Avatar
Ava 1y ago

###### **Your Cheat Sheet to Installing Android Apps the Privacy Respecting Way: From Direct Sources to Google Play Store**

**1. Direct from Developer**

- Get APKs directly from GitHub, GitLab, or Codeberg etc. using Obtanium

- If the app is on Accrescent, use Accrescent

**2. F-Droid**

Use only in these cases:

- When it's the developer's chosen release channel

- When no other distribution option exists

Most devs will put F-Droid instructions or a download button on their Git page or website. Use the developer's official F-Droid release repository or recommended repository whenever available (eg: many devs use IzzyOnDroid F-Droid repo for their releases instead of creating their own).

**When using F-Droid:**

- Use the official "**F-Droid Basic**" client

- Benefits: Automatic background updates without privileged extension or root

- Enhanced security through reduced feature set and attack surface

- Do not use alternative clients like Neo Store

**3. Google Play Store**

Use only if the app is unavailable through any other official channel.

Some prefer to use Aurora Store (a Google Play Store client which does not require a Google account, Google Play Services, or microG to download apps).

This is threat model and usecase dependent.

I prefer to just use Google Play since I have it installed on GrapheneOS where I use some paid apps not available anywhere else, and I want to keep all of my apps all in one place.

(Optional) Create an anonymous Gmail account and use it for Google Play.

---

*Note: This approach aligns with PrivacyGuides and GrapheneOS recommendations, as well as modern security standards. Third-party F-Droid clients are not recommended.*

```

#Ikitao #OPSEC #Privacy #Android #GrapheneOS

Reply to this note

Please Login to reply.

Discussion

Avatar
Matt 1y ago

Great standards and exactly what I naturally landed on after 15 years in the space. It's the best strategy I have found.

nostr:nevent1qqsth9q9qg0gu2s9a708mz756cgkmz03f85gw99w2sax6927aghhdcqpzemhxue69uhkummnw3ex2mrfw3jhxtn0wfnj7q3qf6ugxyxkknket3kkdgu4k0fu74vmshawermkj8d06sz6jts9t4ksxpqqqqqqzxxsvwg

Avatar
Dikaios1517 1y ago

What are your thoughts on zap.store, where devs can sign their own releases using their Nostr key?

Avatar
d0enakallešŸ‡āš” 1y ago

Was about to ask the same.

Avatar
Ava 1y ago

I plan to give it a thorough test and review once it matures a bit.

Avatar
ODELL 1y ago

I THINK YOU WILL LOVE nostr:npub10r8xl2njyepcw2zwv3a6dyufj4e4ajx86hz6v4ehu4gnpupxxp7stjt2p8

Avatar
Ava 1y ago

Thanks! franzap has been adding the open-source privacy respecting apps I find and post about to Zapstore for a little while now. I plan to give it a thorough test and review once it matures a bit.

Avatar
Zapstore 1y ago

Thank you! It will get much better

Avatar
42N3 1y ago

I would, maybe... but first I need to install it. APK anyone?šŸ¤”šŸ˜…

Avatar
Kevin's Bacon 1y ago

My phone won't download the cdn link for some reason. Maybe I have to go through the share dialogue on Firefox or something...

Avatar
GnomeBTC 1y ago

I approve this note

Avatar
sommerfeld 1y ago

There is nothing wrong with installing fdroid apps with Obtainium.

Avatar
Ava 1y ago

The risk is much smaller than using a third party F-Droid client like Neo Store as I outline in the post.

However, it is still best security practice to not introduce a third party when the side-load apk release is only made available by the dev on F-Droid.

Hence, I side with the recommendation of PrivacyGuides and modern security best practices in recommending F-Droid Basic if the dev officially releases the apk on F-Droid and it is not available on their website or git.

fa
AWAGMI? 11mo ago

why would you trust the developer to provide untampered binaries/releases? with f-droid you'll either get reproducible builds or the binaries are built by a party who's main job is providing untampered builds (not a priority for app developers). i see it similarly to trusting a VPN with your traffic vs trusting an ISP with your traffic. if there is something i am missing please educate me.