An idea for secure, private and comfortable app acquisition

Hi all,

I want to redo my GrapheneOS setup. I think the main issue with extensive real-world use scenarios is how to install and update your apps. Personally, I strive for a maximum of security, privacy and comfort. In this particular order. I know it is asked a lot ;)

I spend a good amount of time in this forum to understand the pros and cons of all the different methods of app acquisition out there. While I think getting the APKs directly - built and signed by the developers - via GitHub or their personal repos and verifying the signature on the first install is the most private and secure option, it lacks a lot of comfort – and if you are a bit lazy, like me, also lacks some security in the sense of not getting the updates automatically. I know there is Obtainium, which comes in pretty handy, but unfortunately also lacks an auto-update feature and does not make sense for apps which only release their apps directly through the F-Droid official repo or Play Store.

The alternative is to use the Sandboxed Google Play Services + Store. While this option provides a good amount of security and comfort, it is not as private as some people would like. Sure, you can use a fake account, but as discussed many times in this forum, other apps, especially the proprietary apps, could communicate with Play Services, even if you deny them network access, and link their data to your IP and profile. Unfortunately there is no option to use the Play Store without Play Services, so right now I see two promising options to minimize the privacy problem and enjoy the security and comfort of getting apps through the Play Store.

  1. Deny network access to Play Services – You will lose FCM (push notifications), as far as I understand even for services with an alternate implementation like websocket (Signal, Tutanota, etc.), because they see that Play Services are installed. Is that correct? Or will these apps try to communicate with FCM, and if it fails the first time, they will switch to websocket?

  2. I think this could be a pretty sweet solution: Installing Sandboxed Google Play in the owner profile, installing apps there, creating another user profile and share the apps from the owner profile via the “install available apps” option. I could update the apps through the owner profile and use them in the second user profile, since the apps are installed system-wide and can be made accessible to different users (isolating all the data and communication)

In essence, this would enable us to install and update apps through a fake account, or if you want even through an account with billing information, if you need some paid apps via play store, but to use them in a profile where no play-services/google apps are present whatsoever. This would have the following effects:

  • apps cannot see or communicate with Google Apps when used from the second user profile (which I would at this point use as my standard everyday-use profile)
  • apps with an alternate push implementation to FCM will use it (notifications for the other apps will not work tho, if that is important to you..)
  • paid apps will work in the second user profile, if they do not check their status through play services

Do you think one of these options, especially the second one, could be a feasible alternative to getting apps from the developers' repos directly? What is your personal opinion on balancing security, privacy and comfort?

disclaimer:
I already heard about Accrescent, I use it, I like it, but for now it is still in alpha and since there are not all the apps I want available yet, I have to rely on another app source.
F-Droid and its alternative front-ends are not considered due to their infrastructure flaws regarding their signing and building of apps (reproducible builds and custom repos of the app maintainer are somewhat better tho, I think.). Aurora Store is not considered because it lacks certificate pinning and has no auto-update feature.

Have a nice day,
forumo

So I thought about it again, and I see 3 main issues with the approach I proposed in my second point:

Some apps are not available in the Play Store (e.g. Logseq or NewPipe)

  • So I think if you want apps that are not available on the Play Store you obviously have to get them from somewhere else, preferably from the developer's repo (e.g. GitHub). One could use Obtainium as an assistant for that (hopefully it will be possible for the devs to enable auto-update in the future), or some apps like NewPipe have their own update checks implemented.

Some apps are only available as their Play-enabled version (e.g. Nextcloud or Home Assistant)

  • For the apps with a play-enabled version, I do not really know if it really makes a difference, since there will be no play-services enabled in the second user profile, so the app should basically behave the same as their non-play-enabled counterparts? Probably it depends on the app, which additional components are shipped with the play version.

Some apps cost money on Play, whereas they are available on GitHub or F-Droid for free (e.g. DAVx5, OsmAnd+)

  • Again you could get the apps from GitHub (but then, OsmAnd+ for example is only available on the F-Droid official repo) or support the developers by buying it on Play; you could use some sort of anonymous payment method for that.

I still think that installing apps over Play Store and using official apks (don't forget to verify their signature before first installation) as a complement, then share the apps with another user profile and using them over there, is relatively comfortable while still being secure and private.

What do you think?

Cheers,
Forumo
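
The signature check on first install mentioned in the posts above, as an added example that is not part of the original thread: it compares the SHA-256 signing-certificate digest printed by `apksigner verify --print-certs` with a fingerprint obtained from the developer. The function names, the sample output and the fingerprint are constructed for illustration, and the `Signer #N certificate SHA-256 digest:` line format is assumed.

```shell
#!/bin/sh
# Added example: pin an APK's signing certificate before the first install.
# Assumes apksigner (Android SDK build-tools) prints lines of the form
#   "Signer #1 certificate SHA-256 digest: <hex>"

# Strip colons/whitespace and lowercase, so "AB:CD" and "abcd" compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'A-F' 'a-f'
}

# Read apksigner output on stdin, print one SHA-256 digest per signer.
signer_digests() {
    sed -n 's/^Signer #[0-9][0-9]* certificate SHA-256 digest: *//p'
}

# check_pinned PINNED   (apksigner output on stdin)
# 0 = exactly one signer and it matches the pin
# 1 = digest mismatch, 2 = no signer line or more than one signer
check_pinned() {
    pinned=$(normalize_fp "$1")
    digests=$(signer_digests)
    count=$(printf '%s\n' "$digests" | grep -c . || true)
    [ "$count" -eq 1 ] || return 2
    [ "$(normalize_fp "$digests")" = "$pinned" ] || return 1
    return 0
}

# verify_apk APK PINNED: 3 = apksigner rejected the APK, otherwise as check_pinned.
verify_apk() {
    out=$(apksigner verify --print-certs "$1") || return 3
    printf '%s\n' "$out" | check_pinned "$2"
}

# Constructed sample output and fingerprint (not from a real APK or developer).
SAMPLE='Signer #1 certificate DN: CN=Example Developer
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567'
PIN='01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF'

if printf '%s\n' "$SAMPLE" | check_pinned "$PIN"; then
    echo "certificate matches pinned fingerprint"
fi
```

With a real file this would be called as `verify_apk app.apk "$PIN"`, where the pin comes from a channel independent of the download itself.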

    If you have the apps installed via Play Store on the owner profile BUT not logged in, and then you copy them to a user profile that has NO Play Store installed... will the apps in the user profile get their notification service via the owner profile?

      forumo

      1. As you mentioned, at the end of the day I've realized there are some apps I HAVE TO get from Play, some apps I HAVE TO get from F-Droid, and some I "best" get from source (GitHub). So in the end I have to use all three sources and manage them.

      2. From what I recall, SMS doesn't work on secondary profiles.

      3. On secondary profiles you can accidentally press "end session" and it will close the whole session. An annoyance.

      4. Your suggestion implies that two profiles always run, with GPS always running on the main profile, which means more battery use. With GPS on a secondary profile, when you don't need it you can "end session" and kill GPS wholly and have only one profile running. Although this is not necessarily a deal breaker if the benefits outweigh the battery hit with regard to the user's priorities.

      People's requirements vary. I can live without FCM for messaging apps. Some can't. Some can have FCM and messaging apps on secondary profiles. Some can't.

      L8437 will the apps in user profile get their notification service via the owner profile?

      No. Each run their own.

        • [deleted]

        User2288 From what I recall, sms doesn't work on secondary profiles.

        When you create a new profile there's an option to install installed apps from main profile and also you can turn on calls and sms for the profile. It works fine for me.

        User2288

        on secondary profiles you can accidentally press "end session" and it will close the whole session. An annoyance.

        Imagine that a couple of users here actually complained that it is not easy to switch users/ turn off session. But you are not wrong, you can actually accidentally press "end session", when you accidentally swipe the notification tray all the way down, accidentally click on gear button and accidentally click "end session". Fortunately, you can as easily start the session again.

          [deleted] When you create a new profile there's an option to install installed apps from main profile and also you can turn on calls and sms for the profile. It works fine for me.

          OK, I think I remembered wrong. I think it was installing a replacement for the SMS "app" that doesn't work on a secondary profile.

          [deleted] Imagine that a couple of users here actually complained that it is not easy to switch users/ turn off session. But you are not wrong, you can actually accidentally press "end session", when you accidentally swipe the notification tray all the way down, accidentally click on gear button and accidentally click "end session". Fortunately, you can as easily start the session again.

          It's happened to me multiple times and it's "annoyed" me, enough to deserve a mention, in my experience and in my opinion. Do you find me expressing this not so common an ordeal that others "might" or "might not" experience, very objectionable?

            • [deleted]

            User2288 Do you find me expressing this not so common an ordeal that others "might" or "might not" experience, very objectionable?

            [deleted] But you are not wrong, you can actually accidentally press "end session",