Security-relevant issue: what store is trusted and how to know

(I got prompted to write this because the Aptoide store stopped working on our phones. This post is not about that issue, but I noticed that it is pretty unclear which store one should use to download Android apps from.)

It is one of the important features of Sailfish that it supports both privacy and Android apps. The weak point in this combination is if the information about where to get the apps from is unreliable.

Sailfish should really find a way to clearly communicate reliable information about:

  • what stores can be trusted
  • what stores have turned out to be fake or seriously flawed

If I search the web or even this forum about this, I find opinions, from different times, but no reliable statements that are kept up to date. I still don’t know if I was affected by the fake Aptoide store, because there was no precise information about it; the store was just swapped more or less silently.

In short: for security, this is a weak spot, and I think it should be treated with a bit more care. But maybe some here have some information that I don’t have?

5 Likes

For Android apps I would recommend either F-Droid (https://f-droid.org/) or Aurora (https://auroraoss.com/) and strongly advise against anything else.

F-Droid is focused on open source apps and builds most of the offered apps from source in a reproducible way.

Aurora, on the other hand, is a frontend for the Google Play Store without the need for a Google account, so it allows you to install pretty much any app from the Play Store.

Between those two options, I do not see any need for any other potentially sketchy third party store.

When it comes to native apps, it basically depends on your personal preference and who you trust…
The Jolla store has some basic checks, but I highly doubt they will catch any intentionally malicious app with those. Chum apps are curated by a small group of community members and built from source on a build server run by Jolla. Openrepos is, as its name implies, completely open and anyone can upload anything. This seems to have worked out so far, as I’m not aware of any intentionally malicious native Sailfish apps, but you may want to be a bit more careful about which Openrepos apps you install…

12 Likes

For every Sailfish OS release, we publish the release notes. It has the chapter “Known issues”. There was a disclaimer about the Aptoide case here.

I do not know what this means exactly.
Anyways, Aptoide is a different company. Jolla cannot control what they do.

1 Like

Aptoide has been obsolete for some time already. In the past we also used APKPure, but the same story. I prefer open source apps from F-Droid. In F-Droid you can also see an app Aurora Store (has nothing to do with AuroraOS), a Google Play Store client. In Aurora Store you can search for apps without tracking. It’s not easy, but there are some. ExodusPrivacy gives information about trackers in numerous Android apps.
I have four app stores on my phone: Jolla, Storeman, F-Droid and Aurora Store. That will do.

2 Likes

I forgot: when you enter Aurora Store you can choose if you want to make use of Google or prefer to stay anonymous. I did the last.
Paid apps are not possible unless you use MicroG. I haven’t done that, maybe someone else can tell more about it.

3 Likes

Thank you for your replies, this is very helpful, indeed!

Maybe I remember it wrong, but as far as I do, there was a time when “Aptoide” was automatically referred to when one installed “Android Store” from the Jolla Store.

I see. The difficulty seems to be how to know the issues without going through all past issues, and also perhaps a little about the severity (it doesn’t exactly stand out as a problem).

OK, that sounds like a good recommendation – could that perhaps be included in the Sailfish tutorial introduction?

Most of us (I think) will need at least a few non native apps.

1 Like

So for a fresh install, the chain would be

  • from the Jolla Store, install F-Droid
  • then, from F-Droid, install Aurora

correct?

3 Likes

I think for paid apps you need to log in with an account. Whether the app then needs Google Play services may vary. If yes, microG can help.

1 Like

you mean log into Aurora with a Google account?

Exactly. They need an account to manage your bought apps.
It is possible to run an anonymous account when you pay by Google Play store gift cards, which you can buy with cash in supermarkets.

To clarify: I do not recommend this; personally I do not have a Google account. But it provides a way to have paid apps from the Google store, and you can do it without giving them relevant data (phone number or bank account).

OK, but in principle it should be possible to download free apps anonymously, right? I just ask because I have a technical problem at this point.

It is recommended to users when installing Sailfish:

1 Like

Yes, it’s a joke. But not a good one.
This installation guide is more than three and a half years old and has not been updated since Aptoide began to cause trouble years ago. So please ignore it and use another APK store like Aurora or APKPure.

2 Likes

Yes, indeed. 20 characters

Just a note – two years later, this is still an issue.

Why? Use F-Droid, or trust people you maybe should not trust.

Which solution do you suggest?

I would assume a proper Jolla store and proper checks/curation.
At least that would make sense to me.