73kk13

TalentedQuill I personally use RSS for a lot of things, including the releases. We mention the atoms feed in Release announcements section: https://grapheneos.org/releases.atom

New nightly version of Lawnchair supports Private Space!

https://github.com/LawnchairLauncher/lawnchair/releases

Stewart

4G means 2G, 3G and 4G.
5G means 2G, 3G, 4G and 5G.

Android also has a standard 2G disable toggle but it's often not available with carriers. We changed it to always be available as we did for several other settings.

4G only is a GrapheneOS addition which means only 4G. That is the lowest attack surface option.

5G only will be added in the future. We don't plan to add a 4G + 5G option. The reason we didn't add a 5G only option yet is because we were waiting for it to be more universally available. It would make sense to add it now but we've had much higher priorities.

missing-root As far as I know, no 3rd party launchers support private space yet because of an api not released to AOSP yet or something like that. I found the info in here somewhere but can't seem to find it right now.

CravingPrivacy While there are installation videos/guides on YouTube and other websites, please only follow the guide found on the GrapheneOS website to avoid any unnecessary issues. It's an easy and straightforward process so follow it closely and to a T and you'll be good to go.

A few things come to mind.

1. Use the browser
2. Use RethinkDNS to isolate the app. Block trackers, and only allow the necessary domain for it to function.
3. Use a separate profile, work, or private space.

I personally use #1 because I don't need to look at my bank account everyday nor do I use the tap to pay feature.

Could you tell us your workflow with this bank app?

Fossify Gallery is great too

Not to rub salt in your wounds... but you really should keep backups of your valued data.
If you don't have any backups it doesn't really exist.

If your in need of a nice gallery app i recommend Aves https://github.com/deckerst/aves

Eagle_Owl I agree, publishing at least a hash of the fingerprint should be much more common. I don't understand why so few developers do so. Even posting it in only one place, next to the download, would be better than not doing it at all. Maybe it's just not a common knowledge among non-security-centered developers? Might be worth letting them know and seeing how they respond before assuming malice.

In the meantime, I think I might have found a mitigation to this problem:

Dumdum where did you get the SHA for Feeder, and why does your app say the source is from Github?

My guess is that if a developer does not provide hash signature (or anything else that could be used for verification) then it's good enough to download their app multiple times, on different dates, ideally from various sources, devices, IP addresses, etc.
Every copy that you got this way should have the same hash of it's signature. If that's the case, then it's likely a genuine install, coming from the developer. So it's good idea to save it's SHA256 or SHA512 hash in a public database, so that others don't have to do the same "experiment" in order to have any kind of assurance that their install likely hasn't been tampered with by a third party. If all the signature hashes wouldn't turn out to be identical, that could indicate that at some point one or more of the sources serving said app were compromised and pushed an apk signed by a malicious third party. However, this type of attack is not persistent, as the developer would very likely notice it. Existing installs wouldn't be updated to it since Android uses Trust on First Use (TOFU) model to pin the certificate upon install.

I am aware that this "verification" method is not a perfect solution. However I think this is much better than just mindlessly downloading and hoping an app was signed by it's original developer.

@soupslurpr if you woud like, I am willing to provide a few hashes of useful apps that I "verified" this way - for cross-verification purposes ;)
I'm also curious if that's something you and others did to get some hashes for AppVerifier's database.

App Manager has an apk scanner enabling users to check hashes from MD5 up to SHA512 so it might be relevant to this thread.
io.github.muntashirakon.AppManager
32:0C:0C:0F:E8:CE:F8:73:F2:B5:54:CB:88:C8:37:F1:51:25:89:DC:CE:D5:0C:5B:25:C4:3C:04:59:67:60:AB
Don't trust just this hash, cross-verify whenever possible!