Simplify your setup:

- Always on VPN

- Google Play compat

- Use the Google Play store as much as possible (more secure, but of course FOSS tradeoffs)

- Use Google Camera w/ network disabled

- Use Google Keyboard w/ network disabled

Whittle down from there if you don't need all that functionality. That still provides excellent privacy and security if you limit apps.

Discussion

Google Play store versus Aurora? Isn’t Aurora the same basically but they’re using different throwaway Google accounts for you?

Google Play.

I'd only use Aurora if I couldn't use Google Play properly, like with CalyxOS.

Care to explain? This goes counter to privacy guides and advice I’ve seen up to this point.

Also #[2]​ DM’d you a few questions a bit ago about your last podcast appearance, did you see those?

If you trust google with security of apps (I do, it's something they're very good at) it's a much more secure way of getting apps than anything else.

The only drawback (and it is a drawback!) is that you have to be signed in to use it, but can just do a burner account.

Aurora could easily be compromised and serve malicious apps, and there are potential concerns with the fake "anon" account being compromised as well.

F-Droid is solid and I use it for a few things, but obviously tons of things aren't on F-Droid because the actual publishing policies and setup are a nightmare.

Sometimes the community tends to focus so heavily on privacy they forget the importance of security

Exactly, there is a good balance that has to be hit IMO as vulnerabilities and open doors to malicious app installation could be more harmful than anything else in many scenarios, especially if you have any reason at all to be targeted.

So it basically comes down to the initial downloading of an app right? If that’s signed correctly with the developer’s keys, then it can’t be replaced with a malicious version later no matter the “app store” you use right? (Excluding f-droid b/c of wonky signing policies)

So for most users Google Play is the right answer, but there are tradeoffs to consider.

Obtainium seems to be a powerful option here if you’re comfortable finding the source location yourself (only risk remaining is that the dev keys themselves are compromised which also would risk the other app stores?). This seems most like a desktop, download software from source, but with a nice consolidated updater.

Idk for me it feels like getting most software through Obtainium would be ideal and fallback to Google Play for apps that aren’t listed anywhere else. I’d only do this with a fully anonymous Google account tho (is this even possible anymore?)

Would be cool to have nostr used for software, publishing hashes of each release.

So for #[5]​ somehow you’d post hashes of each Envoy release to nostr (one note+replies?) and Obtainium could have a “nostr hash verified” section when you add an app so it will additionally check a specific nostr note/thread for the most recently posted hash signed by #[6]​ npub, must match hash of APK update before installing.

So both dev keys and nostr keys would have to be compromised to trick Obtainium then. Any obvious pitfalls here? #[4]

Other than complication. But ppl who want simplicity get iPhones so

I install in the Play Store and see which one in Droidify/Aurora-droid/f-droid says it's installed to know which is the official. Many use the exact same versions as the Play Store. I can then update with droidify going forwards.

Thanks I'll give that a shot, zapped ⚡⚡

Please message with questions or concerns! Happy to help, have been a happy user for over a year now, and going on 3y w/ Calyx/Graphene

Doesn’t Graphene have a pretty good privacy preserving camera app? It’s even on the Play Store.

It's very mediocre IMO, no reason to avoid Google Camera if you just disable network access when installing.

Then you get full features without privacy/security issues!