GrapheneOS App Store now includes a mirror of Accrescent, which is a privacy and security focused alternative to the Play Store distributing developer builds of apps:
Accrescent comes from within the GrapheneOS community and we’re collaborating together.
Accrescent is in alpha and isn’t yet open to any developers uploading their apps. It will have a lot more apps available in the future. It will become a full alternative to Play Store permitting closed source apps too, but you’ll be able to filter to show only open source apps.
Lead dev of Accrescent is a GrapheneOS user and contributor. It’ll be a good place to publish apps for GrapheneOS users. AppVerifier, BeauTyXT and Transcribro are from the same person who wrote our Info app. Molly is a security-focused fork of Signal from another GrapheneOS user.
AppVerifier was based on a planned GrapheneOS feature for users to verify APK files based on their key fingerprint. The feature is currently stalled since relying on the clipboard isn’t ideal. For now, users can use AppVerifier from Accrescent until we ship a built-in approach.
We’ll be delegating distributing developer builds of apps signed by the developers to Accrescent rather than doing it in ourselves. Our App Store will be focused on our own apps and eventually hardened, rebranded builds of important third party apps widely used by our community.
AFAIK the main difference is that on F-Droid (at least the main repo), all apps are signed by F-Droid. On Accrescent however, each app is signed by its developer. This can be seen as it being more secure.
If you’re further interested in the topic, there’s at least one discussion thread about the ‘insecurity of F-Droid’, I believe also directly comparing it to Accrescent, on the GrapheneOS forum.
@metaphortune@lemmy.world Article about this issue: https://privsec.dev/posts/android/f-droid-security-issues/
While F-Droid has issues, most of the points in the article are minor inconveniences blown out of proportion. Slow updates because they’re mostly community-funded. I kinda like their app approval and low level permission listing. It’s a double edge sword because there’s an additional level of audit, but also an additional layer for tampering. But that can also happen if devs turn malicious themselves.
Low target SDK lets me use apps that make old devices still usable. It keeps me from throwing them off on the landfill. Most browsers are fucked on old devices (no support for modern TLS) but youtube still works with newpipe forks. So at least I can carry it to watch youtube when travelling. Confusing UX is not a f-droid problem, there are already multiple alternatives.
The only problem they actually have is unstable leadership that has made some of the team leave and there are problems with key signing and they force devs to use old versions.
There’s a lot of wannabe “privacy” sites popping up since a couple years and everyone’s trying to start a big controversy off of small things. It’s easy to complain than rather do the work to make things better and most of these authors can fuck right off.
If I’ve learned one thing about computers, it’s that you can’t ever trust the developers to properly package their software. Sooner or later they will abuse this privilege by introducing unsafe defaults, or bundle some useless, stupid, or outright malicious stuff.