If not able to stop using WhatsApp, how important is it to download it from the Play Store vs WhatsApp's website itself?

Hi everyone, hope you’re having a good day. I was browsing the GrapheneOS forums a while ago and recently discovered that WhatsApp actually provides their app as an APK in kind of a similar manner Signal or Telegram provide theirs as well.

Normally, I wouldn’t even consider to discuss anything related to WhatsApp installation in a place like this due to it being not an ideal messenger, however, curiosity got the best of me and I’d like to ask: for people that can’t really not stop using WhatsApp, does installing the app via the APK of their website provide any virtual benefit over the Play Store?

I can see the automatic vs manual updates being a con first and foremost for the APK, but not anything else asides from that…

Thanks a lot in advance!

It depends on your threat model.

Using their website for installing means you don’t have to use the play store.

My preferred method would be to download the apk through Obtainium and verify the hash.

If you’re using Play Store already for other apps, that’s probably “more secure” and preferred.

I’m a strong believer in centralized package management and automatic updates.

So my recommendation would be:

  • If you have a Google Play account on your phone, use the PlayStore.
  • If not use Aurora Store without a Google Account.

My reasons are simple. Even if not perfect, Google or the F-Droid-Team can do a much better job vetting and monitoring the apps and their developers, than I can. - There are too many apps and updates for to spend my personal time on keeping up with each and every project.

I’d never install an app from a homepage, because I had to manually update the app or allow it to install updates (and therefor apps) on its own.

This is why Obtainium exists. You can get your apps directly from the developer, verify them, and let Obtainium update them automatically.

(Just like with an app store, don’t install random, shady apps.)

Slightly OT but security related

Besides the source of the apk I would suggest to enable the Strict account setting to greatly reduce attack surface. It’s like a lockdown mode for the messenger.

https://blog.whatsapp.com/whatsapps-latest-privacy-protection-strict-account-settings?lang=en

I know. If you know the developers and know you can trust them, it is a great option.

I don’t. I mostly know an app and it’s developer is reasonably trustworthy because the app is listed by F-Droid.

Even when I want to install a well known “mainstream” app, with Optanium, I still have to find the real original source first. There are fakes and clones for every popular app on Github and the Internet in general.

That means Optainium is great for advanced users, who exactly know what they want and where to get it, and who spend the time and effort to get to know and follow every open source app/project they use. - I’m not that person and I never met that person in real life.

Just use verified-apps-android to verify them.

If security is your concern, you should avoid the Trust on First Use model for app sourcing. While the ability to sideload APKs is a great advantage of AOSP, this doesn’t mean you should prefer website APKs over a good centralized app store. Obtainium et al. are excellent for reducing platform dependency (which might or might not be a priority of yours) and providing automatic updates where there are none, but outside of those specific use cases, that is where their benefits stop.

Whatsapp will promt you to install new versions when available.

I have the website-install through Obtainium, also am in the situation of “associates not wanting to migrate to more-private alternatives”.

Some things before beginning, I am not sure whether or not most these are differences between the two ways of obtaining apps. I am but the humble user of this setup who’s gathered some information along the way.

Info is going to be GrapheneOS oriented.

Certain differences between the two:

Unfortunately, someone would have to test for these more finer-grained differences between the two. I am not willing to shut out these to-be listed things working or not working (advantages / disadvantages) with the information I have on the Google Play or Aurora Store versions of the app.

To start, I’m going to share some of the advantages from the point of view of the setup I have and see as positives (and negatives) from both-ish sides of the coin:

Positive

  • Automatic updates work through Obtainium.

  • I can, today, use the website APK without having Google Play Services installed, and have notifications working.

  • If I only have Whatsapp relying on Google Play Services, this way I can for certain wholly drop Play Services.

  • I won’t have to rely on other methods of updating Whatsapp than Obtainium.

  • I am be able to get the app straight from the developer.

  • One less app from Googles offering. (Aurora Store, Play Store)

  • I need only add one app, Whatsapp, to the list “privacy invasive apps” to worry about.

  • App stores are easier to work with.

  • With app stores, Whatsapp just works straight out of the box. (if using Play Services)

Might want to research the negatives and positives of a Whatsapp install from an app store a bit more.

Negative

  • Aurora Store accounts might have beta enabled software, and that might break things.

  • Having had to scour for bits of information and figure stuff out for myself, it was somewhat of a hassle to find and build a working tutorial at how to exactly get everything working.

  • Local WhatsApp backups without Google were kinda annoying.

  • The slight uncertainty I have of this setup working in the long term.

People have said in the past, that there’s no private way of using Whatsapp. I think cutting Google Play Services out of the equation has to make the package needed to use Whatsapp more private. As such, I think there are ways of using Whatsapp more privately.

To make clear of not being all-in-for Meta-owned software, it is after all good to keep in mind that WhatsApp collects a lot of metadata of the user and it is not intented, or designed to be Signal. The saviours it has are E2EE, massive adoption, convenience.

Always would be best is if magic happens and you manage to get everyone in your life on board the Signal train (。•̀ᴗ-)✧

Some resources you might find helpful:

Verification info between the two:

Play Store version, Website APK version

Obtainium setup,
https://discuss.grapheneos.org/d/35940-whatsapp-not-working-anymore/64
https://discuss.grapheneos.org/d/35940-whatsapp-not-working-anymore/66

GrapheneOS specific Whatsapp setup without G P S (people have written more step-by-steps on the forum but this is what I used)

https://discuss.grapheneos.org/d/32377-whatsapp-messages-do-not-arrive-until-i-open-app/10

With the guide they didn’t mention of crashes, so if you don’t want to experience those, hardened memory allocator has to be off.

https://discuss.grapheneos.org/d/35940-whatsapp-not-working-anymore/68

You’ll find more information on the topic if you search “whatsapp” on GrapheneOS forum!

There is a good-faith argument to make against:

  1. As per FDroid itself, do not assume that an app is secure because it came from these third-party repos. Apps are given basic security checks on first upload, and a weaker automated scan for subsequent updates
  2. Attack surface is effectively increased. You arent shifting trust from the developer to the FDroid/Play teams, as developer trust is required regardless. You are adding infrastructure to your stack

Play is far more opaque than FDroid on their process, but given the insane amount of malware distributed through Play Store, its contents are certainly subjected to far weaker checks

So the argument would boil down to: you need to be verifying a trusted developer regardless of installation source, in which case, you can reduce complexity & attack surface by installing the app directly from said trusted developer

Probably more of a ‘subject to your threat model’ situation than an objective right/wrong call

For a normal phone I’d choose the source that will keep it updated with the least manual attention. If Play Store is already on the device, that is usually the boring/safe option. If the whole point is avoiding Google Play Services, then the website APK through Obtainium can be reasonable, but only if you are comfortable checking the source once and not mixing install sources later. The privacy difference is probably smaller than keeping WhatsApp updated, limiting permissions, and avoiding cloud chat backups if you don’t need them.