by ymse 3589 days ago
Just a shout-out to the fine folks over at CopperheadOS[0] who have been doing a lot of behind-the-scenes hardening in Android over the last year[1].

If you have a Nexus device and don't care much for the Play Store applications (F-Droid is included) give it a go for a true AOSP experience.

The only apps I'm really missing are Tasker and Signal, but I have a second phone for those.

0: https://copperhead.co/android/

1: https://copperhead.co/android/docs/technical_overview

3 comments

Can't you install the Signal apk directly, from apkmirror[0]?

0: http://www.apkmirror.com/apk/open-whisper-systems/signal-pri...

Signal has a Google Play Services dependency for notifications, so it won't work properly without installing the whole Google package.

Open Whisper Systems (the developers of Signal) apparently don't want to replace it or even just build in a fallback [0], and even fought with the LibreSignal developers, which is a fork that removes this dependency, and told them to stop using their servers [1], which led to LibreSignal being discontinued.

I don't know what the heck is going on with this, but yeah, it's not pretty.

[0]: https://github.com/WhisperSystems/Signal-Android/issues/1106

[1]: https://github.com/LibreSignal/LibreSignal/issues/37#issueco...

There's also a more elaborate article on the topic here:

https://lwn.net/Articles/687294/

There's a FOSS replacement for Google Play Services¹, and even Moxie himself² suggests using Signal with it if you are not comfortable with Google Play.

¹ https://github.com/microg/android_packages_apps_GmsCore/wiki

² https://github.com/LibreSignal/LibreSignal/issues/37#issueco...

I am using it and while it's not really working for me (I suppose an update broke it), it's enough to convince Signal to install.

It doesn't receive push notifications but I still receive messages once I run the app in the foreground (a thing I almost consider a feature now and not a bug)

from 2: > I understand that federation and defined protocols that third parties can develop clients for are great and important ideas, but unfortunately they no longer have a place in the modern world.

Wow, Moxie... What the hell?

Re: APKMirror: I have the same questions I have about all APK proxy services - which claim to pull the APKs directly from the Play Store - why would I trust it to provide software that isn't infected with malware?

Other than APK Downloader, I haven't found another credible source among the very many options. Any solutions would be appreciated.

----

[0] APK Downloader, for those interested ... I'd start with the original, but the others might suit your needs:

* redphoenix89's original here: http://codekiem.com/2014/08/07/official-apk-downloader-v2-do... and here: http://forum.xda-developers.com/showthread.php?t=1515021

* Bexton's updated Chrome extension, based on v1.21: http://forum.xda-developers.com/showthread.php?t=1809458

* Lekensteyn's updated Chrome extension, based on v1.3.4 of Bexton's: https://lekensteyn.nl/apk-downloader/ and https://github.com/Lekensteyn/apk-downloader

You are fine using apkmirror to grab an update you haven't yet received from the Play Store. When you install the apk, Android knows you are updating an app, verifies the signature, and ensures it came from the same developer.

Android is sane: it won't let you downgrade, further updates from the store will work correctly, etc. Since apkmirror usually get their apks from the Play Store, you'll be okay if you know what you are doing.

That said, your skeptical attitude is very appropriate. Installing apks from outside of the Play Store is by far the biggest vector for malware. Users that only install from the Play Store are currently safe (less than 0.15% of those users get malware).

> You are fine using apkmirror to grab an update you haven't yet received from the Play Store. When you install the apk, Android knows you are updating an app, verifies the signature, and ensures it came from the same developer.

Great point; thanks.

> apkmirror usually get their apks from the Play Store

How do you know this? I've read reports of other Play Store proxies who injected malware.

> your skeptical attitude is very appropriate. Installing apks from outside of the Play Store is by far the biggest vector for malware

I was talking about APK proxy services, which claimed to pull the APKs from Google Play Store. For app stores, there are other generally reputable sources, such as,

* F-Droid, which focuses on free/open source software and user privacy. It has an excellent reputation and builds every app from source.

* Aptoide: Large commercial market, claims to screen apps for malware

* SlideME: At least at one time, reputedly focused on small, indie devs.

* GetJar: "The worlds biggest Open App Store", Started "by developers for developers"

I'm not entirely sure, but doesn't APK signing prevent these third parties from tampering with the APKs?

Also, Raccoon is similar to APK Downloader: http://www.onyxbits.de/raccoon

There's also this desktop application to download from the play store https://codingteam.net/project/googleplaydownloader (codingteam.net, a "Forge" site, has an expired TLS cert)

It needs Google Play Services for push notifications over GCM.

Looks awesome, but no support for the Nexus 5 :(

Nexus 5 has a Snapdragon 800 with no 64-bit support. So, it's out. Same with the 805 in my Nexus 6. They're both kinda long in the tooth. The project supports the current (soon to be previous) generation of Nexus devices: 5x, 6p, 9.

I realized that quickly after I posted my comment.

Guess I'm gonna have to keep looking...

I ran CM on a Nexus 5 some years ago, but since they quit releasing stables I left (the nightlies really weren't stable).

Now I have a 5X. Is the latest version available on the Copperhead site for that phone "based on Nougat"?

Nope, Marshmallow [0]. 0-day 3rd-party Android ROMs aren't really a thing, since AOSP code isn't publicly updated until final release (unless that changed this cycle, but I haven't heard of it).

[0] https://copperhead.co/android/downloads?device=bullhead