• Off Topic

  • What is a good appstore to use on graphene considerations?

N1b

Thanks for the link. To be honest i actually needed it. Right now it's still a big problem for me to find the "right" thing.
So e. g. i go to Github and type in "neostore" you then get a baragge of hits that are not the correct link. I saw the stars and figured ok, 0 Stars 2 stars that is not it. that "nekken/neo-store" with 0 Stars at the end of page 2 is still not the right thing i could figure. But how to find the right one?

So do you/anybody have some indicators even little or weird ones how you find/check wether a repository on Github/lab is the right one to download i would appreciate it.

The comment of PS_Alex:

Really great and secure apps are hosted on Github, as well as badly coded ones, or ones that are forked and pretend to be legitimate.

Made me think think even more, how to chose the right download.
My "thinking" process is, right now is really primitive its just like: 1.9K stars that's a lot so it's probably the official app. Download. Any help what to look for appreciated, like how your brain works on this. The only thing i won't do, because i can't is reviewing code (As you figured i am not a coder).

This is right now my biggest problem actually, to determine whether something is reliable on github/lab... So any help how to read the little "signals" appreciated...

Greetings!

      SpeakYourMind

      If this is considered to be not good to post a related but somewhat with a different nuance i could make an own/fresh thread out of this..

        No need to look for this kind of thing... On Android the only reference is the playstore. After that, you're free to install whatever you want, but in terms of privacy and security, on a security-related forum, it'll be the play store on Android.

          User2288 Who signs the applications and how are they maintained by fdroid? I know, but I want to make sure you know what you're talking about.

              Take some time to read and learn here,
              https://sideofburritos.com/
              it was work for me, go YT or NP and look his videos, easy to understand. Search for,
              What should you use? - F-Droid, Droid-ify, Aurora Droid, Neo Store, Google Play, Aurora Store?

                Ixirup

                Man you don't understand. I literally wasn't able to spot the right download for Neo store on Github pages of "not the right" thing... So what to look for is top priority for me. I understand that there are apps that are fraudulent right from the start...But what i don't want to fall victim that i think i downloaded neo store, but in reality i downloaded "the fradulent store" posing as neo store....

                Differently asked/if someone likes a little experiment:

                • If you go to Github and type in "neostore". From the tons of hits you get. What is your "Algorithm" to find the right one?
                • Second: What are the little signals/tells that tell you, that this is the right thing, not some fraudulent web shit with a virus?

                    Ixirup Who signs the applications and how are they maintained by fdroid? I know, but I want to make sure you know what you're talking about.

                    If you would like to help the OP please do so, but judgemental language such as this is not welcome here. Please remember that this community comes from all walks of life, and we're here to help each other out. Please be nice to each other.

                      • [deleted]

                      • Post #36

                      SpeakYourMind the best thing to tell you are looking at the right stuff is using a major search engine like duckduckgo searching "Neostore Github" or "Neo apps" github will lead you the right way.

                        SpeakYourMind You have to check the application's signature if you download it from the Internet, so I don't understand it at all...

                          SpeakYourMind If the signature doesn't match, it's no good. You should have done the same to install grapheneos.

                            @Ixirup
                            I'm intentionally avoiding a long winded argument about this and trying to keep it short to help a newbie and not to delve into long technical arguments. You're confusing and over complicating this for him with your comments. and I'm not here to argue anyway. I am well aware of those articles and their arguments. I understand the app signing and app pinning concepts. Fdroid uses their own singing key, which is no more safe or vulnerable than the developer doing it or play store doing it (So I'd argue). As I've explained in my other posts (which you're welcome to read) the arguments in these articles present theoretic problems. Equally problematic theoretic vulnerabilities exist both against playstore downloads as well as other download sources (github included). In fact downloading from the official website of the developer itself has arguments for vulnerability too, so! My argument is that the potential problems pointed out do not equate to a definite and categorical claim of "UNSAFE for general use" for the Fdroid repository.

                            @SpeakYourMind
                            Look I live in reality. I'm trying to keep things real for you. And In reality, you only have a handful of practical options when it comes to downloading apps, that's it.

                            PlayStore is two components. The PlayStore REPOSITORY and the PlayStore APP. Apps are downloaded from the REPOSITORY using the PlayStore APP. To download from this repository a google account is required.

                            Aurora Store is an APP (which takes over the job of the PlayStore APP) that allows you to download from this repository without needing to have your own google account or needing to install or use the PlayStore App. Aurora uses it's own google accounts to download "for you". Aurora can't auto update apps in the background, but if you open it you can easily update your apps. Its advantage is privacy and being free from PlayStore apps being installed on you system. Its downside is that its not as "convenient" as PlayStore app, and it doesn't "pin" the app signature when it installs a new app. The account sharing aspect of Aurora is generally not a problem at this time except in very rare cases (mostly some financial apps wanting to heavily tie to your identity). There isn't any security risk in this that we know of. But if the particular app heavily relies on the google account as the method to verify you and the app's instance, then this could become a security problem. This is generally not the case for most PlayStore apps including most of the banking apps.

