So the dev was talking about this in Accrescent’s Matrix server. He acknowledged there being privacy concerns, and said that while there will always be some information that could be gathered even implicitly when downloading split APKs, he’s looking into ways to make fingerprinting more difficult. He gave the example of having the client check for app updates irregularly for different apps, so it would be less apparent that it’s the same client requesting the update and this would be harder to profile based on installed apps. He also said that practically speaking, the device identifiers were typically the same across the same device+OS combo, so even if there are a lot of identifiers they don’t necessarily make a unique fingerprint all by themselves.
Keep in mind I’m paraphrasing greatly and that’s just what I understood of it all haha.
I was never a big fan of the project because people over on GOS would promote it so hard when they had less than a dozen apps. Now after four years or so they have a measly couple dozen apps. Also the apps are not exclusively available on Accrescent. Why would I deal with another platform to install my apps when I can get them all from GitHub? All they’re doing is further fragmenting the app installation sphere.
Plus, the premise was just faulty from the start - not every developer is going to care about security, so making their app available on yet another platform was just more work they don’t want to deal with.
The folks behind the project are overly obsessed with security. GitHub, F-Droid, GitLab are perfectly fine and their concerns with these platforms are just exaggerated.
The aim of this project is to be a real alternative to the Play Store, secure, reliable, with no need for an account and no arbitrary decision-making, with applications that are open source as well as not, including Signal and Whatsapp, not a non-secure store like F-Droid, which only has open source software, or Github/Gitlab, which is what we need.
Experienced users and enthusiasts like us are fine using GitHub/GitLab but most users are far more familiar with app store interfaces. Accrescent only has a handful of apps in its infancy but long term with more apps becoming available it’d allow more people an alternative to wean themselves off dependency on the Play Store if they wish. Just because F-Droid is available to fill a need doesn’t mean Accrescent can’t coexist alongside it as another option for users.
They still haven’t addressed the privacy concerns of the server side processing.
The only reason they’re doing that is so they can handle analytics/tracking, accounts, payments, age/ID/region restrictions, and alpha/beta testing à la Apple TestFlight.
And if they claim they have no intention of doing that then they would’ve chosen a static system like F-Droid, which would be dramatically cheaper to run since it’d only require a static web server as opposed to a high availability API with database powered by many servers.
That is complete nonsense.
Split APKs can 100% be handled client side.
Proof: The GrapheneOS App Store works using static metadata and fully supports split APKs.
Sorry about that, I misread what the dev said. I was probably thinking of delta updates, which are one of the many reasons for it listed in the Aug 11 blog post.
Delta updates can also be handled using static metadata.
Examples of this are the GrapheneOS OS updater as well as the Fedora Delta RPM system.
I don’t want any more uninformed responses to my posts.
I already accurately quantified all the actual use cases of a dynamic update metadata server in my post above.
Yeah, hoping they can change things to use static metadata instead. It would be leagues better than the current planned implementation when it comes to privacy.
I completely agree and this is what I was saying earlier when I asked another user that said they used a couple of apps from the app store. I asked which apps just out of curiosity and they listed off a few and said that they are available in other app stores also. I really see no value in using this app store whatsoever. The fact that I now have to add another app just to add apps from which I still need to trust that the devs of said apps are trustworthy. Well I can go to GitHub to get the app and it’s the same thing. Trusting the developer. Throw in the fact that there was a giant ask for a significant amount of funding. Which went from next to nothing to a good chunk of money. Which will eventually put this app store back in the exact same position once these funds dry up and they will be rallying donations again probably with even more increased costs. I feel bad for making judgement on a project that I really don’t know all that much about but from what I’ve heard and seen, it’s a polite pass from me.
Accrescent’s aim is to be an alternative to the Play Store, not an alternative to Obtainium which isn’t the most practical and F-Droid which only has open source applications and which has security problems.
In the medium to long term, the aim of this project is to host both open source and non-open source applications, including Signal and Whatsapp, in addition to security, privacy, transparency and, above all, without the censorship and arbitrary decisions that are common to the Play Store.
I kind of wish this project had a progress bar for their donations to give people more of an idea if the project has become more sustainable.
Every time I see an update I am assuming at some point one will be “hey uhhh that one massive $16k donation that saved our butt last time is gone, we once again need $12k in 3 months”