Just recently took the leap to GrapheneOS from stock Android.

One problem I’m having is getting my apps and keeping them updated. Obviously I’ve been trying to use F-Droid, Accrescent, and the Graphene-provided app store where I can, but work and friends require me to have apps not available there.

I’ve been using Aurora Store for everything else, but it seems really buggy (tons of instances where apps won’t update, will need ~3 tries to properly install, will notify me there was an error when the app clearly installed, etc.). Additionally, I saw somewhere that Aurora Store has some privacy/security issues (but didn’t dive deeper to see what was meant by that).

I’ve read Obtainium is another option, but it looks like that still will not meet all my needs.

I suppose I should also say that I’m hesitant to use the Play Store / Play Services at all. I get there’s sandboxing around them that makes them less invasive, but I don’t fully grasp how Graphene accomplishes that / what specifically it prevents.

What are you guys using for your App Stores? Should I just put aside my concerns and trust the sandboxed Play Store?

Appreciate your attention and consideration on this!

  • besselj · 2 upvotes · 2 days ago

    I use Obtainium since it’s apparently more secure than F-Droid. F-Droid is still a good place to search for FOSS and privacy-respecting apps. For anything that I can’t install through Obtainium, I’ll use the Play Store.

    • DahGangalang@infosec.pub (OP) · 2 upvotes · 2 days ago

      Any tips on how to better use Obtainium?

      At a glance, it seems to give me what I’ve always wanted (that is, access to all the switches and levers behind the scenes), but it is a bit overwhelming to start with.

      • acockworkorange@mander.xyz · 3 upvotes · 2 days ago

        1. Install AppVerifier from Accrescent as it integrates with it.
        2. Add the app to Obtainium and leave options as default
        3. Check if the app signature matches
        4. If something goes wrong, check the Obtainium recipes for your app.

        The hard part is #3, as a lot of apps don’t provide signature hashes. So you might not have confirmation the APK wasn’t compromised. Then you have to decide whether you take a leap of faith, try your luck at another app store or give up the app.

      • besselj · 2 upvotes · 2 days ago

        I’m still learning how to use it as well, but the basic methodology is to look up the GitHub page for the app you want to install and add the app to Obtainium using that GitHub link. This is where F-Droid comes in handy for finding GitHub pages. Default settings are usually good enough if you don’t know what they do.

        I’ve been told that it’s unnecessary to use the AppVerifier to check apps installed through GitHub, but you can still do it if the SHA signature is available on their GitHub.
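
The signature check from step 3 above, and the published "SHA signature" mentioned in the last comment, as an added example that is not part of any post in this thread: a shell helper that compares the SHA-256 signing-certificate digest printed by `apksigner verify --print-certs` with a fingerprint the developer published. The function names are this example's own, and the fingerprint and apksigner output in it are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes apksigner from the Android SDK
# build-tools; real use:
#   apksigner verify --print-certs app.apk | check_fp "$PUBLISHED"

# Strip colons/whitespace and lowercase, so "AB:CD" and "abcd" compare equal.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \t\r\n' | tr 'A-F' 'a-f'
}

# Print each signer's certificate SHA-256 digest found on stdin, one per line.
digests_from_apksigner() {
  sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: *\([0-9A-Fa-f]*\)$/\1/p'
}

# check_fp <published fingerprint>, apksigner output on stdin.
# Returns 0 on match, 1 on mismatch, 2 when the input cannot be judged.
check_fp() {
  want=$(normalize_fp "$1")
  case "$want" in ''|*[!0-9a-f]*) return 2 ;; esac
  [ "${#want}" -eq 64 ] || return 2      # SHA-256 is 64 hex characters
  got=$(digests_from_apksigner)
  count=$(printf '%s\n' "$got" | grep -c . || true)
  [ "$count" -eq 1 ] || return 2         # no signer line, or several signers
  [ "$(normalize_fp "$got")" = "$want" ]
}

# Constructed sample data: not a real app, certificate or fingerprint.
PUBLISHED='A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90'
SAMPLE_OUTPUT='Verifies
Verified using v2 scheme (APK Signature Scheme v2): true
Signer #1 certificate DN: CN=Example Developer
Signer #1 certificate SHA-256 digest: a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90
Signer #1 certificate SHA-1 digest: 0000000000000000000000000000000000000000'

if printf '%s\n' "$SAMPLE_OUTPUT" | check_fp "$PUBLISHED"; then
  echo "match: signing certificate is the published one"
else
  echo "no match or unclear: do not install"
fi
```

A return code of 2 (no signer line, or more than one signer) means the output needs to be read by hand rather than treated as a match. The comparison is only as trustworthy as the channel the published fingerprint came from.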