this post was submitted on 12 Apr 2025
8 points (90.0% liked)

GrapheneOS

445 readers
2 users here now

An unofficial discussion community for anyone interested in GrapheneOS.

Helpful links:

Official Graphene OS Discussion Forum

List of official Matrix channels and other contact sources.

founded 2 years ago
MODERATORS
[email protected]
8
App Store Recommendations (infosec.pub)
submitted 1 week ago by [email protected] to c/[email protected]
10 comments fedilink hide all child comments
 

Just recently took the leap to Graphene OS from stock android.

One problem I'm having is getting my apps and keeping them updated. Obviously I've been trying to use F-Droid, Accrescent, and the Grapheme provided app store where I can, but work and friends require me to have apps not available there.

I've been using Aurora Store for everything else, but it seems really buggy (tons of instances where apps won't update, will need ~3 tries to properly install, will notify me there was an error when the app clearly installed, etc). Additionally, I saw somewhere that Aurora store has some privacy/security issues (but didn't dive deeper to see what was meant by that).

I've read Obtanium is another option, but it looks like that still will not meet all my needs.

I suppose I should also say that I'm hesitant to use the Play Store / Play Services at all. I get there's sandboxing around them that makes them less invasive, but I don't full grasp how Graphene accomplishes that / what specifically it prevents.

What are you guys using for your App Stores? Should I just put aside my concerns and trust the sandboxed Play Store?

Appreciate your attention and consideration on this!

top 10 comments
sorted by: hot top controversial new old
[–] [email protected] 2 points 1 week ago (2 children)

I use Google Play Store, Graphene's app store and Accrescent. I feel that the known privacy issues from Google Play are more acceptable to me than the unknown consequences to my privacy due to the looser security from F-Droid.

[–] [email protected] 2 points 1 week ago

I like your logic. I'll need to chew on that thought to make sure I agree, but that's a really good point.

[–] [email protected] 2 points 1 week ago (1 children)

Does F-droid have looser security?

[–] [email protected] 2 points 1 week ago* (last edited 1 week ago) (1 children)

Yes.

  1. F-Droid signs all builds with its own keys, so you can't readily verify if an app supplied by F-Droid is the same as on other app stores.

  2. F-Droid allows a lower target SDK: this is good for users running very old versions of Android, but bad for people who download an app that hasn't been updated in years and has multiple security vulnerabilities.

  3. Slow/irregular updates: often it can takes days, weeks or sometimes months for an app update to be available via F-Droid (at least from their official repo). This can have real consequences if you're waiting for an update for a critical security issue.

Here's an example of someone leveraging a supply chain attack against an F-Droid build of an app.

F-Droid is a great project for providing an alternative source of apps to app stores run by companies, and I admire their goals, but from a security standpoint I wouldn't recommend using it unless you have no other source for an app you need.

[–] [email protected] 2 points 1 week ago

Thanks for the elaboration!

[–] [email protected] 2 points 1 week ago* (last edited 1 week ago)

I have low threat model. I get my apps from droidify and a couple of apps directly from their github pages. Havent bothered to try obtainium, maybe once most of my app isnt in fdroid.

For private space i use aurora. Planning to setup google play store, but havent got around yet. I need to create a fake google acc for that.

[–] [email protected] 2 points 1 week ago (1 children)

I use Obtanium since it's apparently more secure than f-droid. F-droid is still a good place to search for FOSS and privacy-respecting apps. For anything that I can't install through Obtanium, I'll use the Play Store.

[–] [email protected] 2 points 1 week ago (2 children)

Any tips on how to better use Obtanium?

At a glance, it seems to give me what I've always wanted (that is, access to all the switches and levers behind the scenes), but it is a bit overwhelming to start with.

[–] [email protected] 3 points 1 week ago
  1. Install AppVerifier from Accrescent as it integrates with it.
  2. Add the app to Obtainum and leave options as default
  3. Check if the app signature matches
  4. If something goes wrong, check the Obtanium recipes for your app.

The hard part is #3, as a lot of apps don't provide signature hashes. So you night not have confirmation the apk wasn't compromised. Then you have to decide whether you take a leap of faith, try your luck at another app store or give up the app.

[–] [email protected] 2 points 1 week ago

I'm still learning how to use it as well, but the basic methodology is to lookup the github page for the app you want to install and add the app to Obtanium using that github link. This is where f-droid comes in handy for finding github pages. Default settings are usually good enough if you don't know what they do.

I've been told that its unnecessary to use the App Verifier to check apps installed through github, but you can still do it if the SHA signature is available on their github.