apps absolutely require the presence of google components. More explanation below.

                HypnoSloth I assume push notifications won't work and some apps may not function properly but is it a hard dependency for all apps?

                No, not at all. Each app is different, it's really case by case here. A lot of apps don't need notifications at all and can even be blocked from the internet completely, even if they are from play store. You can even install apps that have ads and trackers, like a chess game, and block it from the internet permanently (assuming it still works, many do). You can even update the app without it ever regaining access to the internet. Apps that need push notifications are generally mostly chat/communication apps (signal, whatsapp, facebook, etc), and some "internet service" like email. But even then I don't always "need" the notification and the app still works. For example I don't need to know that I have an email "right now". I can just check it manually when I want to. So it really depends on the app.

                However some apps simply refuse to open without the presence of GSF or play services. Like perhaps facebook, or doordash, or maybe slack. In these cases if you want the app, you will have to install play services and in some cases both the app and play components can be internet blocked and in other cases one or both have to have internet access. So with uber for example you might have to give internet access to both. But profiles could help a bit here to reduce data exposure.

                An app like Slack is very likely a privacy invasive app; not to the extent of facebook, but still. And likely you need to be internet connected and "need" notifications for sure as my guess is that you likely need it for communication with colleagues and need to respond with immediacy. In such a case, depending on how much you use it, installing on a second profile might be a bit of a hassle (if you use it constantly), but might also be ok and might solve your issue. Worst case is you install all on the same profile.

                The main problem here is that if Slack has your "Identity" then that Identity will be connected to the installed instance of google services of the current profile. This instance has access to your IP address and slack, but beyond that it doesn't know much else about your phone, unless you have installed other "google co-operating" apps in the same profile, in which case they'll share data (I think).

                The best way to deal with this is to write a list of all the "privacy problematic" apps that you "have to have" and build your strategy around that. You may be able to get away with creating one or two extra profiles and that might solve your problem. And then you can try to utilize foss apps for your other needs.

                Lastly the question "Can you get away with using only aurora apps", I think this might have been a question. Answer is yes but again depends on the app. For example a particular banking app might not work if it's not strictly locked to an exclusive google account (detects account sharing and refuses to work).
                Also some great apps are not available in play store at all (NewPipe, Bromite, adblockers), so you'd still benefit from diversifying your sources. My previous post explained that.

                [deleted] The Aurora Store does not pin the certificates which is a big problem.

                I actually didn't know that. But here is the thing, how is it a "big problem"? I'd really like to hear how exactly this is a "big problem". And I bet if and once you do give the correct explanation, it will demonstrate a very narrow attack surface and an "extremely niche scenario" which exactly makes my point.

                [deleted] With aurora in anonymous mode you share your connection token with others... It's very anonymous!

                So?
                What is the MASSIVE threat that I am facing? Do please enlighten me, I'm all ears.

                [deleted] Fdroid has its own application signature keys stored on debian server not even updated.

                Yeah, and it's air-gapped. Even if the key was compromised (which only can be done by physical attack or their own staff), can you explain to me how it's gonna affect my internet blocked AND sandboxed app that I don't even update cause there is no need? And how that's gonna poke a hole in my "security" to the extent that would "outrageously" compromise me?
                Please... I'm all ears. And I hope your answer doesn't demonstrate the "extremely niche scenarios" that I was referring to.

                [deleted] All these systems have big security holes documented and known

                Great. Tell me one.

                Please go ahead, I'm all ears, I'd LOVE to be educated on this. Educate me.

                [deleted] But if you have an opinion it's cool... On the other hand go share them elsewhere with other uneducated people like you.

                Look in the mirror.

                BTW, please do tell us your education. I'm now interested to know.

                  [deleted]

                  Here is the thing Mello, none of that matters from a user perspective such as me (and many others). It's entirely dependent on which apps you are installing. I for example have only 5 apps from Fdroid. All of them have higher SDK conformity than google play store requirements itself. Three of those apps are network blocked (they don't even use it in fact) and don't even need to be updated (no key pinning threat). (VLC, metro, ImagePipe).

                  Everything you said may be absolutely true, and it is true, but the point is, it does not equate to a security or privacy problem for "me".

                  My issue with these blanket "fdroid - BAD" statements is that they are just not "categorically" true. They are "situationally" true. So the categorical alarmist attitude is I think incorrect. That's all.

                  • [deleted]


                  User2288 If you want a complete "store" experience on your degoogled phone

                  BTW They never said they want a "degoogled" phone.

                  User2288 (don't login with your own account), unless absolutely necessary for the particular app to have a unique google account.

                  No app will somehow access the Google account token/cookie from Aurora store. Android doesn't allow apps to read each other's internal private data (data/user/0/<package_name>) without mutual consent.

                    • [deleted]


                    User2288 What is the MASSIVE threat that I am facing?

                    Random persons can know what apps you have installed, your device model, etc. It's not MASSIVE though, but you don't want strangers knowing which apps you install on your phone.

                    User2288 how exactly this is a "big problem"

                    Certificate pinning is a feature that reduces the risk of a man-in-the-middle attack, compromise of certificate authorities, or mis-issuance of a certificate. Not implementing certificate pinning in Aurora store actually makes sense, since we can't expect Aurora store developers to decompile every new Google Play store version and check its NetworkSecurityConfig to see whether Google has added or removed a certificate.
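For readers unfamiliar with the mechanism the reply refers to, here is an added illustration (not Aurora Store's or Google's actual configuration) of an Android network security config: the unpinned baseline, which trusts every system CA for every host, next to a pinned domain-config. The Play hostnames and the two pin values are assumptions/placeholders, not real pins.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from AndroidManifest.xml via
     android:networkSecurityConfig="@xml/network_security_config".
     Added illustration only; not the config of any real app. -->
<network-security-config>
    <!-- Unpinned baseline (what "does not pin the certificates" means):
         any certificate chaining to any system CA is accepted, so a
         mis-issued certificate for the Play hosts would pass. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Pinned variant for the Play endpoints (hostnames assumed for
         illustration). A chain is accepted only if the SHA-256 hash of
         one of its certificates' SubjectPublicKeyInfo matches a listed pin.
         Both pins are PLACEHOLDERS; real values are 44-char base64 digests.
         Keep a primary and a backup pin so a key rotation on the server
         side does not lock the client out. -->
    <domain-config>
        <domain includeSubdomains="true">play.googleapis.com</domain>
        <domain includeSubdomains="true">android.clients.google.com</domain>
        <!-- After this date pins stop being enforced and the system CAs
             apply again; this is the maintenance burden the reply above
             describes, since Google's certificate set can change at any time. -->
        <pin-set expiration="2025-12-31">
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_PIN_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_PIN_BASE64=</pin>
        </pin-set>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </domain-config>
</network-security-config>
```

With the pin-set in place, a certificate issued by a compromised or misbehaving CA for those hosts is rejected even though the system trust store would otherwise accept it; without it, the client relies entirely on the CA system.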

                    • [deleted]

                    [deleted] Small correction: Even with mutual consent an app can't access other apps' internal private data (data/user/0/<package_name>). However, the other app can itself share its internal private data with any app.

                    I just use Obtainium for everything these days. If a specific app is only available on Google Play I look for an alternative or use the PWA.

                    Might not work for everyone but works for me.

                    I used to use Aurora before the rate limiting issue, then I tried a Google burner account but it didn't sit right with me seeing the Google apps on my phone so I started afresh and went back to basics.
