What's the go-to method for installing apps? Aurora? F-Droid? Wouldn't mind getting thoughts on this or even his preferred way of installing apps.
If the developer provides a self-updating mechanism for their app, it makes a lot of sense to get it directly from them.
F-Droid has serious issues with the security of their infrastructure and the app. Updates are often very delayed and they make undocumented changes to apps.
Lots of people recommend F-Droid but it has some serious flaws and they're completely not open to acknowledging or addressing them. We expect many users are going to end up getting compromised when the poorly maintained/secured F-Droid infrastructure ends up compromised...
Aurora Store is an alternate frontend to the Play Store. It's possible to use the Play Store itself too. Either way, the Play Store requires an account.
Aurora Store automatically obtains a shared throwaway account by default for convenience and as a form of privacy feature.
The shared throwaway accounts used by Aurora may be problematic, since someone could log into the account and change settings. Aurora also doesn't provide the same security checks as the official Play Store client. It's up to you which one you want to use.
Other than the apks being hosted on their site which is questionable, is there an issue with sites like apkpure?
They're third party services with highly questionable security practices. It's better to obtain apps directly from the Play Store using either Aurora Store or the Play Store itself (which works via sandboxed Google Play) rather than involving a third party site in it.
Android pins the signing key of installed apps and enforces that any updates are signed with the same signing key or a new key with a key rotation proof signed by the pinned key. It also enforces that the version code is equal to or greater than the installed one. This means updates are always well secured.
This allows the OS to safely share installed apks across profiles.
F-Droid incorrectly reuses developer app ids for their own builds, which is why you'll get an error if you install an official release of an app in 1 profile and then try to install an F-Droid build in another.
App ids are based on a reverse domain owned by the developer such as our camera app being app.grapheneos.camera because we own grapheneos.app. Each incompatible variant of an app is supposed to have a separate id, including unofficial builds signed with different keys.
Unfortunately, one of the major issues with F-Droid is that their official repository reuses the official app ids despite the vast majority of the apps in the repository being their own builds signed with their own keys. Users often run into signature errors trying to mix them.
The correct approach would be for them to add an F-Droid reverse domain prefix to the id for apps they're signing with their own keys. This is one of many issues with F-Droid which they aren't interested in resolving. Another example is their poorly secured, out-of-date servers...
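The update rules described in the replies above (pinned signer, key rotation proof signed by the pinned key, no version code downgrade, and the resulting signature error when a third-party rebuild reuses an official app id) as an added, runnable model. This is example code written for this page, not AOSP, GrapheneOS or F-Droid code: it uses Ed25519 keys with fixed seeds, a single signature over the new key standing in for the APK Signature Scheme v3 rotation lineage, and a constructed byte string in place of APK contents. The package id, version codes and scenario names are assumptions chosen for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Simplified model of the OS update policy (added example, not AOSP code).
// The OS pins the signer of an installed package and accepts an update only if
// it is signed by that key, or by a new key the pinned key has vouched for, and
// only if the versionCode does not go backwards.

type RotationProof struct {
	NewKey    ed25519.PublicKey
	Signature []byte // over NewKey, made with the previously pinned key
}

type Installed struct {
	PackageID   string
	VersionCode int64
	PinnedKey   ed25519.PublicKey
}

type Update struct {
	PackageID   string
	VersionCode int64
	Payload     []byte // stands in for the APK bytes
	Signer      ed25519.PublicKey
	Signature   []byte
	Rotation    *RotationProof // nil when signed by the already-pinned key
}

var (
	ErrPackageMismatch = errors.New("package id mismatch")
	ErrDowngrade       = errors.New("versionCode lower than installed")
	ErrBadSignature    = errors.New("APK signature does not verify")
	ErrSignerMismatch  = errors.New("signer is not the pinned key and no valid rotation proof")
)

// updateDigest binds package id and versionCode into what gets signed, so a
// signature cannot be replayed onto a different version of the same payload.
func updateDigest(pkg string, ver int64, payload []byte) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s\x00%d\x00", pkg, ver)
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate builds an Update signed with priv; rotation may be nil.
func SignUpdate(pkg string, ver int64, payload []byte, priv ed25519.PrivateKey, rotation *RotationProof) Update {
	return Update{
		PackageID: pkg, VersionCode: ver, Payload: payload,
		Signer:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, updateDigest(pkg, ver, payload)),
		Rotation:  rotation,
	}
}

// RotateTo lets the holder of the currently pinned key vouch for a new key.
func RotateTo(oldPriv ed25519.PrivateKey, newPub ed25519.PublicKey) *RotationProof {
	return &RotationProof{NewKey: newPub, Signature: ed25519.Sign(oldPriv, newPub)}
}

// AcceptUpdate applies the rules in order and returns the first failure, or
// nil plus the key to pin from now on when the update is allowed.
func AcceptUpdate(inst Installed, up Update) (ed25519.PublicKey, error) {
	if up.PackageID != inst.PackageID {
		return nil, ErrPackageMismatch
	}
	if up.VersionCode < inst.VersionCode {
		return nil, ErrDowngrade
	}
	if !ed25519.Verify(up.Signer, updateDigest(up.PackageID, up.VersionCode, up.Payload), up.Signature) {
		return nil, ErrBadSignature
	}
	if bytes.Equal(up.Signer, inst.PinnedKey) {
		return inst.PinnedKey, nil
	}
	// Different signer: only acceptable when the pinned key vouched for it.
	if up.Rotation != nil && bytes.Equal(up.Rotation.NewKey, up.Signer) &&
		ed25519.Verify(inst.PinnedKey, up.Rotation.NewKey, up.Rotation.Signature) {
		return up.Signer, nil
	}
	return nil, ErrSignerMismatch
}

// Scenarios reproduces the cases from the thread with constructed keys
// (fixed seeds for reproducibility only; never derive real signing keys this way).
func Scenarios() map[string]error {
	seed := func(b byte) ed25519.PrivateKey { return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize)) }
	dev, devNew, thirdParty := seed(1), seed(2), seed(3)
	pkg := "app.grapheneos.camera" // assumed package id, used only as a label
	inst := Installed{PackageID: pkg, VersionCode: 60, PinnedKey: dev.Public().(ed25519.PublicKey)}
	apk := []byte("constructed stand-in for APK bytes")

	res := map[string]error{}
	_, res["official-update"] = AcceptUpdate(inst, SignUpdate(pkg, 61, apk, dev, nil))
	_, res["downgrade"] = AcceptUpdate(inst, SignUpdate(pkg, 59, apk, dev, nil))
	tampered := SignUpdate(pkg, 61, apk, dev, nil)
	tampered.Payload = append([]byte(nil), "modified after signing"...)
	_, res["tampered-payload"] = AcceptUpdate(inst, tampered)
	// Same app id rebuilt and signed by someone else: this is the signature
	// error users hit when mixing an official build with a third-party rebuild.
	_, res["third-party-rebuild"] = AcceptUpdate(inst, SignUpdate(pkg, 61, apk, thirdParty, nil))
	// Legitimate rotation: the pinned key vouches for the developer's new key.
	newPub := devNew.Public().(ed25519.PublicKey)
	_, res["rotated-key"] = AcceptUpdate(inst, SignUpdate(pkg, 61, apk, devNew, RotateTo(dev, newPub)))
	// Forged rotation: the proof is signed by the attacker's own key, not the pinned one.
	_, res["forged-rotation"] = AcceptUpdate(inst, SignUpdate(pkg, 61, apk, thirdParty, RotateTo(thirdParty, thirdParty.Public().(ed25519.PublicKey))))
	return res
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-20s %v\n", name, err)
	}
}
```

Only the "official-update" and "rotated-key" cases return nil; everything else is refused before any package data is written, which is the property that lets the OS share one installed APK across profiles without one profile being able to swap in a differently signed build for another.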