Article <100pusf$4089$1@dont-email.me>

Deutsch English Français Italiano
<100pusf$4089$1@dont-email.me>

View for Bookmarking (what is this?)
Look up another Usenet article
Path: ...!weretis.net!feeder9.news.weretis.net!news.quux.org!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!eternal-september.org!.POSTED!not-for-mail
From: "R.Wieser" <address@is.invalid>
Newsgroups: comp.mobile.android
Subject: Re: grapheneOS app store - how to get a list of available apps ?
Date: Fri, 23 May 2025 15:57:17 +0200
Organization: A noiseless patient Spider
Lines: 110
Message-ID: <100pusf$4089$1@dont-email.me>
References: <100la9g$30k1k$1@dont-email.me> <m-q*3G7cA@news.chiark.greenend.org.uk> <100mqnv$3d4a6$1@dont-email.me> <m-q*Ob8cA@news.chiark.greenend.org.uk> <100n4ji$3f2pb$1@dont-email.me> <100nbk8$2p4rf$1@news.usenet.ovh> <100ne0t$3h29q$1@dont-email.me> <o-q*1hbdA@news.chiark.greenend.org.uk> <100pk9i$22iv$1@dont-email.me> <n-q*DCbdA@news.chiark.greenend.org.uk>
Injection-Date: Fri, 23 May 2025 15:57:35 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="4a0a3b990311452c9571ba5f1a8252b7";
	logging-data="131337"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX199oeE1mD3Ea3QOm7Cy3xDnJwoqjbqSYDz3gfnw//QIEg=="
Cancel-Lock: sha1:tAdpYMNb2OLEXQx0pAoQOUfPVbM=
X-RFC2646: Format=Flowed; Original
X-Newsreader: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
X-MSMail-Priority: Normal
X-Priority: 3
Bytes: 5652

Theo,

> I think you need to separate the *store* from the *apps*.

I have no idea what you mean with that.  Sorry.

> By searching Reddit/forums/Usenet/whatever I get recommendations
> from people, which acts as a primary filter for junk.  Nobody is
> going to recommend that $10 flashlight app, and if they do
> everyone else will point out something better.

Well, I could surely do with a suggestion for a TTS app for my Pixel6, 
Andriod 15 OS. :-)

> (anyone can make a website).

Yep.  And than anyone can create an app that is just a thinly-wrapped 
standard browser and point to it - giving it an air of legitimately.  Alas.

You know, I have no idea why someone who has an "app store" would want to 
make it only accessible by an app (and not by a generic internet browser). 
Do you have an(y) idea ?

> You can search on either of those names in store apps and find
> that specific app.

Indeed.  After you've found "those names" and verified that they are legit 
the rest is rather easy.

But those two are the whole problem.   There is no "evil" bit* in the 
manifest of an APK to warn about the app being suspect, and to look further.

* a reference to a joke internet RFC (RFC3514) where that was a proposed 
addition.

> By getting it from a store you know it is signed by Bob and not
> some shady person,

You seem to skip the (definitily non-zero) possibility that "bob" *is* the 
shady person, or that "bob" has sold his app and app-signing ID to a shady 
party. Or that "bob" is legit but uses poisonned libaries to create his app 
with.

So no, getting an app from an app-store doesn't make that in any way 
certain - if it would than Googles walled garden would not have a single 
shady (and worse) app.

> Every store has some junk apps - Google's is worse than others.
> But Google is a reputable conduit of good apps too.

:-)  Than our only problem is to discern the good from the bad ones, right ? 
With the baddies trying to make that as hard as possible ...

> you should look for recommendations outside of the store and then
> only use the store to download apps via their full name, not as a
> tool to discover apps.

I think you are confusing yourself.  "looking for recomendations" equals 
"discover apps".  And as you mentioned earlier, those giving recomendations 
might well be malicious.

Take me for example: I'm looking for a TTS app.  If you would suggest one 
than on which grounds should I trust it to be a non-malicious app ?   Yes, 
you sound trustworthy enough.  The problem is liars often sound trustworthy 
enough too.

And than there is the problem that you could even not be aware of that the 
app you're suggesting is malicious. Something that has also happened to 
developers, who, unknowingly, used malicious/poisonned third-party 
libraries.

Bottom line, there is very little to go on to select an app.  Most of it is, 
and has to be done on, one's gut feeling.

Personaly I inspect an apps manifest, and decide based on which permissions 
it wants.  The more permissions wanted, the less chance I'm going to install 
it.

> By using Aurora you *don't need a Google account* to access Google's
> app catalogue, so that's the best of both worlds from a privacy
> perspective.

I think you misunderstood me: I *do not want* to install any of Googles 
walled garden apps - regardless of the way by which I could download them. 
For multiple reasons.

> (TBF I do tend to trust the apps in F-droid

Same here.

> I think you are making life difficult for yourself and that's why
> you can't find a modern TTS app.

Yes, and that started with not just running Googles stock android. Which was 
a rather concious decision.

But, as you (ofcourse) have multiple app stores at your finger-tips, why 
don't you take a peek in them and suggest me a few URLs ?  :-)

Hmmm... As I now know that my android OS version is rather important when 
selecting an app I should again do a search for a TTS.  Maybe I'll be lucky 
this time...

Thank you for your responses.  As you might have noticed I do not quite 
agree with you, but that doesn't mean I don't appreciate them.

Regards,
Rudy Wieser