What's the go-to method for installing apps? Aurora? F-Droid? Wouldn't mind getting thoughts on this or even his preferred way of installing apps.
If the developer provides a self-updating mechanism for their app, it makes a lot of sense to get it directly from them.
F-Droid has serious issues with the security of their infrastructure and the app. Updates are often very delayed and they make undocumented changes to apps.
Lots of people recommend F-Droid but it has some serious flaws and they're completely not open to acknowledging or addressing them. We expect many users are going to end up getting compromised when the poorly maintained/secured F-Droid infrastructure ends up compromised...
Aurora Store is an alternate frontend to the Play Store. It's possible to use the Play Store itself too. Either way, the Play Store requires an account.
Aurora Store automatically obtains a shared throwaway account by default for convenience and as a form of privacy feature.
The shared throwaway accounts used by Aurora may be problematic, since someone could log into the account and change settings. Aurora also doesn't provide the same security checks as the official Play Store client. It's up to you which one you want to use.
Other than the apks being hosted on their site which is questionable, is there an issue with sites like apkpure?
They're third party services with highly questionable security practices. It's better to obtain apps directly from the Play Store using either Aurora Store or the Play Store itself (which works via sandboxed Google Play) rather than involving a third party site in it.
Android pins the signing key of installed apps and enforces that any updates are signed with the same signing key or a new key with a key rotation proof signed by the pinned key. It also enforces that the version code is equal or greater. This means updates are always well secured.
This allows the OS to safely share installed apks across profiles.
F-Droid incorrectly reuses developer app ids for their own builds, which is why you'll get an error if you install an official release of an app in 1 profile and then try to install an F-Droid build in another.
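
The update rules described in the posts above (pinned signing key, key rotation proof, equal-or-greater version code), and the error that results when a differently signed build reuses an app id, modelled as an added Python example that is not from any poster or from Android's source. The app id, key names and the `check_update` helper are constructed, and cryptographic verification of the APK signature and of each rotation link is assumed to have already succeeded.

```python
from dataclasses import dataclass, field

@dataclass
class Apk:
    app_id: str
    version_code: int
    signer: str  # stand-in for the signing certificate digest (constructed)
    # Rotation proof, oldest key first; each key is assumed to have
    # signed the next one (signature checks are outside this model).
    lineage: list = field(default_factory=list)

def check_update(installed, candidate):
    """Policy decision only: may `candidate` replace `installed`?"""
    if installed is None:
        return True, "fresh install, signing key pinned"
    if candidate.app_id != installed.app_id:
        return False, "different app id, not an update"
    if candidate.signer != installed.signer:
        chain = candidate.lineage
        # A new key is accepted only when the proof ends at that key
        # and the pinned key appears earlier in the same chain.
        if (not chain or chain[-1] != candidate.signer
                or installed.signer not in chain[:-1]):
            return False, "signing key mismatch"
    if candidate.version_code < installed.version_code:
        return False, "version downgrade"
    return True, "update accepted"

# Constructed sample: an official release already installed on the device.
APP = "org.example.app"
INSTALLED = Apk(APP, 10, "dev-key-A")
SCENARIOS = {
    "official update": Apk(APP, 11, "dev-key-A"),
    "same version reinstall": Apk(APP, 10, "dev-key-A"),
    "downgrade": Apk(APP, 9, "dev-key-A"),
    "repo build reusing app id": Apk(APP, 12, "repo-key-X"),
    "rotated key with proof": Apk(APP, 11, "dev-key-B",
                                  ["dev-key-A", "dev-key-B"]),
    "rotated key, unrelated proof": Apk(APP, 11, "dev-key-C",
                                        ["dev-key-Z", "dev-key-C"]),
}

def run():
    return {n: check_update(INSTALLED, a) for n, a in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (ok, reason) in run().items():
        print(f"{name:30} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```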