  • What is a good appstore to use on graphene considerations?

SpeakYourMind

Without meaning to disregard the position of others on fdroid being insecure, I have argued and would argue that is not true.

Downloading from fdroid is as secure as downloading from github.

There was a technical argument laid against fdroid, however I have critiqued this argument already and have not heard any meaningful counter argument against it yet.

Bottom line: fdroid has some potential issues however those issues do not apply in all situations and the categorical statement that "f-droid" is not secure is simply not true. Downloading from github is not safer than downloading from fdroid. In fact I might argue the contrary, or at least parity.

Do know that fdroid is not a replacement for play store as most apps on playstore are not available on fdroid. Also many apps on fdroid are not available in playstore. So they are "different" libraries with some crossover. Also some apps are only available from fdroid.

Don't use the official fdroid app, use droidify instead. Also be mindful that the app you download adheres to recent target API levels.

Understand what you are downloading from fdroid and you're good to go.

For a guide to get you started on apps and stores read this:
https://discuss.grapheneos.org/d/5267-basics/9

    SpeakYourMind
    The link that Obtainium created for itself is the correct one.

    The reason the latest version is not detected might be because of release channel factors (alpha, beta, etc). Try refreshing or change settings.
    If you are in a rush just download the latest version from the GitLab page.

    Due to the recent problems with Aurora's official download pages and versions made available recently I have personally decided to just use the version from fdroid. It gets released with a few days more delay but it's been a more reliable source.

    SpeakYourMind

    I have this problem as well and f-droid only has version 4.2.3 as well. If you want 4.2.4 then you'll probably have to uninstall the version you have and install from https://auroraoss.com/AuroraStore/Stable/AuroraStore_4.2.4.apk

    I agree it's silly to say f-droid is insecure. There's plenty of malware on the play store, GitHub, and everywhere else. The way to protect against malware is to vet the app's developers or check the app's source code. Nobody's gonna catch malware for you. The reason I recommended Obtainium is because it lets you download from f-droid, GitHub, and other sources from one app.

    Obtainium is a fantastic app and I highly recommend it.

    You need all 3 apps to have good and easy access to android apps. So get all three (Aurora, Droidify, Obtainium). Each does something the other 2 don't, so.

      User2288 Mostly agree, it's great we have so many options nowadays to replace Play Store. For me usually Obtainium plus Aurora Store is enough, since Obtainium can access Github, F-Droid and Izzy. If I needed a separate F-Droid frontend, I'd go with Neo Store instead of Droid-ify. It might be not as pretty, but like the other apps it has an "update all" button which is so much more convenient in the long term...

        User2288 On fdroid, the vast majority of applications are no longer maintained, and the fdroid application itself is not at a very high SDK level, which means that all this can weaken the AOSP security model. There was once an article written by a Frenchman which brought together reliable and verifiable sources, and which was based on real facts.
        I mean, installing fdroid on GrapheneOS when there are other solutions is not a very logical choice.

          Ixirup
          I think you haven't read the posts I linked to cause it would have answered this. Presence of outdated apps is not an argument against fdroid or an argument for security flaw, and also the official app is not mandatory, you can and should use a replacement.

          Anyway, there aren't too many good apps on fdroid anyway. Maybe about 5 to 10 common good ones for any individual. If you get them with neostore or droidify or with browser directly, there is no security issue any more than getting from any other source. They are updated apps.

            Thanks for all the great answers, but it's still a bit overwhelming.

            What I am struggling with right now a bit is the following questions.

            1. So if the apps from Aurora store don't update automatically - how do you handle this then?
            2. What I didn't think about - till now - is what problems security-wise arise from the fact that the apps from Aurora are installed with a shared account with some strangers? Would it be better to make a Google account just to download the apps? Or is this a silly idea and makes no difference to using Google playstore?
            3. @"Ixirup": "And yes, downloading from github with obtainium isn't a great idea either. " Why is it not a good idea to download from Github? I thought it is more or less the gold standard since it has been used to share code for ages and it's used a lot?

            Thanks a lot...

