A message for GrapheneOS developers. What's your recommendation?

I am new in this world and I also have a lack of interest in this technology.
Still, I want as much privacy and security as possible.

For weeks I have tried to figure out what the best private/secure way to download apps is,
but I can't find a good answer.
And I noticed that 99% of the people here also don't know the answer, because they constantly contradict each other and get into discussions. No one agrees with each other, no one is on the same page here. It's like a fcking religion.

So many different app stores that have their own pros and cons when it comes to privacy and security.
Some people even say that all these stores are not safe to use and that the only safe one is the Google app store.
But that is from Google... not good for privacy, and Google says: "Developers add malware to apps from Play Store afterwards"

I don't want discussions, I want advice from the pros that really have knowledge of this stuff.
I am wondering what the developers of GrapheneOS themselves advise to their customers.
Why doesn't GrapheneOS give instructions about this?
Instructions about what the best source to download apps is and where not to, and how you can best deal with apps on your phone (cutting them off from the internet so the apps can't do any harm or something like that) and be done with it.

Just tell me what to do.

    For weeks I have tried to figure out what the best private/secure way to download apps is.

    There isn't one. You're not going to find a clear cut answer for a good solution that offers privacy AND security (at least right now).

    I don't want discussions

    This is a discussion forum.

    • [deleted]

    Welcome to the world of a discussion forum. What you described in terms of user interaction happens everywhere, including the Matrix community. Unfortunately, that's just what happens sometimes. People have their opinions/views on things and they don't always align with other ones.

    Telling you what to do isn't exactly straightforward since one person's threat model can differ from someone else's. Sandboxed Google Play may be perfectly fine for one person but not for another.


    yourmother Not a GOS dev, but the consensus from the more serious humans in here is:

    Build apk from source yourself > Git via Obtainium > website if versioned via Obtainium >> Google Play Store (with or without Aurora) >> maaaaaybe upcoming app store not being named >>>>> anything else.

    It's up to you to find out in any way if each of the apps you download is secure. Use search engines. Learn how to distinguish between word salad and actual true content. Just because someone writes something doesn't mean it has any meaning or should be listened to (this is why the mods frequently tell us to just ignore certain posts).

    And security is a moving target. What was true a couple of years ago might be completely false or insecure today.

      I would like to know also. Aurora seems unreliable. Updating on F-Droid is slow and manual. Obtainium requires manual configuration. There does not seem to be a good, fast and easy way to update apps that are not included by default.

        csoo0550 As many have stated multiple times: Can't search or browse from inside Aurora, and Google will probably keep it that way, if not outright killing Aurora. Use play.google.com to find apps, then install that specific app from Aurora. Use your own burner account.

        When using more private options it always means more manual work. It can be automated, but it requires manual work to get to that point.

        Going more private is not for everybody. There's a reason why Apple is doing so well financially.

        What probably would be helpful for most users of GOS is that someone creates a wiki with best practices for all kinds of use cases. It would have to be continuously updated and corrected, and the GOS devs and mods should have veto to purge false info without them being forced to add any info since that takes away valuable time from the GOS project itself. It would have to have more restrictive write access since there is so much FUD around any security topic, otherwise it would be just another blog that a random person writes for a couple of months.

          dgzeij When thinking about it, it would make more sense that GOS themselves created the wiki and set up the permission structure. Then made someone superuser without admin rights, but otherwise with all necessary permissions to effectively run the site and promote and manage other users to their respective user groups.

          dgzeij Build apk from source yourself > Git via Obtainium > website if versioned via Obtainium >> Google Play Store (with or without Aurora) >> maaaaaybe upcoming app store not being named >>>>> anything else.

          It's up to you to find out in any way if each of the apps you download is secure. Use search engines. Learn how to distinguish between word salad and actual true content. Just because someone writes something doesn't mean it has any meaning or should be listened to (this is why the mods frequently tell us to just ignore certain posts).

          You think I don't have a life? I have no job? No family? I have all the time in the world? wtf.

            • [deleted]

            yourmother Relax, please, and be respectful. They're just trying to help.

            • [deleted]

            yourmother You think I don't have a life?

            Just use Play Store and Accrescent (once it has more apps).

            By the way, you should be respectful (at least on this forum).

            yourmother

            You state:
            "I also have a lack of interest in this technology"
            "I want as much privacy and security as possible"
            "You think I don't have a life? I have no job? No family? I have all the time in the world? wtf."

            I totally understand your approach and apply it myself in many areas of my life. And in each of these areas I have had to choose (and I have to choose all the time) - either I take on the topic myself, devote time to it at the expense of work/family/leisure time, or I don't pursue the topic in depth, accept some risk, and buy (i.e. pay for) the service in question from whoever is (hopefully) doing it least badly. For me personally, this choice depends either on the specific threat, or simply on whether you are interested and enjoy the area.

            I personally see GrapheneOS as a project primarily for high-risk individuals or for information security and privacy enthusiasts. For both of these types of entities, I assume a deep interest in the field and a willingness and ability (and sometimes even a need) to engage with the ever-evolving topic of information security and privacy protection.

            My approach is that once my willingness and ability to study information security and privacy disappears, I will move on to a ready-made solution that is good enough for my particular situation. At the moment, I would probably choose some of Apple's solutions but I am not sure.

            I'm sticking with GrapheneOS for now, and wish everyone a happy life full of good choices.