                            Another way to download apps from the PlayStore repository is through websites such as APKmirror and APKpure. They download the apps with their own google accounts and provide a copy of that download on their website for people to download. This is a useful source in some cases (as no app or account is necessary and the full PlayStore repository is available to you) but is not ideal because updating the apps is a total pain and fully manual, which is not realistic. Aurora is a much more practical solution. Also going through an extra website to download things adds an extra layer of potential compromise. However this extra layer of vulnerability is the same whether you go through APKmirror, Aurora Store, or Fdroid. The issue of "trust" in those sources and the security of their servers becomes relevant. To avoid this potential risk its recommended to download from "direct source" like github to avoid this "theoretic" extra attack surface, which then puts trust only the developer's security and github's. Is this much safer? How much? (you decide.)

                            Your next option is Fdroid. Fdroid also is both a REPOSITORY and an APP. Droid-ify, NeoStore, and Aurora Droid are alternatives to the Fdroid APP and use the same REPOSITORY. Fdroid apps can be downloaded directly from its website without need of any app, however updates become a problem. Fdroid IS NOT an alternative and replacement to PlayStore. Their apps are mostly different. It is however complementary. Some apps exist on both, and some important apps are exclusive to each with no other way to get them (ex: Brave is only on PS, and OsmAnd+ -Full Free- only on Fdroid).
                            As mentioned before Fdroid app has poor security so use one of the alternatives. NeoStore allows automatic background updates which Droid-ify does not, however NeoStore crashed 5 times in the first hour that I used it and wasn't as polished and clean as Droidify in my use. So I uninstalled and have happily stuck to Droidify since. Have not used Aurora Droid.

                            Accrescent Is another app and repository, however its not ready, and since I haven't used it can't comment much more.

                            Your last option is direct download from source (Official website or Github/Gitlab). This often leaves you with the problem of updating. Obtanium then comes in use here to consolidate and solve the update problem of direct downloads from source. Some argue that Obtanium increases the attack surface. Theoretically true, but.. how much? Realistically your choice is between extreme pain of manually handling 20 apps. Or just use Obtanium. You decide.

                            Tips:

                            • Don't use github's search to find apps. Its terrible. Use a search engine with the "right" words in your search. To be sure you have got the right website you need to confirm it from other web sources as similar a lot of similar entries exist that you should NOT trust.
                            • Fdroid website shows official links to any app's official website and source code. A great way to verify and find the proper "source".
                            • There are other places to get APKs from, don't use them. They are dangerous.
                            • Read the posts I referenced for you.
                            • read the entire Documentation on GOS website.
                            • Don't fret. This is too much info. You can't know it all right now. Start with the good advice given here. Expand later.
                            • Watch SideOfBurritos
                            • Find and watch other android security helpers on youtube. You'll learn from them even if some info is incomplete or not great.
                            • The same app from different download sources might have different signing keys. First time you install an app the "key" gets "pinned". Then you can only update from the same source and not a different one. So decide which source you install the app from as it will affect your future updates. Fdroid has its own key. PlayStore and developer site might have same key, or might not.

                              • [deleted]

                              • Post #40
                              • Edited

                              User2288 it doesn't "pin" the app signature when it installs a new app.

                              That's not true. Signature matching is enforced by PackageManagerService of AOSP, meaning for new updates to be installed, the checksum has to be the same as was on First Install.

                                • [deleted]

                                • Post #41

                                User2288 Fdroid also is both a REPOSITORY and an APP.

                                F-Droid also allows developers to make their own repositories, which could be helpful for Game developers since they won't have to abide by an app store's arbitrary rules.

                                  • [deleted]

                                  • Post #42
                                  • Edited

                                  User2288 I would suggest instead of digging around so much, You can just use the following:

                                  1. Google Play store
                                  2. APK from Developer's website
                                  3. APK Developer's F-Droid repo in a modern F-Droid client (like Neo Store)
                                  4. APK from Developer's official github/gitlab repo's releases

                                  For downloading old versions of apps, APKmirror can be used only after verifying checksums, to distrust APKmirror

                                      My Setup.
                                      Both supports automatic app updates, every time i check the app store all of my apps are up to date.

                                      1.Google Play store - Almost everything is installed from here including most of the opensource apps.
                                      2.Neo Store - If the app is not available in Playstore, apps are mostly from IzzyOnDroid F-Droid Repository or Official F-Droid Repository.

                                        • [deleted]

                                        • Post #44

                                        [deleted] I forgot to include Accrescent, you can use It too; but It only has a few apps.

                                          W1zardK1ng

                                          Are there differences between apps downloaded from playstore vs neostore in terms of tracking or including more google reliance?

                                              I didn't read the entire thread because there are too many messages, but if we do a dumb tier list of most secure ways to retrieve an app, here we go :

                                              • Accrescent
                                              • Play Store
                                              • Obtainium

                                              That said, F-Droid is awesome to search for FOSS apps, you can go f-droid website and search apps from there, then you should either download from accrescent first, play store or obtainium.