I wrote a blog post about migrating to #grapheneos as my daily driver including links to all the nice #foss apps I use now. What are your favorite open source apps on Android? @flowinho Since we talked about it the other day  https://www.davd.io/posts/2026-03-21-back-on-grapheneos-in-2026/ #didit #dutgemacht

@_davd @flowinho
That's awesome. Thank you very much. There are some very useful tips!

@_davd @flowinho Markor, Öffi, NewPipe, Thunderbird, Firefox, AntennaPod, DAVx5, Voice and VLC are probably my most used open source apps. Syncthing Fork is also super important for me but I deactivated updates for now due to weird changes in its maintenance.

BTW in the banking section you mention C24 only works with play services. According to Plexus it seems to work okay with microG, though. I heard a lot of banking apps do in the meanwhile. (I can't try it myself yet, though)

@cvap @flowinho Will check them out, thx! Yeah I saw that with microG, and while it may work, I want to stick with what's officially supported by GOS for now. I feel like I already have to play catch-up enough to pull in a Play Services reimplementation that also needs to catch up with upstream Play Services all the time. I think by now I'd rather migrate away from C24, but unfortunately I cannot get a second account at ING :( Do you know by chance if Push works with microG?

@_davd @flowinho I read that microG offers push notifications and did not see any complaints regarding C24 and push in Plexus. But I do not know for sure. There is this comment, though:

> "Works great except for the inbuilt scanner which is used to authenticate a (nice-to-have) browser session. As a work-around, you can use any standalone scanner app and open the scanned URL with this C24 app.
> A warning may appear re an unlocked bootloader but that doesn't seem to impact operations."

@_davd @flowinho I think it is fine to use the play services sandboxed, I just wanted to point out there may be a less googled way also.

@_davd @flowinho
Don’t use F-Droid and Aurora store for security, use Obtainium, Accrescent and AppVerifier.

https://privsec.dev/posts/android/f-droid-security-issues/

https://xcancel.com/search?f=tweets&q=from%3AGrapheneOS+Aurora+Store

@a53bdb @flowinho Thx for your feedback! Accrescent has like 10 apps, so that unfortunately does not get me very far. For a profile without Play, the Play Store is also not an option, so Aurora it is, unless I want to download each apk manually (I don't want to make my main profile a secondary profile to install apps that way). For F-Droid, true, but many apps don't publish their decluttered F-Droid builds on GH or any build at all (like AntennaPod), so for now guess I'll live with it.
@_davd @flowinho Obtainium can obtain apps from F-Droid repo too. Don’t sacrifice other apps dependencies security if you have to use it.
@a53bdb @flowinho Yeah that's what I do mostly 👍 But the fundamental sec issue (central build, signing infra) stays the same. On the other hand, assuming my biggest problem is the central signing, then the impact of F-Droid getting compromised is much higher. However, I feel in reality it's not that black and white. Devs with lax opsec have their accounts compromised and GH actions are super prone to supply-chain attacks (see https://www.theregister.com/2025/03/17/supply_chain_attack_github ). So it's a trade-off, unfortunately 😅
@_davd @flowinho Developers from F-Droid probably have the same possibility of getting hacked. Centralized building simply increases the risk.
@a53bdb @flowinho I agree with the sentiment and the fundamental risk. The problem is that it just doesn't work like "an upstream developer build is always more secure than the F-Droid build". If I look at the pipeline of an app build and the GH actions they use are not even pinned to reduce the risk of SCAs, I'll happily take the F-Droid build instead. As always, it depends on what you do.
@a53bdb @flowinho True, I only use it for the apps I can't get otherwise anyway