[deleted]
[deleted] I forgot to include Accrescent, you can use It too; but It only has a few apps.
What is a good appstore to use on graphene considerations?
Are there differences between apps downloaded from playstore vs neostore in terms of tracking or including more google reliance?
[deleted]
applesbana It depends on the app.
This kind of discussion comes up every 4 days and always ends the same way. Read these articles instead.
https://wonderfall.space/marches-android-alternatifs/
I didn't read the entire thread because there are too many messages, but if we do a dumb tier list of most secure ways to retrieve an app, here we go :
- Accrescent
- Play Store
- Obtainium
That said, F-Droid is awesome to search for FOSS apps, you can go f-droid website and search apps from there, then you should either download from accrescent first, play store or obtainium.
[deleted]
Ixirup The developers sign their apk expressly for obtainium?
No.
Ixirup Obtainium checks the sources?
Obtanium does not check the 'source code', It only checks for APKs via many sources:
Currently supported App sources:
GitHub
GitLab
Codeberg
F-Droid
IzzyOnDroid
Mullvad
Signal
SourceForge
SourceHut
APKMirror (Track-Only)
APKPure
Third Party F-Droid Repos
Jenkins Jobs
Steam
Telegram App
VLC
Neutron Code
"HTML" (Fallback)
Any other URL that returns an HTML page with links to APK files (if multiple, the last file alphabetically is picked)
For more info, Read https://github.com/ImranR98/Obtainium/blob/main/README.md
Ixirup Obtainium is just a fancy and easier way for installing .apk manually.
So instead of going on github and download apk then install it, then using Feeder to track new version of your downloaded app , you can use Obtainium to do that for you, you just giving him the github url or whatever source you have, and Obtainium will fetch and download apk for you, then it will also track new version and will notify you so you can update it.
88dotorg
Thank you i stumbled across the same video the same evening and must say: really excellent video. Really like how he explains things!
- Edited
Man thank you for that extensive write up!! So much things i think the same like it is important that it is not to complicate to update Apps from a source. That it is important to get the download right in the beginning, since the keys might differ. That the search of Github is broken, how i found out. That the easy fix is to use DuckDuckgo as Some1 pointed out too.
Your comments on APKmirror and APKpure answered thinks i wondered about too..
So all in all thank you. I willd do more studying i already stumbled on SideOfBurritos, great explanatioins....
So really thanks for all of this!
And yes for me it is important to find reliable sources to download AND make Updates not to complicated. That is exactly what my thoughts are about. So indeed Github/lab + Obtainium is one idea i like.
you need to confirm it from other web sources as similar a lot of similar entries exist that you should NOT trust.
Fdroid website shows official links to any app's official website and source code. A great way to verify and find the proper "source".
I can't find the links on the F-droid Website for the website of the Neo store project. Am i overlooking something? Or is it for Neo store not there...
Do you use any other site recommendation for verifications purposes? besides F-droid I would love to hear, still big topic for me to verify downloads...
Greetings!
Ixirup
For the first 2 Articles: i don't speak french and i don't want to autotranslate...
The last one i did read, thanks for this. That lead to my decision to not use Fdroid as primary source of downloads....
[deleted]
SpeakYourMind Do you use any other site recommendation for verifications purposes? besides F-droid
What do you mean by verification purposes?
Another source of truth. Like i search in DuckDuckGo for "neostore" it shows me a github/lab page for download with files on it and a hash for the download file.
So another reliable site to check that the github page and file is legit and not set up by a hacker...
User2288 here isn't any security risk in this that we know of. But if the particular app heavily relies on the google account as the method to verify you and the app's instance, then this could become a security problem.
I thought about it a how the account sharing poses maybe a security thread a little more and tried to read up on it more, but i couldn't find anything useful.
Apps might rely on the google account maybe more than it is wise to indentify a user. In europe we use undergrounds and trains more. The apps for this e. g. are more regional and the companies are nto really professional with their IT.
So this is a good example to ask the question. Would the account sharing pose somewhat the risk that some hacker could restore my account or somehow else extract the data with the credit card data in it, due to the account sharing on Aurora?
That the app itself is not that secure is a risk i have been living well the last 7-8 years and i am OK with. Focus here is if the Account sharing adds another layer of risk and how large that is, given the fact that the app might not be programmed very wise or relies more heavy on the google account than it should be.
Is it more of a tiny risk or a medium to larger one?
[deleted]
- Edited
SpeakYourMind You can't do much except checking developer's website for finding github link or just searching via search engine
I would recommend just using proper app stores like Google Play and Accrescent (in Beta). "Verifying" checksums will only complicate things for you, and Its very easy to spot fake repos btw; for example, you can check the dev's name in repo url:
https://github.com/NeoApplications/Neo-Store
In this url First is the Developer name, and then comes the repo name, If let's say I fork this then It would become https://github.com/MyName/Neo-Store.
[deleted]
- Edited
User2288 Downloading from fdroid is as secure as downloading from github.
I would say It depends on who you want to trust:
If you trust the app developer and Github¹, and you have ensured that the repo is genuine, Github releases is the way to go.
But If you trust official F-Droid repo, and the app developer, the offical F-Droid repo could be OK.
For me personally, I don't trust F-droid because instead of acknowledging the points made in this article, they resorted to harrasing those who do not agree with them and falsely associating PrivSec (privsec.dev) with GrapheneOS.
¹Github need not be trusted If the checksum of the apk is verified (manually of course).
[deleted]
[deleted] ² BTW F-Droid supports Reproducible builds, which most apps actually don't even use because It makes releasing updates slower.