Just recently took the leap to Graphene OS from stock Android.

One problem I’m having is getting my apps and keeping them updated. Obviously I’ve been trying to use F-Droid, Accrescent, and the Graphene-provided app store where I can, but work and friends require me to have apps not available there.

I’ve been using Aurora Store for everything else, but it seems really buggy (tons of instances where apps won’t update, will need ~3 tries to properly install, will notify me there was an error when the app clearly installed, etc). Additionally, I saw somewhere that Aurora Store has some privacy/security issues (but didn’t dive deeper to see what was meant by that).

I’ve read Obtainium is another option, but it looks like that still will not meet all my needs.

I suppose I should also say that I’m hesitant to use the Play Store / Play Services at all. I get there’s sandboxing around them that makes them less invasive, but I don’t fully grasp how Graphene accomplishes that / what specifically it prevents.

What are you guys using for your App Stores? Should I just put aside my concerns and trust the sandboxed Play Store?

Appreciate your attention and consideration on this!

  • gid
    2 days ago

    I use Google Play Store, Graphene’s app store and Accrescent. I feel that the known privacy issues from Google Play are more acceptable to me than the unknown consequences to my privacy due to the looser security from F-Droid.

      • gid
        6 hours ago

        Yes.

        1. F-Droid signs all builds with its own keys, so you can’t readily verify if an app supplied by F-Droid is the same as on other app stores.

        2. F-Droid allows a lower target SDK: this is good for users running very old versions of Android, but bad for people who download an app that hasn’t been updated in years and has multiple security vulnerabilities.

        3. Slow/irregular updates: often it can take days, weeks or sometimes months for an app update to be available via F-Droid (at least from their official repo). This can have real consequences if you’re waiting for an update for a critical security issue.

        Here’s an example of someone leveraging a supply chain attack against an F-Droid build of an app.

        F-Droid is a great project for providing an alternative source of apps to app stores run by companies, and I admire their goals, but from a security standpoint I wouldn’t recommend using it unless you have no other source for an app you need.

    • DahGangalang@infosec.pubOP
      2 days ago

      I like your logic. I’ll need to chew on that thought to make sure I agree, but that’s a really good point.