F-droid and Google play

grapheneosbeginner

I read an article that said that a sandboxed google play is better than f-droid, but there was too much jargon for me to understand.

Could you please explain it simply so that even a child can understand it?

Toasty

grapheneosbeginner Basically, everything on f-droid is opensource - meaning that you can read all the code for any application on it.
They are two separate different things.
Google play on the other hand, you cannot read the code and therefore you don't actually know if the applications do something hidden without you knowing.
sandboxed Google Play on the other hand is basically a GrapheneOS tech/software that basically attempts to isolate google play - not the software you installed from it - from the rest of the system.
On normal Android Google Play - and related software like Google Play Services - have extreme high permission (they can view all your photos, your contacts etc.) and sandboxed GP is the solution GrapheneOS presents aiming to isolate and thus not allowing GP to see those things while being still working

These are my understandings correct me if im wrong

User2288

grapheneosbeginner ould you please explain it simply so that even a child can understand it?

I strongly recommend you have a look at these 2 threads:
https://discuss.grapheneos.org/d/2962-app-repositories-google-vs-aurora-vs-apk-vs-fdroid
https://discuss.grapheneos.org/d/2299-install-apps-from-gplay-rep-fdoid-rep-or-githubwebsite

Pociwo

grapheneosbeginner I would suggest you to avoid F-Droid. You have other better options:

Play Store
Aurora Store
Obtaining apps directly from developer from github/gitlab or their site

abcZ

With gplay, you have to trust the application developer to not include nasty scary surprises. With F-Droid everything is open source, and built and signed by F-Droid, including a source archive that is an exact match for what was built, this means that you have the ability to audit the exact built application's source code.

BluishHumility

F-Droid is always my first choice, and if an app I want is not available in F-Droid I will get it from Aurora. I do not use the Google Play store for anything.

It should be noted that F-Droid has some security shortcomings; depending on your threat model this may be a relevant detail. https://privsec.dev/posts/android/f-droid-security-issues/

Pociwo

Toasty It's irrelevant if app is on F-Froid or Play Store if it's FOSS. Play Store is more secure tho. F-Droid only seems to care about apps being FOSS but they don't seem to care about security.

MetropleX

Toasty sandboxed Google Play on the other hand is basically a GrapheneOS tech/software that basically attempts to isolate google play - not the software you installed from it - from the rest of the system.

Just to clarify that the compatibility layer for sandboxed Play Services DOES isolate Play Services as regular user apps within the standard app sandbox.

abcZ

Pociwo It's irrelevant if app is on F-Froid or Play Store if it's FOSS. Play Store is more secure tho. F-Droid only seems to care about apps being FOSS but they don't seem to care about security.

That's actually untrue.
F-Droid provides an exact source code archive for the compiled binaries, so you know exactly what is in them. From google store on the other hand, it may be fundamentally an open source program, and they may even link to a source code repository, but you don't have any way of knowing exactly what was used to build it, you can't tell what revision was built, and you can't tell if they slipped in some dangerous extras.

Google does NOT audit the security of applications it hosts, could be absolutely anything going on. You have no way to know.

abcZ

Pociwo I would suggest you to avoid F-Droid. You have other better options:
Play Store
Aurora Store
Obtaining apps directly from developer from github/gitlab or their site

Those are dangerous options. Even with gitlab/github "releases", the author can still stick in something secret. F-Droid is the only option where you can find the exact code that it was built from.

unwat

I'm not sure if @grapheneosbeginner 's question was about the difference between open and closed source apps, but rather about the two "stores". I'm also wondering if OP's question is about the link @BluishHumility posted.

@grapheneosbeginner maybe this video (https://www.youtube.com/watch?v=lAbgeJau3eE) will clarify things. It's about the article that was linked earlier. This YouTuber's videos are frequently shared here on the forum and on the GrapheneOS's Matrix. You can check out some of their other videos if you're curious.

Toasty

Personally I'd disagree with Pociwo.