Clean Slate

You get a brand new android out of the box. What’s your prep/ ideal set up before you start using for a fresh start privacy wise?

  • Install GrapheneOS
  • Install the apps I use, namely, for privacy:
    • Aegis for 2FA
    • Aurora Store
    • Matrix
    • F-Droid
    • Fennec
    • K-9 Mail
    • KPassNotes
    • Organic Maps
    • The Proton suite
    • Signal-FOSS

GrapheneOS without sandboxed Google services:

-Aurora store for Brave, Signal
-Obtainium for all other apps (known FOSS apps only)
-PWAs whenever possible

-RethinkDNS for more granular firewall/local content filtering (only using uBlock’s default filter lists to mitigate that fingerprinting vector)

-Brave for general browsing
-Mulch for a specific use case with a set of accounts
-Vanadium for personal accounts (isolated in Rethink so that only explicitly approved domains can connect)

I don’t think I need a VPN here because I compartmentalize across my devices and the benefit would be marginal.

Why do you install Brave and Signal from Aurora, but all other FOSS apps from Obtanium? You could also install both Brave and Signal from Obtanium (by using Brave’s GitHub releases and Signal’s APK.

Any of the well known security/privacy oriented custom ROMs.
Not only gos…
All are better then stock

1 Like

That’s debatable

1 Like

I was looking into getting both as apks, but there’s a few other apps like Musicolet that I can only get from the play store and I thought I might as well get them there too.

As long as you’re verifying signatures, using apks should be as secure as Google Play I guess, but there might be other considerations I haven’t thought of. Should I be getting everything with Obtainium?

not on the privacy aspect

What should speak against Aurora?
Aurora gets directly from Google Playstore, so security is (usually) guaranteed that no malware is injected with the apk.
And if Aurora is used with an anonymous login, Google doesn’t know anything about you. You are one of the flock.
I also always had the problem of getting the right versions with Obtainium, especially with Brave.
But not only with Brave, other apps have also repeatedly caused problems with Obtainium.
The effort was too high for me compared to the benefit.
I then discarded Obtainium again.

My 2 cents.
Many others will certainly see it differently and pillory me for it.
For me, a balance between benefit and effort is important. I take the pragmatic approach

Aurora has these problems:

  • No unattended updates. Obtainium recently added the feature. There’s no plan for Aurora to support it, and it’s unlikely they ever will.

  • Service disruptions. While Aurora’s anonymous login system has worked reliably recently, back in June there was major downtime after Google had made changes.

  • Questionable future: Aurora Store relies on Google’s infrastructure and violates Google’s TOS. If Google wanted to, they could completely kill Aurora.

I say this as someone who appreciates Aurora, but wishes I didn’t need it. I prefer F-Droid, then Obtainium, and only use Aurora as a last resort.


As long as it works, and it is, theres no need to think about alternatives.
Most can live without unattented updates
Service disruptions are temporarrily
And the future has not come yet.
For me still the best, secure, and easiest way to get play apps

Aurora won’t anonymize you if you’re not using a vpn. Even if everyone is on the same account, Google can track logins from different IPs since it connects to their servers directly.

Your app list is probably unique, I’m pretty sure a list of all the packages installed goes to Google for update checks.

Blacklisting all system apps/apps from other sources would help with that I guess. I’m not sure how many people do that so you might not blend in either with that approach.

As secure as google play store? Absolutely not, play store could be changing the downloaded app to let’s say a virus.

I think that’s as good as it gets. Any other site including Github(Microsoft) could be compromised too. Who would you trust then?

I would trust their pgp key.

Yeah that’s if it’s an option. Play store apps should be signed with the developer’s apk signature which would mitigate that too. Maybe you could install from an apk initially and then update with Aurora. The signature pinning should take care of that issue.

Not only that, anonymous login doesnt work for apps that are locked to specific countries

It does, use the Anonymous (insecure) login

Does that option still exist in the latest version of the app? Seems that it has been renoved…

If you can’t find it, go to Settings>Networking and enable insecure anonymous session

1 Like