Explain it like I'm 5 (please): Making sense of getting apps in trustworthy ways

DeletedGravy

I have Graphene up and running as of today. I'm a dummy, here, and in sifting through past threads, I have just gotten more confused. This is really not my world, and I don't want this to become a time-suck hobby. I just like privacy and reducing internet bloat, and I wanted the phone to get as close as I can to that, so here I am. If anyone feels willing to indulge my newness to this, I'd greatly appreciate it.

If I missed threads that explain what I'm asking here, below, in plain language, my apologies, and please feel free to redirect me to them. I got bogged down in it all, and probably missed useful bits of non-techie noob-friendly insight.

Accrescent is clearly tacitly endorsed by Graphene, and it seems like a good idea for me to get the AppVerifier, and maybe Molly and Organic Maps from there -- the only familiar names, to me. Should be fine, right? They shouldn't talk to Google, should update via Accrescent, and should generally be trustworthy? (No, none of how to verify the trustworthiness of an app has yet made sense to me, and I see endless arguing about the drawbacks of F-droid, Obtainium, Aurora, going straight to Github, and Play Store, and which ones win at being the worst, so I'm at square one)
The rest there... I don't know how to trust it. Yes, that seems to be the kind of thing that's been talked about at length here. It's all jargon and lost on me. Apps on there, like: ExifEraser? Qlango? DNSNet? Transcribro? Easy Notes? RiPlay? Those all sound potentially useful to me, but I have no sense, looking at this, what to make of them or their privacy and security. Hunting down their Githubs isn't something I know what to do with, either, once I get there.
If I want any of the Proton apps (besides mail), am I truly stuck using Play Services to update, etc. if I want the best handling of them, or is Obtainium "good enough?"
For anything with a web app, e.g. banking, Protonmail itself, and such, Vanadium is safe enough to not bother with an app, right? I can just bookmark what I need without it being an unnecessary risk?
I see extensive discussion on profiles and optimal setups, but I'm coming from iPhone, and I have struggled to understand the discussions directional flow of privilege and information between profiles

Thank you to anyone willing to explain any part of this to me like I'm five.

dhhdjbd

DeletedGravy

just get the apps from play store if they are not in accressant

do the owner profile install and user profile for use, setup. Or just all in one profile.

And stop thinking about it, if you are not intrested in it.

Consider alternatives if you have a reason to. Like the app not beeing on playstore, or you needing a more recent version.

Also dont get apps just because they sound usefull to you. I would suggest if you discover you need an app, then start looking for a fitting one, not the other way around.

ofc if you want to spend more time in this, there are a lot of things about privacy and security one can consider ^^

(the thing that matters the most for privacy these days, is what you use (apps / website) )

theyycmonk

DeletedGravy the only drawback I experience with my Proton apps is no new mail notification in mail. Other apps all seem to deliver notifications just fine without Play installed.

I take EVERY opportunity to nag Proton to address the issue (especially in light of the partnership with Motorola and the huge number of new GOS users that will mean), and I encourage everyone to also contact Proton often to ask them to "fix" their dependency on google.

Aeon

I am not sure I can explain it sufficiently for but I can explain my setup and my thoughts behind it.

I use GrapheneOS with one Profile adn with Google Services and Playstore installed.

I pretty much use it similar to a normal Phone just without the vast majority of google apps and other bloat that normally comes preinstalled on Android Phones.

GrapheneOS by its own design already reduces the invasiveness of Google playstore and services as they dont run with elevated permissions like in Stock Android.

GrapheneOS gives me the option to remove network permissions from an App, use Storage and Contact scopes to prevent Apps accessing data it should not have access to.

GrapheneOS increases security of the OS with memory tagging (prevents whole classes of exploits)

My thread model is fairly moderate as I live in a stable country with due process. I dont have to fear over reaching police brutality. I want to have a secure phone for communication, sat nav, banking and occasional looking things up on the internet when I am out of the house.

I can recommend you reading the GrapheneOS Usage guide and faq on https://grapheneos.org/ they are very well written and explain why specific design decissions where made and how GrapheneOS works.

Everyone uses their phone in a different manor, there is not really a right or wrong. GrapheneOS gives you a secure and private base system you can start from.

DeletedGravy

Aeon Thank you Aeon. I have the FAQ in front of me. They (very understandably) don't really dive into the third party stuff, though, aside from a few passing mentions. It's the third party stuff where I'm bogged down. In my personal case, I'm particularly _un_interested in logging in to Google. Even with a dummy Google account, it would have a pile of specific apps used in a particular way at particular times, in particular places, and that feels very fingerprinty, and that's a thing I'm hoping to avoid.

Aeon

DeletedGravy

thats perfectly understandable :-) I use Google Playstore because of my Banking Apps (Playstore is the secure way to get those apps) I have to use those apps as they are the banks method of 2fa for login and transaction authorisation.

The other source of installing apps I use is Obtanium to get Apps directly from the developers Github/website.

I use a couple apps from the Fossify Suit, KOReader, CoMaps and LocalSend. those I have installed with Obtanium.

Banking Apps, Signal, Whatsapp, Bitwarden, Aegis Auth, Ente Auth K9-Mail and Firefox I have installed with Playstore.

This is also the sum of Apps I have installed on my Phone.

Your way of reducing reliance on google playstore is also perfectly viable course of action. :-)

DeletedGravy

I went with Play Store (promptly deleted) and Play Services (not deleted) in a separate profile for Proton apps. The app verification thing baffles me, though. AppVerifier seems to not be able to verify all the (handful) of apps on Accrescent, and tells me to go do so myself. Well, I went to the app in question's Github, and none of the "checksums" I see there (also a big ? for me) match the alphanumeric string with colons that AppVerifier gives me for the app in question (is this a SHA-256?). Is that a red flag?

soupslurpr

DeletedGravy Yes, AppVerifier shows the SHA-256 of the signing certificate(s). It shows it with colons for more readability but it does accept a hash without colons.

DeletedGravy

That was for the app called Easy Notes. Meanwhile, same goes for ExifEraser, except that the SHA-256 (right?) Accrescent gives for it does indeed match one on the GitHub for that app. These are both apps downloaded from Accrescent. Is this an issue?