Best ways to obtain apps on Android and is revoking the Network permission enough? (GrapheneOS)

Hi people!

I’ll be getting my new Pixel 7 in a few days and will be installing GrapheneOS as soon as its out for the device, and I have a few questions that have been going through my mind.

1. What is the current stance on running “bad” apps without internet access?

For example the Gcam has a pretty good reputation for the quality of the photos, but you obviously wouldn’t want to run it unrestricted. Or apps like Jabra Sound+ which add a few quality of life feature to the Bluetooth earbuds. Or GBoard, which sadly still seems to be a lot better than the open source alternatives.

Is removing any Network access “enough”? Are there additional steps required? Or are there just to many unsurmountable issues for this to be recommended?

2. If it is enough, what is the recommended way to download closed source apps like that on GrapheneOS?

I’ve seen in other posts that PrivacyGuides.org seems to consider Aurora Store as an imperfect solution but it is still listed as recommended. Should Closed apps be downloaded through there? Or should we rather use the Play Store Mirror that can be enabled in the Graphene app store? Can the GCam be downloaded through either of those on GrapheneOS? I know there are “hacked” builds of it on sites like XDA, are these trustworthy or rather to be avoided?

3. What about open source apps that have alternative ways to be downloaded?

• Some apps are both on F-Droid/Izzyondroid and on the Playstore, like Tutanota, ProtonMail and ProtonVPN, AntennaPod, K9 Mail, etc. Is it better to use the Aurora Store or Neo Store? Nowdays PrivacyGuides.org seems to be recommending Neo Store as a last resort on the site, so should we rather use Aurora? Or something else?

• Some apps like Bitwarden or Newpipe that have an official repo you can add to Neo Store.

• Signal has an official self updating apk. Is it recommended over the playstore version, which needs google play service?

• Brave is the currently recommended Browser for Android and is open source but seems to be only available on the playstore. Should we use the Aurora Store for it? Is the default Browser on Graphene “good enough” to compete?

Thanks for your time and all the great guides. I’ve been a long time reader of the site. Sorry for the wall of text.

1 : Revoke network permission and set up storage scopes if needed

2 : Playstore is the most secure platform.
Aurora store works well for me, to download somes geographic restricted apps on playstore. But it asks to add someone to the trust chain

3 : The best way to download open source apps for me is github. Set up RSS feed and download them there.

Hi there! Welcome to the forum, @Jegah!

You have a lot of inquiries here, so allow me to address these point-by-point:

1. What is the current stance on running “bad” apps without internet access?

Let’s get one thing out of the way. The Network permission that GrapheneOS adds works. It isn’t leaky or faulty, so it’s enough. However, having a bit of context and insight into how Android works will help you make the appropriate decisions for your needs.

If you deny the network permission to an app (let’s take Google Camera as an example), it cannot communicate with the Internet. However, apps on Android can communicate with each other via mutual consent. In very simple, and non-technical terms, here’s what this means:

If two apps mutually consent to talk to one another, they can do that. If you have Google Camera and another app in the same profile, if both of these apps agree to communicate with one another, and the other app has network access, it could theoretically have data passed on to it from Google Camera which it can then send to the Internet.

This is not really a concern in most cases, however, notice how I said that these apps need to be in the same profile. To mitigate this concern, you can separate apps that you think may communicate in their own user profiles. App communication via mutual consent is not possible across profiles.

2. If it is enough, what is the recommended way to download closed source apps like that on GrapheneOS?

GrapheneOS recommends Play Store via their Sandboxed Google Play compatibility layer. it is a great choice when it comes to security. There are privacy drawbacks (or at the very least privacy annoynances) with this approach, as you’ll need to create a Google account to use it, but you can create a disposable one with minimal information just for this purpose.

Aurora Store is okay, but it is not perfect. I would say it’s currently one of the best solutions on DivestOS (which lacks Sandboxed Google Play), but not GrapheneOS.

I will address this specifically because I feel the need to stress this: Please don’t.

You should always stick to official versions of apps and not “modded” or “hacked” versions. You simply do not know what you’re downloading and it may be much worse than just getting the official app.

On Google Camera specifically, you should avoid installing “Gcam Services provider” and instead download GSF from GrapheneOS’s “Apps” app instead.

3. What about open source apps that have alternative ways to be downloaded?

For reference (especially to people who are not the OP who stumble on this thread), here are our recommended ways to obtain apps:

Obtaining Applications on Android - Privacy Guides

We currently recommend avoiding the main F-Droid repositories, as well as the IzzyOndroid repository.