              • [deleted]

              SpeakYourMind So if the apps from Aurora store don't update automatically - how do you handle this then?

              Not an Aurora user but if it still doesn't do unattended updates, you need to manually go in there and update what you need from within the Aurora app.

              SpeakYourMind What I didn't think about - till now - is what problems security-wise arise from the fact that the apps from Aurora are installed with a shared account with some strangers? Would it be better to make a Google account

              With a shared account it's the same risks as if you would have used my account without having access to its credentials. It's just a stranger's Google account. If you don't mind using your own account (throwaway or otherwise) just use Play.

              SpeakYourMind Why is it not a good idea to download from Github? I thought it is more or less the gold standard since it has been used to share code for ages and it's used a lot?

              Obtainium is fine. If you don't trust it, download the app manually from GitHub first and then start tracking it through Obtainium. Developer distributed APKs from GitHub or otherwise are in fact officially recommended by GrapheneOS among the best ways to get apps. If you only use a few APKs it makes more sense to manually update them IMO but if it's a dozen or more Obtainium might be worth the extra overhead.

              N1b
              Where would you download Neo Store? It sounds good, on the github page it says download from F-Droid (which most here say is not secure) or "IzzyOnDroid" which I don't know how good that is. I would like to install it so that it updates itself. Which way to go?

              Good night... all...

                SpeakYourMind Where would you download Neo Store?

                You can download it from Github directly (scroll further down and you'll find the releases: https://github.com/NeoApplications/Neo-Store/releases)

                I'm not sure if it will pull the self-updates from github or Izzy after that. If you trust Izzy and have their repository activated, you can install it from there since it will usually find an update there a few days before F-Droid. I got mine from Izzy about a year ago and it worked ever since.

                  SpeakYourMind Why is it not a good idea to download from Github? I thought it is more or less the gold standard since it has been used to share code for ages and it's used a lot?

                  It's not that downloading from Github is a bad idea. It simply ends up with you trusting the source of the app you download. Really great and secure apps are hosted on Github, as well as badly coded ones, or ones that are forked and pretend to be legitimate.

                  • [deleted]

                  Chopped7821 You should use f-droid

                  I don't know why you are recommending a repository whose official frontend literally targets Android 7.1

                  N1b

                  Thanks for the link. To be honest I actually needed it. Right now it's still a big problem for me to find the "right" thing.
                  So e.g. I go to Github and type in "neostore", you then get a barrage of hits that are not the correct link. I saw the stars and figured ok, 0 stars, 2 stars, that is not it. That "nekken/neo-store" with 0 stars at the end of page 2 is still not the right thing, I could figure. But how to find the right one?

                  So if you/anybody have some indicators, even little or weird ones, how you find/check whether a repository on Github/lab is the right one to download, I would appreciate it.

                  The comment of PS_Alex:

                  Really great and secure apps are hosted on Github, as well as badly coded ones, or ones that are forked and pretend to be legitimate.

                  Made me think even more about how to choose the right download.
                  My "thinking" process right now is really primitive, it's just like: 1.9K stars, that's a lot so it's probably the official app. Download. Any help on what to look for appreciated, like how your brain works on this. The only thing I won't do, because I can't, is reviewing code (as you figured I am not a coder).

                  This is right now my biggest problem actually, to determine whether something is reliable on github/lab... So any help on how to read the little "signals" appreciated...

                  Greetings!

                    SpeakYourMind

                    If this is considered to be not good to post a related but somewhat with a different nuance I could make an own/fresh thread out of this..

                    No need to look for this kind of thing... On Android the only reference is the playstore. After that, you're free to install whatever you want, but in terms of privacy and security, on a security-related forum, it'll be the play store on Android.

                      User2288 Who signs the applications and how are they maintained by fdroid? I know, but I want to make sure you know what you're talking about.

                        Take some time to read and learn here,
                        https://sideofburritos.com/
                        it worked for me, go to YT or NP and look at his videos, easy to understand. Search for,
                        What should you use? - F-Droid, Droid-ify, Aurora Droid, Neo Store, Google Play, Aurora Store?