###### **Your Cheat Sheet to Installing Android Apps the Privacy Respecting Way: From Direct Sources to Google Play Store**

**1. Direct from Developer**
- Get APKs directly from GitHub, GitLab, or Codeberg etc. using Obtainium
- If the app is on Accrescent, use Accrescent

**2. F-Droid**
Use only in these cases:
- When it's the developer's chosen release channel
- When no other distribution option exists

Most devs will put F-Droid instructions or a download button on their Git page or website. Use the developer's official F-Droid release repository or recommended repository whenever available (e.g. many devs use the IzzyOnDroid F-Droid repo for their releases instead of creating their own).

**When using F-Droid:**
- Use the official "**F-Droid Basic**" client
- Benefits: Automatic background updates without privileged extension or root
- Enhanced security through reduced feature set and attack surface
- Do not use alternative clients like Neo Store

**3. Google Play Store**
Use only if the app is unavailable through any other official channel.

Some prefer to use Aurora Store (a Google Play Store client which does not require a Google account, Google Play Services, or microG to download apps). This is threat model and use case dependent. I prefer to just use Google Play since I have it installed on GrapheneOS where I use some paid apps not available anywhere else, and I want to keep all of my apps in one place.

(Optional) Create an anonymous Gmail account and use it for Google Play.

---

*Note: This approach aligns with PrivacyGuides and GrapheneOS recommendations, as well as modern security standards. Third-party F-Droid clients are not recommended.*

#Ikitao #OPSEC #Privacy #Android #GrapheneOS
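Added example, not from the post above and not code from Obtainium, Accrescent, F-Droid or GrapheneOS: the check a practitioner wants behind option 1 (APK straight from the developer) is that the file really carries the developer's signing key. Obtainium and Android itself pin the signer on *updates*; on the very first install nothing does, so the script below runs `apksigner verify --print-certs` (Android SDK build-tools, assumed on PATH for a real APK), compares every signer's certificate SHA-256 against a pinned value, and optionally checks the file hash against the release checksum. `PINNED_CERT_SHA256`, `SAMPLE_OK` and `SAMPLE_EXTRA_SIGNER` are placeholders and constructed sample output, not values from any real app.

```python
#!/usr/bin/env python3
"""Pin-check a sideloaded APK before the first install.

Added example, not code from the original post or from any tool it names.
Assumptions: `apksigner` (Android SDK build-tools) is on PATH when a real
APK is checked; PINNED_CERT_SHA256 and the sample output below are
placeholders, not values belonging to any real developer or app.
"""
import hashlib
import re
import shutil
import subprocess
from typing import Dict, Optional

# Placeholder (assumption): replace with the signing-certificate SHA-256 the
# developer publishes in their README or on their release page.
PINNED_CERT_SHA256 = "00" * 32

# `apksigner verify --print-certs` prints one such line per signer.
_CERT_LINE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-fA-F]{64})[ \t]*$",
    re.MULTILINE,
)


def parse_cert_fingerprints(apksigner_output: str) -> Dict[int, str]:
    """Map signer number -> lowercase SHA-256 digest of that signer's certificate."""
    return {int(n): d.lower() for n, d in _CERT_LINE.findall(apksigner_output)}


def signer_matches_pin(apksigner_output: str, pinned: str) -> bool:
    """True only if there is at least one signer and every signer matches the pin.

    Rejecting an APK with an extra, unknown signer matters: Android treats the
    full signer set as the app identity, so an added key means a different app.
    """
    fps = parse_cert_fingerprints(apksigner_output)
    return bool(fps) and all(fp == pinned.lower() for fp in fps.values())


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def file_sha256(path: str) -> str:
    """Streamed SHA-256 of the downloaded file, to compare with the release checksum."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_apk(path: str, pinned_cert: str = PINNED_CERT_SHA256,
               expected_sha256: Optional[str] = None) -> bool:
    """Run apksigner and apply both checks; fails closed if apksigner is absent."""
    apksigner = shutil.which("apksigner")
    if apksigner is None:
        raise RuntimeError("apksigner not found; install Android SDK build-tools")
    proc = subprocess.run([apksigner, "verify", "--print-certs", str(path)],
                          capture_output=True, text=True)
    if proc.returncode != 0:  # invalid or missing signature, or malformed APK
        return False
    if not signer_matches_pin(proc.stdout, pinned_cert):
        return False
    if expected_sha256 is not None and file_sha256(path) != expected_sha256.lower():
        return False
    return True


# Constructed sample in apksigner's output format (not captured from a real APK).
SAMPLE_OK = (
    "Signer #1 certificate DN: CN=Example Developer\n"
    f"Signer #1 certificate SHA-256 digest: {PINNED_CERT_SHA256}\n"
    f"Signer #1 certificate SHA-1 digest: {'11' * 20}\n"
)

# The same APK re-signed with an additional unknown key: must be rejected.
SAMPLE_EXTRA_SIGNER = SAMPLE_OK + (
    "Signer #2 certificate DN: CN=Someone Else\n"
    f"Signer #2 certificate SHA-256 digest: {'ab' * 32}\n"
)

if __name__ == "__main__":
    print("pinned signer only:", signer_matches_pin(SAMPLE_OK, PINNED_CERT_SHA256))
    print("extra signer:", signer_matches_pin(SAMPLE_EXTRA_SIGNER, PINNED_CERT_SHA256))
```

The first-install check is the one that matters: once the app is installed, Android refuses any update whose signer set differs, so a later tampered APK fails on its own. Pin the certificate digest rather than only the file hash, because the hash changes with every release while the signing key does not.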

Replies (15)

Great standards and exactly what I naturally landed on after 15 years in the space. It's the best strategy I have found.
Thanks! franzap has been adding the open-source privacy respecting apps I find and post about to Zapstore for a little while now. I plan to give it a thorough test and review once it matures a bit.
I would, maybe... but first I need to install it. APK anyone?🤔😅
My phone won't download the cdn link for some reason. Maybe I have to go through the share dialogue on Firefox or something...
The risk is much smaller than using a third party F-Droid client like Neo Store as I outline in the post. However, it is still best security practice to not introduce a third party when the side-load apk release is only made available by the dev on F-Droid. Hence, I side with the recommendation of PrivacyGuides and modern security best practices in recommending F-Droid Basic if the dev officially releases the apk on F-Droid and it is not available on their website or git.
AWAGMI? 11 months ago
Why would you trust the developer to provide untampered binaries/releases? With F-Droid you'll either get reproducible builds or the binaries are built by a party whose main job is providing untampered builds (not a priority for app developers). I see it similarly to trusting a VPN with your traffic vs trusting an ISP with your traffic. If there is something I am missing, please educate me.