The issues with the main F-Droid repository are well documented. While IzzyOnDroid is mostly an improvement compared to the default, we cannot recommend it as apps can be removed from that repository, leaving you without updates, and sometimes the repository’s maintainer makes a lot of other peculiar choices such as only distributing 32-bit versions of apps because of storage concerns. (Joplin on IzzyOnDroid is an example of that)

You can theoretically use F-Droid repositories by developers directly (such as NewPipe), but I would recommend that if you can obtain an app a different way, you should opt for that instead of getting sucked into F-Droid’s ecosystem. Furthermore, there are issues with app stores allowing for multiple third-party repositories which are briefly touched on here:

Vanadium is a great browser, and it’s what I use on GrapheneOS. The reason why we don’t recommend it on our Mobile Browsers page is because it’s GrapheneOS exclusive.

Vanadium is mostly focused on security, and it takes advantage of OS hardening to do that. Brave is a fine choice, and it does offer fingerprinting protections that Vanadium doesn’t. It’s up to you which you’ll choose for you use case, but Vanadium takes the cake when it comes to a robust, secure and minimal browser.

I hope this answers your questions. Feel free to reach out again if not. Furthermore, I would highly suggest signing up to the GrapheneOS forum as well: https://discuss.grapheneos.org/

Thanks for the detailed response!

So anytime the apps is available in the PlayStore, using GrapheneOS’s sandboxed Google Play is recomended (or Aurora for sightly more privacy a the cost of a bit of security)? Even for Signal and Bitwarden?

Signal is an example where the apk version might be better for privacy as far as I understood (with it not using google play services). Are there security drawbacks?

What about downloading directly from github/gitlab? How does that compare to either Sandboxed Google Play or Aurora in term of privacy and security?

For the sake of simplicity, I would say yes. If you use Sandboxed Google Play already, I don’t really see the point of using another app source, unless a specific app is not present on Play Store.

There are some drawbacks to using the Play Store, such as the fact that new apps, and older apps that opt in to the feature use Play App Signing, which means that Google holds the signing keys, just like the F-Droid team does, but their overall system is still miles ahead of what F-Droid does, so it isn’t as much of an issue.

There is a lot of confusion around Signal in this manner around, so let me try to make things clear:

The official Signal app, whether you get it from Play Store, or directly from their website, is pretty much the same (except for the fact that the version from their website has an auto-updater).

As far as Google libraries goes, it’s exactly the same thing. Here’s how Signal works.

When you install it, it looks for Google Play Services. If it finds them, it defaults to using FCM for notifications. If it doesn’t find Google Play Services, it falls back to its own websockets implementation. This happens with the version from their website and the version on the Play Store (which you can also obtain via Aurora Store as well). The libraries are always there. The app just decides whether it can use them or not.

If you want a version of Signal that doesn’t have those libraries and cannot do FCM notifications and doesn’t have the Google Maps integration, there’s Molly-FOSS. The standard Molly version works exactly as Signal does, and Molly-FOSS only uses websockets and doesn’t have a location sharing option.

It’s a very good choice as long as you verify the APKs on the first download (as Android checks the signature and makes sure it matches the initial install for subsequent updates), and you make sure that you’re keeping up with updates via RSS and updating as needed.

GrapheneOS recommends Play Store via their Sandboxed Google Play compatibility layer.
it is a great choice when it comes to security.

is it? Google itself says: “Developers add malware to apps from Play Store afterwards”
https://tweakers.net/nieuws/212382/google-ontwikkelaars-voegen-achteraf-malware-toe-aan-apps-uit-play-store.html

so its probably better to download apps directly from github/gitlab instead of install and using google spyware on your phone?

Yes

Doesn’t mean that other stores or sources have less malware. I saw a video about Android’s security model, were they said that the rate of malware was much lower on the Play Store than on some other stores. Even if you installed malware, you would still need to give access to your data or it would need a sandbox escape to do something meaningful.

Google doesn’t make spyware. I see only little benefit in directly downloading from GitHub. It’s just inconvenient and you need to take care of updates.

in aurora store to? (more malware?)

Aurora Store is just a frontend to Play Store. It’s not different in terms of available apps.

but has is more/less malware than playstore?

The same, of course

so if aurora store is the same as play store, why is playstore recommended over aurora store?
i mean if aurora has the same level of malware and security etc etc and the privacy is better with aurora (because you can download apps anonymously) then why doesn’t Grapos recommend aurora as number one app-store instead of playstore?

Play Store has additional security like certificate pinning.
Regardening the privacy aspects: Every app can get a list of the installed apps. So if you have just one app with Google trackers, or one of Google’s apps installed, Google can theoretically know which apps you have installed. So the privacy benefit of not using Play Store is little if you have it already installed.

even if the apps come form aurora store?

Bruh. For the last time: Aurora Store provides the exact same apps as Play Store!