            My particular setup at the moment:

            • I use Obtainium & GitHub for selected applications
            • Google Play Store for the rest of my apps
            • single profile (user)

            May you be well!

            yourmother so what you really want is someone else with a life, family, and job to do your work for you? The guy/gal that did their own research for their own threat model to protect their own family on their own time should now do this for you because you cannot be bothered? Sounds reasonable.

            yourmother
            A normal user needs only 10 sec to open a browser and type "obtainium". Clicking on the GitHub page link and scrolling down & tapping "releases" will take another 10 sec. Downloading and installing will take 15 sec.
            Searching for the app name with "fdroid" at the end will take 10 sec. Clicking the "source code", copying & pasting the link will take 5 sec. And now you can install any app directly from the developer. The very first initial setup and installing the first app will take only 50 sec in total, and adding and installing another app will take only 15 sec. And you can export Obtainium data to another device, so next time you don't have to paste the link of every single app. It's like your personal app store. Don't you have around 1-2 min?


            yourmother You think I don't have a life? I have no job? No family? I have all the time in the world? wtf.

            We all wish we had access to a reliable app collection full of useful apps written for us by people all over the world, without malware or exploitable bugs, using back-end servers without leaks. Plus it would be great for the app collection to be anonymous and the apps to be free. As of August 2023 humanity has not achieved one of those, so we can't give you simple directions for accessing it.

            Some platforms have app stores that are very easy to use. But they tend to be non-anonymous, charge money, and still contain some apps that leak and/or steal.

            yourmother

            A message for GrapheneOS developers. What's your recommendation?

            Please don't direct questions specifically to GrapheneOS or GrapheneOS project members going forward. If you post a question on Matrix or the discussion forum, you need to accept that anyone can answer. Project members do look at a lot of the content that's posted even if they don't reply. Egregious cases of misinformation are often corrected by project members if it wasn't dealt with by the community. It turns into a moderation issue if people are repeatedly lowering the quality of discussion by inaccurate claims, particularly if it's harmful advice leading people to do things in a poor way.

            We try to maintain a decent quality of discussion and information on these platforms. We haven't been achieving that with the discussion forum recently and some cleanup is going to need to be done. Please try to support these efforts to maintain a high level of quality here because many people use it as a source of information. This is a collaborative effort. If you aren't sure about something, posting a response is fine, but then try to avoid stating it as fact.

            So many different app stores that have their own pros and cons when it comes to privacy and security.

            Yes.

            Some people even say that all these stores are not safe to use and that the only safe one is the Google app store.

            For obtaining a specific app, such as Element, the sandboxed Play Store is one of the best options. You need to make sure it's the genuine app from the developers, ideally by opening a link from their site. Play Store isn't a very good way to discover new apps if you care about privacy and security, but that's a hard topic in general. Open source also doesn't mean private and secure, but comparing open source to proprietary apps on average, they do tend to have better privacy, but not necessarily better security.

            But that is from Google... not good for privacy, and Google says: "Developers add malware to apps from Play Store afterwards"

            This can happen anywhere, and can happen with open source apps too. Open source doesn't mean a developer adding malicious or unwanted behavior is going to be somehow caught and prevented before you get it. F-Droid doesn't provide any protection from this beyond scanning for binary blobs, etc. It will not protect you from a developer adding malicious source code, particularly when 'malicious' is hard to define and these things can be done in a subtle, well hidden way. It has regularly happened that open source libraries and applications have clear cut malicious code inserted. It's extremely common for these libraries and apps to make privacy unfriendly changes like adding invasive analytics too. All you get from F-Droid is knowing that the developer adding a closed source third party library will likely get detected and the app won't get updated, but in exchange you're trusting people to build/sign the apps who have shown consistent untrustworthy behavior. You're also getting significantly delayed updates in many cases.

            I don't want discussions, I want advice from the pros that really have knowledge of this stuff.

            You created a thread on the discussion forum about it, so discussion is what's going to happen.

            I am wondering what the developers of GrapheneOS themselves advise to their customers.
            Why doesn't GrapheneOS give instructions about this?
            Instructions about what the best source to download apps is and where not to, and how you can best deal with apps on your phone (cutting them off from the internet so the apps can't do any harm or something like that) and be done with it.

            GrapheneOS includes our own app repository client which provides a way to install the sandboxed Play Store. There is no advice for this fitting everyone's preferences because all of the available options, other than our own app repository currently only used for our own apps, have major flaws.

            Just tell me what to do.

            If you're using sandboxed Google Play in the profile for broad app compatibility, you might as well use the sandboxed Play Store to install and update apps since that won't give them additional information if you do it properly compared to simply using sandboxed Google Play without using it to install apps. Create a single-purpose Google account without personal information to use with sandboxed Google Play in a single profile. Don't use the same account for anything but sandboxed Google Play, and use a separate account for separate profiles.

            If you aren't using sandboxed Google Play in the profile, there is no best answer. You aren't going to get any perfect answer and can't expect one.

              Hello,
              Thank you for your time. I appreciate it :)

              You said:

              GrapheneOS the sandboxed Play Store is one of the best options. You need to make sure it's the genuine app from the developers, ideally by opening a link from their site.

              I don't understand this.
              When I am in the Play Store, there are no links/sites.

                • [deleted]

                yourmother By looking up the app online?