I got to watch a disagreement between users in a discord server the other day.
The argument was basically that all apps on GOS should be installed from the following sources: GOS > Accrescent > Play Store. Basically, if it’s not found on one, you should progress to the other. Installing through Github was also an acceptable solution to them, though I personally have had problems with apps becoming severely outdated because I didn’t bother to do a cycle of going through a bunch of apps’ Github pages and seeing if there are updates.
Other people were arguing for GOS > Accrescent > F-Droid > Obtanium > Aurora > Play Store. This is the path that I had always thought was a better call, especially because some apps are ONLY on F-Droid, such as the non-FOSS variant of Molly, which utilizes sandboxed play services to deliver notifications (as opposed to utterly murdering your battery by running in the background unoptimized all day like the FOSS variant does).
I’d say the apps on F-Droid are generally safe in my experience. I haven’t heard of anyone getting any viruses from F-Droid either. I’d say most open source app stores are fine, unless it’s something like Aptoide or whatever.
My main issue with F-droid is updates take like an extra week to be published due to the f-droid team manually checking them (or so i heard), that’s way too long… I’d rather use Obtanium and Aurora Store. Tho keep in mind, versions from the Google Play Store are sometimes handicapped compared to the github/fdroid version in order to pass google checks. My main use for f-droid is discovering new apps, it’s great for that.
Which realistically makes it kinda useless? Steam is the same way, when u first upload ur game steam checks it but any patches after are not checked. That’s why steam has had 5 malware this year alone, at least the ones we know of. And just like npm being a supply chain hacker gold mine, dev accounts get hijacked all the time, don’t even need 2fa anymore cuz hackers can just clone ur entire browser session just from u clicking 1 link and boom, everything hacked. So unless a 3rd independent party manually verifies every single update/patch, there is no point to what fdroid does imo. Altho i guess they still check the certs and shit like that?
But yeah i just use obtanium since i get the github repo update asap, and aurora store for the rest. GrapheneOS app store is only available on GrapheneOS and Accrescent only has like 20 apps give or take. So what i do is find an app i like in fdroid then add its repo to obtanium. Seems the most sensible to me. I guess waiting a few days after an update has been published is technically safer since if the dev’s account got hijacked, a few days is usually enough for him to get it back and remove the malicious update. But then u fall behind on updates and i like having the latest and greatest stuff, so idk what’s best.
There’s a whopping 6 apps on it, 5 if u don’t count the Accrescent app store (which itself has 32 apps).
Out of those 5 apps, i tried their secure pdf viewer, and i’m sure it’s the most secure “try ur best fbi” pdf viewer on the planet, but then i went back to Orion viewer (a foss pdf viewer) and the night and day difference is big in terms of usability and features. So yeah, not too satisfied so far. Will try the camera next and see what features it lacks compared to the stock samsung camera (but im not gonna post it cuz i dont wanna spam). But yeah, an app store with 5 apps (37 if u count Accrescent’s) isn’t really an app store imo, it’s more like an app closet
That was the reason for my initial question. The people on the GOS discord and forum that say that f-droid, aurora, and obtanium were unsafe were saying that you should use the GOS and accrescent stores first, but realistically, what that means is you’re using Google Play for everything anyways, and you’re unable to get certain f-droid exclusive apps.
I think Github is the worst solution of all of them because Github apks are often not signed and the security entirely depends on the security of the url, which means that centralized services like Github or Certificate Authorities could prevent updates or change them at any time.
I generally use F-Droid for two kinds of app installations: those made available through third-party F-Droid repositories and reproducibly built apps (making migration away from F-Droid simple if needed). Beyond that, F-Droid is also a great starting place for app discovery because of its long history and mindshare among open source Android app developers. I don’t think that means apps in F-Droid are safe, but I don’t believe that would be the case for any app store without curation anyway. In fact, I am curious whether there have been any community-driven curation projects to overlay all the app stores.
Personally I find Obtanium/Github quite difficult to use. I update apps via Tor and often have connections time out or get refused by Github. Although there is nothing I can really do about it, I am not so pleased with the large majority of open source projects being developed and hosted on Github in the first place.
Accrescent is in alpha, so while I can potentially understand some of the benefits behind its design it will currently always come with caveats. For example, right now Accrescent is re-writing some of the logic for the app to resolve critical discovered bugs. As a result new versions of apps uploaded to Accrescent do not show in the app.
So far I have avoided apps that are only available on F-Droid or Google Play (like Antenna Pod). I completely understand the decision the developers have made, but I think it’s also fair for me to use my time on apps that put more effort into being available outside those two.
That disagreement you witnessed encapsulates the growing schism between the Privacy and Security communities. Unfortunately as corpos and govts increase their passive surveillance, targeted attacks are also on the rise from malicious hackers or govts targeting persons of interest. While privacy and security were long synonymous with each other, we’re getting to a point where you need to choose which is more important to you. I elaborated my thoughts and my stance on this here: When Privacy and Security Conflict. Since I care more about thwarting surveillance capitalism, I happily use fdroid even though the possibility of compromise increases ever so slightly. What can I say, I like to live dangerously. Meanwhile, play services exists only on a separate profile with a handful of google-dependent apps I thought I couldn’t live without, but it turns out I hardly ever even need to open that profile. What this accomplishes: instead of Play Services uploading info about my usage about 5 times a second, that firehose of privacy violating data stays completely shut off 95% of the time.
While GOS does sandbox play services and play store, unfortunately a lot of people misunderstand this to mean it prevents the constant stream of data being siphoned off your device, when that is not the case. It just means it has regular permissions and somewhat limited visibility of the rest of your system, and if you allow it network access, it will continue to do what it was designed to do, which includes uploading usage info. Sure, it has less info to pull in, but when I have the option of not running it at all, and using open source apps that respect privacy and aren’t a part of the surveillance capitalism ecosystem, I’d rather just do that!
What about IzzyOnDroid repo via FDroid Basic or another FDroid install app? I used to have nearly all apps sourced via Obtanium that weren’t in Accrescent or FF Updater. I recently re-balanced my app sources focusing on 1) devs signing the apks, but 2) trending away from Obtanium as I’m tired of the intermittent errors, and 3) minimizing FDroid in general due to what I read about the quality of the build servers (old Debian, unconfirmed?), but still not fully opposed to the FDroid repo as I like their mission in general.
My breakdown:
Sources for my apps with apks signed by the dev:
Accrescent = 4
IzzyOnDroid = 17
FDroid = 5 (not in Izzy)
FF Updater = 3
Obtanium = 14
Apks from Fdroid with Fdroid signing = 1 (quick testing of an app)
There are another 8 of the Obtanium apps that I will likely move to Izzy itself and still have devs signing.
I kind of like Izzy as a sub for Obtanium. Izzy doesn’t have the errors of Obtanium, IMO. Quick updates. Smoother. Fewer errors (none so far actually). I’ve seen Izzy in Github threads interacting with devs.
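The posts above keep coming back to who signs the apk (dev vs. F-Droid) and whether the "certs" get checked. The concrete check behind that is signer pinning: record the developer's published certificate fingerprint once, then refuse any apk whose signer differs. Below is an added example of that check in Python, written for this thread rather than taken from any of the stores or tools named in it. It reads the certificate out of the apk's v1 (JAR) signature block (META-INF/*.RSA etc.), prints the SHA-256 fingerprint in the colon form keytool uses, and compares it to a pinned set; it does not validate the signature itself (use `apksigner verify --print-certs` for that), and an apk signed only with v2/v3 and no v1 block will fail closed. The sample apk, the stand-in "certificate" and the pinned value are all constructed inline so it runs offline.

```python
"""Pin-check an APK's signer certificate (added example, not from the thread).

Extracts every certificate carried in the APK's v1 signature files, computes
SHA-256 fingerprints, and compares them with fingerprints you pinned from the
developer's published value. It does not verify the signature; run
`apksigner verify --print-certs` for that.
"""
import hashlib
import io
import zipfile


def _read_tlv(buf, pos):
    """Decode one DER tag/length header at buf[pos]; return (tag, value_start, value_len)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, length


def _children(buf, start, end):
    """Yield (tag, element_start, value_start, value_len) for each TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vstart, vlen = _read_tlv(buf, pos)
        yield tag, pos, vstart, vlen
        pos = vstart + vlen


def extract_certificates(pkcs7):
    """Return the DER bytes of every certificate inside a PKCS#7 SignedData blob."""
    # ContentInfo ::= SEQUENCE { contentType OID, [0] EXPLICIT SignedData }
    tag, vstart, vlen = _read_tlv(pkcs7, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    explicit = next(i for i in _children(pkcs7, vstart, vstart + vlen) if i[0] == 0xA0)
    _, sd_vstart, sd_vlen = _read_tlv(pkcs7, explicit[2])  # the SignedData SEQUENCE
    certs = []
    for tag, _, cstart, clen in _children(pkcs7, sd_vstart, sd_vstart + sd_vlen):
        if tag == 0xA0:  # [0] IMPLICIT certificates: a bag of Certificate SEQUENCEs
            for ctag, estart, cvstart, cvlen in _children(pkcs7, cstart, cstart + clen):
                if ctag == 0x30:
                    certs.append(pkcs7[estart:cvstart + cvlen])
    return certs


def fingerprint_of_der(cert_der):
    """SHA-256 fingerprint in the colon-separated upper-case form keytool prints."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def apk_signer_fingerprints(apk_bytes):
    """Fingerprints of every signer certificate found in the APK's v1 signature files."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC")):
                for cert in extract_certificates(zf.read(name)):
                    found.add(fingerprint_of_der(cert))
    return found


def verify_apk_signer(apk_bytes, pinned_fingerprints):
    """True only if the APK carries at least one signer and every signer is pinned.

    An APK with no v1 signature block yields no signers and therefore fails closed.
    """
    signers = apk_signer_fingerprints(apk_bytes)
    return bool(signers) and signers <= set(pinned_fingerprints)


def _tlv(tag, body):
    """Minimal DER encoder used only to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


# Constructed sample: a stand-in "certificate" (just SEQUENCE { INTEGER 1 }) wrapped in the
# PKCS#7 SignedData shape found in META-INF/CERT.RSA. A real APK carries a full X.509 cert.
SAMPLE_CERT_DER = _tlv(0x30, _tlv(0x02, b"\x01"))
SAMPLE_PKCS7 = _tlv(0x30,
    _tlv(0x06, bytes.fromhex("2A864886F70D010702"))                 # OID 1.2.840.113549.1.7.2 signedData
    + _tlv(0xA0, _tlv(0x30,
        _tlv(0x02, b"\x01")                                        # version
        + _tlv(0x31, b"")                                          # digestAlgorithms (empty in the sample)
        + _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D010701")))  # encapContentInfo: data
        + _tlv(0xA0, SAMPLE_CERT_DER)                              # [0] certificates
        + _tlv(0x31, b""))))                                       # signerInfos (empty in the sample)


def build_sample_apk():
    """Constructed minimal 'APK' (a zip) carrying the sample signature block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")
        zf.writestr("META-INF/CERT.RSA", SAMPLE_PKCS7)
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    pinned = {fingerprint_of_der(SAMPLE_CERT_DER)}  # the value you would copy from the dev's site
    print("signers:", apk_signer_fingerprints(apk))
    print("matches pin:", verify_apk_signer(apk, pinned))
    print("matches wrong pin:", verify_apk_signer(apk, {"00:" * 31 + "00"}))
```

To use it on a real download, replace `build_sample_apk()` with the bytes of the apk and the pinned set with the fingerprint the developer publishes (or the one you recorded at first install); a mismatch means the signer changed, which is exactly the condition a dev-signed source should never silently pass on as an update.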
F-Droid is running Debian “bookworm” 12, which is one major version behind but still has full support until June 2026 and LTS support until June 2028 and had its most recent minor release last month.