mirror of
https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-06-19 12:04:08 -04:00
Accrescent app store
This commit is contained in:
parent
2d6f88baa9
commit
b21bc33a60
1 changed files with 14 additions and 12 deletions
|
@ -87,7 +87,7 @@ If Auditor ever detects tampering, you should immediately treat the device as un
|
|||
|
||||
User profiles are a feature that allows you to compartmentalize your phone, similar to how [Qubes OS](/posts/qubes/#what-is-qubes-os) compartmentalizes your computer. User profiles have their own instances of apps, app data, and profile data. Apps can't see the apps in other user profiles and can only communicate with apps within the same user profile. In other words, user profiles are isolated from each other — if one is compromised, the others aren't necessarily.
|
||||
|
||||
The Owner user profile is the default profile that is present when you turn on the phone. You can create additional user profiles. Each profile is [encrypted](/glossary/#encryption) with its own encryption key and cannot access the data of other profiles. Even the device owner cannot view the data of other profiles without knowing their password.
|
||||
The Owner user profile is the only profile that is present when you turn on the phone. You can create additional user profiles. Each profile is [encrypted](/glossary/#encryption) with its own encryption key and cannot access the data of other profiles. Even the device owner cannot view the data of other profiles without knowing their password.
|
||||
|
||||
We'll now create a second user profile for all applications that don't require Google Play services:
|
||||
|
||||
|
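Review bot: The reworded sentence "The Owner user profile is the only profile that is present when you turn on the phone" is ambiguous once the next sentence invites the reader to create more profiles, since those profiles still exist after a reboot. If the intent is that only Owner exists on a fresh install, say so directly (for example "the only profile that exists by default"). If the intent is that only Owner is available at boot until other profiles are unlocked with their passwords, word it that way instead.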
@ -116,15 +116,15 @@ To reiterate, the user profiles and their purposes are:
|
|||
|
||||
# How to Install Software
|
||||
|
||||
The GrapheneOS app store contains the standalone applications developed by the GrapheneOS project, such as Vanadium, Auditor, Camera, and PDF Viewer. These are automatically updated.
|
||||
The GrapheneOS app store contains the standalone applications developed by the GrapheneOS project, such as Vanadium, Auditor, Camera, and PDF Viewer. These are automatically updated.
|
||||
|
||||
To install additional software, [Sandboxed](/glossary/#sandboxing) Google Play can be installed through the GrapheneOS app store: ["Google Play receives absolutely no special access or privileges on GrapheneOS."](https://grapheneos.org/features#sandboxed-google-play)
|
||||
To install additional software, the GrapheneOS app store can install two other app stores: [Sandboxed](/glossary/#sandboxing) Google Play and [Accrescent](https://accrescent.app/). ["Google Play receives absolutely no special access or privileges on GrapheneOS."](https://grapheneos.org/features#sandboxed-google-play) Accrescent currently only has a small selection of apps.
|
||||
|
||||
Avoid F-Droid due to its numerous [security issues](https://www.privacyguides.org/en/android/#f-droid). The [Aurora Store](https://www.privacyguides.org/en/android/#aurora-store) has [some of the same security issues as F-Droid](https://privsec.dev/posts/android/f-droid-security-issues/#conclusion-what-should-you-do).
|
||||
Avoid the F-Droid app store due to its numerous [security issues](https://www.privacyguides.org/en/android/obtaining-apps/#f-droid). We also don't recommend the [Aurora Store](https://www.privacyguides.org/en/android/obtaining-apps/#aurora-store), as it has [some of the same security issues as F-Droid](https://privsec.dev/posts/android/f-droid-security-issues/#conclusion-what-should-you-do).
|
||||
|
||||
The approach we will take is that all applications needed in the Default user profile will be installed in the Owner user profile, using Sandboxed Google Play. In the Owner user profile, all installed applications will be "disabled", because we only use these applications from the Default user profile (except, [if you ever use the phone away from home](/posts/grapheneos/#force-all-network-traffic-through-a-vpn), a VPN app that needs to run in all profiles). Then we'll use the **Install available apps** feature to delegate apps to the Default user profile.
|
||||
The approach we will take is that all applications will be installed in the Owner user profile, using Sandboxed Google Play and/or Accrescent. We'll then "disable" these installed apps in the Owner user profile and delegate them to the Default profile. This is because we will only actually use them from the Default user profile (except, [if you ever use the phone away from home](/posts/grapheneos/#force-all-network-traffic-through-a-vpn), a VPN app that needs to run in all profiles).
|
||||
|
||||
## Software from Sandboxed Google Play
|
||||
## Software from Sandboxed Google Play and Accrescent
|
||||
|
||||
To install and configure Sandboxed Google Play:
|
||||
|
||||
|
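Review bot: In the rewritten "To install additional software" paragraph, the quoted GrapheneOS statement about Google Play now sits between the sentence naming both stores and the sentence about Accrescent's small selection, so it is easy to read it as applying to both. Consider keeping the quote directly beside the Sandboxed Google Play mention and giving Accrescent its own sentence that says why it is acceptable, since the following paragraph justifies rejecting F-Droid and Aurora but nothing here justifies Accrescent. Separately, the heading becomes "Software from Sandboxed Google Play and Accrescent" while the line under it still reads "To install and configure Sandboxed Google Play:", and the rewritten approach paragraph drops the name of the **Install available apps** feature, which the reader only meets later under "Delegating apps".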
@ -134,22 +134,24 @@ To install and configure Sandboxed Google Play:
|
|||
* Automatic updates are enabled by default on the Google Play Store: **Google Play Store Settings → Network Preferences → Auto-update apps**.
|
||||
* Notifications for Google Play Store and Google Play Services must be enabled for auto-updates to work: **Settings → Apps → Google Play Store / Google Play Services → Notifications**. If you get notifications from the Play Store that it wants to update itself, [accept them](https://discuss.grapheneos.org/d/4191-what-were-your-less-than-ideal-experiences-with-grapheneos/18).
|
||||
|
||||
You are now ready to install applications from the Google Play Store. See [Encrypted Messaging for Anarchists](/posts/e2ee/) for ideas.
|
||||
For Accrescent, simply install it through Apps in the Owner user profile.
|
||||
|
||||
You are now ready to install applications from the Google Play Store and Accrescent. See [Encrypted Messaging for Anarchists](/posts/e2ee/) for ideas.
|
||||
|
||||
### Delegating apps
|
||||
|
||||
Now we will delegate apps to the profiles they are needed in:
|
||||
|
||||
* In the Owner profile, disable all applications downloaded from the Play Store (except for the VPN): **Settings → Apps → [Example] → Disable**.
|
||||
* In the Owner profile, disable all applications downloaded from the Play Store or Accrescent (except for a VPN app): **Settings → Apps → [Example] → Disable**.
|
||||
* To install any app in the Default user profile: **Settings → System → Multiple users → Default → Install available apps**, then select it.
|
||||
|
||||
## Software That Isn't On the Play Store
|
||||
## Software That Isn't On the Play Store or Accrescent
|
||||
|
||||
Some apps are not on the Play Store, either because they're still in development or because they don't want users to have to interact with Google. Apps installed through the Play Store update automatically, but if you were to download individual APK installer files, you would have to remember to update them yourself (there are exceptions, like Signal, which is designed to update itself). Additionally, you must verify the authenticity of the APK file yourself with a tool like [AppVerifier](https://github.com/soupslurpr/AppVerifier).
|
||||
Most software is available either through the Play Store or Accrescent. For the small number of apps which aren't, downloading individual APK installer files isn't a good solution because you would then have to remember to update them yourself (there are exceptions, like Signal, which is designed to update itself).
|
||||
|
||||
[Obtainium](https://www.privacyguides.org/en/android/#obtainium) is an app manager which allows you to automatically update apps after installing them from an APK file (an APK is found from the developer's own releases page such as GitHub or the developer's website). It is available on their [GitHub Releases page](https://github.com/ImranR98/Obtainium/releases) — `app-arm64-v8a-release.apk` of the latest release is what you want (arm64-v8a is the processor architecture). If you need apps that aren't available in the Play Store, install Obtainium in the Owner user profile (and don't disable it). Use the same process as above to install apps into the Owner user profile, but through Obtainium, then disable the app and delegate it to a secondary profile. AppVerifier integrates with Obtainium so that before Obtanium installs an APK you can do a verification — AppVerifier can approve selected apps, or you can manually compare the APK's fingerprint to somewhere that the developer has published it.
|
||||
[Obtainium](https://www.privacyguides.org/en/android/obtaining-apps/#obtainium) is an app manager which allows you to automatically update apps after installing them from an APK file (an APK is found from the developer's own releases page such as GitHub or the developer's website). It is available on their [GitHub Releases page](https://github.com/ImranR98/Obtainium/releases) — `app-arm64-v8a-release.apk` of the latest release is what you want (arm64-v8a is the processor architecture).
|
||||
|
||||
As an example of how to use Obtainium, Molly-FOSS is a hardened version of Signal without [Google software](https://github.com/mollyim/mollyim-android#free-and-open-source) and it is available from [Github Releases](https://github.com/mollyim/mollyim-android/releases). In Obtanium, press **Add App**, then paste the Github Releases URL.
|
||||
If you need apps that aren't available in the Play Store or Accrescent, install Obtainium in the Owner user profile (and don't disable it), then verify its authenticity with AppVerifier, which is available through Accrescent. Use the same process as above to install apps into the Owner user profile (but through Obtainium), disabling them then delegating them to a secondary profile. AppVerifier integrates with Obtainium so that before Obtanium installs an APK you can verify its authenticity — AppVerifier can approve selected apps, or you can manually compare the APK's fingerprint to somewhere that the developer has published it.
|
||||
|
||||
## Software That Requires Google Play Services
|
||||
|
||||
|
|
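Review bot: The new sentence "install Obtainium in the Owner user profile (and don't disable it), then verify its authenticity with AppVerifier" puts verification after installation, and the old explicit instruction that you must verify a downloaded APK yourself is gone from the first paragraph of this section. Since the Obtainium APK is itself a manual download from GitHub Releases, state the order as: install AppVerifier from Accrescent first, check the downloaded Obtainium APK with it, then install. Two smaller points in the same hunk: "Obtanium" is misspelled in the added paragraph ("before Obtanium installs an APK"), and the added line "For Accrescent, simply install it through Apps in the Owner user profile" does not say whether Accrescent updates apps automatically, while the Google Play bullets above it spell out the auto-update settings.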