APK Sources and Compartmentalisation

QemuQat

(I believe the general tag applies rather than off-topic as it pertains to my GrapheneOS setup, although adjacent subjects are also mentioned)

There is a particular proprietary apk I need (the Starlink app for initial activation, as to evade terrestrial ISPs and use in remote locations) and it has kind of brought me to a brickwall with my intended system, and I'm facing a bit of decision paralysis as to how I should proceed.

I want to keep my main phone secure from corporate threat models and passive surveillance, so I figured there was two options, which is either I sideload the Starlink apk from a mirror, or I buy a second hand secondary Pixel phone and flash GrapheneOS on it and use Google and a prepaid eSIM there (for Google account setup and maybe some OTPs) - both of these raise further questions.

In the first case, while I'm aware sites like apk mirror exist and I can verify with high confidence the integriy of the apk via AppVerifier, I wanted to be more confident about this and prod for anything I have not accounted for - if anyone could attest to the reputability or suggest alternatives to apk mirror, that would be appreciated, and of course it will be in its own user profile after disabling it in the main user. In the second case, I'd ideally want to verify the integrity of the device before purchasing it (probably a Pixel 7 or Pixel 8) and would like to know the extent the auditor app attests firmware generally after reflashing the hypothetical secondary device.

The first option seems cheaper and would mean no cell links neccessary, no IMEIs leaked, however the second option would account for updates, include Google's security infrastructure and cover most potential changes to how Starlink makes their apk available, while still being isolated.

Which seems most secure, and is there anything I'm missing?

NoahRaketic

QemuQat You should install the Starlink app via the official Play Store. That will be your most secure way to install it. This guarantees the app has not been tampered and lets you have automatic updates.

All APKs hosted online--including on official websites for apps as well as on GitHub--are inherently untrustworthy. You absolutely must verify the app via Appverifier and obtain its certificate hash from a trustworthy source. In your case, you will want to get the hash by installing from the Play Store and recording the app's hash, and then make sure whatever APK you've downloaded matches.

If you are certain that the Appverifier certificate hash is correct, then it is guaranteed that the app is not tampered with (but it could still be genuine but outdated; check version number). I must reiterate, though, the official Play Store is where you should be installing this, nowhere else.

QemuQat I want to keep my main phone secure from corporate threat models and passive surveillance

You will still be secure from surveillance threats, and it's perfectly fine to keep this app in your main profile.

QemuQat Which seems most secure, and is there anything I'm missing?

There is no inherent security advantage to moving the app to a second device, or even a secondary profile. You'll just be wasting money and creating e-waste for very little privacy benefit (if any).

It would be helpful to be clearer about what kinds of threats you're concerned about. "Passive surveillance" is very broad.

QemuQat

NoahRaketic I already understand that getting the hash of an app is security best practice in all cases already. The issue I am having though with the Play Store is that in order to get a google account, I need a phone number that I have to send a message through now, and in order to use that phone number I'd either have to use a VoIP service that is likely blocked anyway, or I'd need to use a real phone number - how do I prevent IMEI exposure?

Edit: to clarify, I'd like at least one device to be effectively away from the vast majority of bulk data collection and profiling in my jurisdiction. Sorry that I did not specify - that is what I mean by passive surveillance. I can use metadata obfuscation and regard the US metadata collection as a lesser evil, in the case of Starlink, with minimal impact on my digital life. A phone with a number would be exposed to this.