This is a step-by-step (ish) guide for how to obtain apps outside of the Google Play Store if you are using Android, or an Android variant (like GrapheneOS). These steps are going to focus on using the Accrescent app store and Obtainium, which I feel to be an ideal solution when used properly. If you are using GrapheneOS, you will find the Accresent app store in your GrapheneOS app store (which has very, very few apps). If you are not using GrapheneOS, you can download Accrescent at https://accrescent.app.
If you are a total beginner, or you’re uncertain about your ability to follow the steps properly once you read through them, I feel like using Aurora Store is a decent option. Many people use F-Droid, but the developers of GrapheneOS do not recommend it, and I personally trust them. (I know this is a whole can of worms. If you want to use F-Droid, I’m sure it’s fine.) Keep in mind that many proprietary apps will only be available via the Google Play Store. You will have to use Aurora for those or find alternative apps if you want to avoid the Play Store.
These are the steps I use to download, verify, and update my apps on GrapheneOS. Once installed, Obtainium will update your apps automatically for you. Follow the steps in order, as options that come first on the list are preferred:
-
If the app is available in the GrapheneOS app store or Accrescent, download it there. If not (which is likely the case) go to step 2. Before going to step 2 make sure you’ve installed “App Verifier” from Accrescent and also properly installed and verified Obtainium (https://obtainium.imranr.dev).
-
Search https://apps.obtainium.imranr.dev/ to see if a config file is posted for the app you’re trying to install. If it’s there, double check the address and website before using it, but I’ve never found anything malicious, or even inaccurate. Clicking the link in the config database will open a .json config file in Obtainium and allow you to easily download the app. If it’s not on that site, try step 3.
-
Search something like “official (app name) apk download” or “github (app name) apk” to see if the official .apk file is posted anywhere by the developers. For most FOSS apps, this will take you to either their official website that will have a download link or to their GitHub repository assets page. Often the developer website just links to GitHub. Again, double check these pages are official. Check things like number of stars on the repo and read through the readme. Once you’re sure it’s the correct app, copy the complete website into Obtainium. If you cannot find the .apk this way, move on to step 4.
-
Next step is to check the F-Droid website. If you find the .apk you need in F-Droid you can search it directly in the obtainium app search with the “F-Droid official” box checked as the source filter. You can click the link that comes up in Obtainium search to verify the download site again before you click download. (You do not need to install any F-Droid client, you can add F-Droid apps directly from Obtainium, and I recommend this approach.)
-
It is highly likely you will find most FOSS apps using steps 1-4. There has only ever been one app that took me past step 4, and that .apk lived on Codeberg. There are various source filters in the Obtainium search. If you know where the .apk lives, you can just directly search for it through the Obtainium search by checking the correct source filter boxes.
-
Verify your app download:
Once you’ve found your .apk, added it to Obtainium, and started the install process, it is important to verify the authenticity of the app. Obtainium automates this with the help of the “App Verifier” app. (Make sure you have App Verifier installed before installing apps with Obtainium. If not, go back and install App Verifier, then install the app you’re trying to install again. Obtainium will prompt you to share the app to “app verifier” to verify its authenticity. This is the default Obtainium behavior. Lots of apps are in the database, but some are not. In those cases, search for the hash online (the github readme, the developer website, social media accounts of the project or devs). Sometimes it’s not possible to find the hash and you have to determine whether it’s worth trusting the authenticity of that app, but most FOSS .apks can be verified using App Verifier. Once you have verified an apk, future apk updates will only be installed if they have the same signature.
This is roughly the process recommended by the GrapheneOS team. If I’m missing anything, feel free to update or comment. This is the process I use at the time of writing, but best practices can absolutely change over time.
Obtainium is not for complete “beginners” but it is also not super technical and should be possible for many people to learn as long as they are detail oriented and have some moderate tech literacy for things like verifying the download source is authentic. (If you know you don’t know how to tell if a website is legitimate, then of course do not use this method and use a more centralized app source like Aurora or even F-Droid.)
Last edited by @dadnerd 2026-03-11T00:38:21Z