Hi, I mentioned alternative app stores & sources for Android devices recently in a post about YouTube Front End Alternatives, and wanted to elaborate on them a bit more. Looking into it for this post, I actually learned a lot more that has changed how I use them myself. These all primarily host Free and Open Source Software (FOSS). Also, this post is long, so have some jump-to links.
Jump To:
'F-Droid' & 'F-Droid Basic' Clients
Why use any of these? Primarily data privacy, or perhaps you are a FOSS ideologue; the two kind of go hand in hand. Apps draw over your entire screen and access your system information. They can detect when you stop or pause on a post or video even briefly, and the most popular apps take constant telemetry of actions like this to improve the algorithms which feed you content. The most popular proprietary apps are popular because of these telemetry-based algorithms, and they make a lot of money off the data they collect from you. This data can be used in many ways: sold to other companies so they can improve their advertising to you, or fed back into their own ecosystem for the same reason. This doesn't only happen with big apps either. Typically speaking, if something is free on an app store, or the internet in general, the real cost is the data that they collect from you. FOSS apps allow users to see that they have no data collection/telemetry, and are genuinely free of cost as well as corporate influence.
A good idea if you are concerned is to search for an app you use regularly in the Play Store and check out the 'Data Safety' section on its store page. This will tell you all the types of data they collect as well as what types they share with third parties. Unfortunately, you grant them the permission to do this simply by using the app. It is far more private to open the respective website of an app in a browser (like youtube.com, instagram.com), but they design their mobile websites to be very unresponsive and difficult to use, and remove popular features that are in the app version, specifically to discourage this behaviour.
F-Droid & Derivatives Overview
F-Droid is the most popular alternative to Google's Play Store ecosystem. It is essentially an app store that only hosts free and open source apps on its own software repository (digital storage space). F-Droid produces the 'F-Droid' app and 'F-Droid Basic', which act as app stores/software sources. There are also other derivative apps, like 'Droid-ify', which are built on F-Droid's service but with extra additions.
FOSS and Security: The F-Droid team receives code from developers, checks it for privacy trackers or proprietary code, then builds the app from source code to ensure nothing malicious is added. If an app does not meet these requirements it will not be hosted by F-Droid, ensuring that they only host totally free and open source software, that is reproducible from the code provided by the original developer.
Late Updates: This process takes time, and can often mean that a developer's new updates to an app are not available on F-Droid for a number of days. This can potentially be problematic if the update is an urgent security-focused one (like for a browser), or if the app has a major issue preventing it from functioning (YouTube front ends like NewPipe 'break' frequently as YouTube constantly changes its software to hinder them).
Third Party Sources: There is a simple way around this issue in the various F-Droid apps, but it does circumvent the point of the main F-Droid repository (where the F-Droid team reviews each app and update). F-Droid allows the addition of third-party repositories. These may be large-scale ones hosting thousands of apps, like 'IzzyOnDroid', or individual repositories hosted by the developers of a single app, like NewPipe or IronFox. These third-party repositories still primarily host FOSS apps only, but typically push updates from developers straight away. These repositories do not always have a third party reviewing the apps/updates as they are made available, and some of these apps may not be available on F-Droid's repository because they don't meet the stricter requirements of being completely FOSS (no proprietary code at all).
Risks: F-Droid, and all of the third-party repositories like IzzyOnDroid, make no guarantees as to the safety of what they host. F-Droid does seem to be putting in the most work to ensure the security of what it hosts on its own repository, but nothing is foolproof, and you will see a number of people online who don't trust F-Droid as it is a centralized system with one major potential attack source. Trusting these repositories or individual app developers is completely up to the individual, but websites that host source code (GitHub, GitLab, Codeberg etc.) can give you some insight into the userbase size of an app: the more potential eyes reviewing the source code, the better (theoretically).
'F-Droid' & 'F-Droid Basic' Clients
It is recommended to use F-Droid Basic, as this has a reduced feature set, and therefore a smaller potential 'attack surface' for vulnerabilities. Basic also runs on newer app software, which makes it more secure and allows background updates. The original F-Droid app still exists to be accessible for older devices. That being said, both apps look and control almost identically; you just have to manually hit install for updates on the regular F-Droid, or on both if you have a device lower than Android 10. F-Droid Basic can be downloaded from the F-Droid app, which itself can be downloaded from their website. You can then delete the regular version once Basic is installed.
The apps are a bit dated in their design and feel a bit unintuitive compared to modern app stores. You are able to search for apps by name or terms close enough ('calendar' should bring up numerous calendars, for example). You could also look up apps in a browser on f-droid.org if using the app is too annoying. The F-Droid-made clients only provide the F-Droid repository as standard, but you are able to add more in Settings>Repositories>(+) button. This allows you to scan a QR code from a website to automatically add that repository, or manually enter the URL of one. As an example, I use IronFox browser, a privacy hardened Firefox fork, and just had to enter 'https://fdroid.ironfoxoss.org/fdroid/repo' in the URL section. Most app source code host pages (GitHub, GitLab, Codeberg etc.) will have a clickable link to automatically add their repository to F-Droid, or they will provide a guide on their main page. The same goes for larger third-party repositories like IzzyOnDroid; see their info page.
Droid-ify Client
If you are not technically minded at all, are likely to not adopt something if it is a little inconvenient, and/or just want to start using fewer corporate apps and explore more FOSS ones, Droid-ify is probably a better bet. It is built atop F-Droid, providing the same access to its repository, but has a much better user interface and adds several popular third-party repositories like IzzyOnDroid. This provides hundreds more apps, so it is easier to find alternatives to the ones you were already using which may be collecting data from you (calendars, notes apps, email clients etc.).
From an average user's perspective this is a better option. The main downside of Droid-ify and similar F-Droid derivatives like NeoStore is that they do not support repository 'mirrors'. Mirrors are identical repositories that allow the bandwidth of downloads to be spread out across multiple servers instead of all focusing on one source, which can cause a DDoS effect (inundation of connections that overloads, slows, or shuts down a server). Again, as an average user this most likely will never affect you in any way, but it is worth mentioning.
The Droid-ify client can be downloaded from F-Droid, or the release section of its GitHub page. There are other clients like Droid-ify you can check out (NeoStore, which I mentioned briefly, is one), but I have only personally tested Droid-ify before.
Accrescent App Store
Accrescent is a newer app store with a focus on 'security, privacy, and usability' that is currently in alpha release stage. It has a number of security features with regards to signature keys, in a similar way to how Linux distributions secure their repositories. It only works for Android 10 and up, and at the time of writing only hosts about 10-15 apps total. Apps do not have to be FOSS to be hosted by Accrescent, but it is the case for the majority of what it hosts currently. IronFox, the browser that I use, is on there and highly recommends it as the primary download source. Accrescent also comes standard on GrapheneOS, the heavily security/privacy focused alternate operating system for Android phones. You can download it from their website. I honestly haven't really used this, but it will probably become a bigger player over time.
Obtainium
This is not an app store, but a standalone app that will pull app releases directly from developers' host pages for you. Not really for non-technical people, or those new to the alternative/FOSS app space. This is a good option if you already know and trust the FOSS apps that you use and just want them/their future updates directly from the source as quickly as possible. The developer recommends using it with 'AppVerifier' to manually double check signatures on first download; after that it will auto update the apps you add to it for you (on Android versions that support that). Adding apps is pretty easy: you can manually enter a URL of a source code host page (GitHub, GitLab, Codeberg etc.) or search apps by name from some supported sources. This is all difficult to succinctly explain, and is not really new user friendly, but the developer has made a 30 minute '101' video that covers everything. Obtainium can be downloaded from F-Droid, or its GitHub page.
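One way to do that first-download signature check by hand on a computer, as an added example that is not code from Obtainium or AppVerifier: compare the SHA-256 signing-certificate digest printed by `apksigner verify --print-certs` with the fingerprint the developer publishes. The function names and the sample output are constructed for illustration, and refusing anything but a single signer is a choice made for this example.

```sh
#!/bin/sh
# Added example: pin an APK's signing certificate before the first install.
# Real use (apksigner ships with the Android SDK build-tools):
#   apksigner verify --print-certs app.apk | check_pin "<published SHA-256>"

# Normalise a fingerprint: strip colons/whitespace, lower-case the hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n\r' | tr 'A-F' 'a-f'
}

# Read `apksigner verify --print-certs` output on stdin and print each
# signer's certificate SHA-256 digest, one per line.
signer_digests() {
    sed -n 's/^Signer #[0-9][0-9]* certificate SHA-256 digest: *//p'
}

# check_pin EXPECTED_FP   (apksigner output on stdin)
# 0 = exactly one signer and it matches; 1 = mismatch; 2 = unusable pin.
check_pin() {
    expected=$(normalize_fp "$1")
    case "$expected" in
        *[!0-9a-f]*) echo "pin contains non-hex characters" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "pin is not 32 bytes" >&2; return 2; }

    digests=$(signer_digests)
    count=$(printf '%s\n' "$digests" | grep -c . || true)
    # Assumption of this example: anything but a single signer is refused.
    if [ "$count" -ne 1 ]; then
        echo "expected one signer, found $count" >&2; return 1
    fi
    actual=$(normalize_fp "$digests")
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH: APK is signed by $actual" >&2; return 1
    fi
    echo "OK: signing certificate matches the published fingerprint"
}

# Constructed sample of apksigner output (not from a real app).
sample_output() {
cat <<'EOF'
Signer #1 certificate DN: CN=Example Developer
Signer #1 certificate SHA-256 digest: 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0
Signer #1 certificate SHA-1 digest: 00112233445566778899aabbccddeeff00112233
EOF
}
```

The pin should come from a channel other than the download itself, such as the project's README or website, since a fingerprint served next to a tampered APK proves nothing.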
Aurora Store
Aurora is an unofficial FOSS front end for the Google Play Store. At times it has offered the ability to download Play Store apps 'anonymously' by creating and cycling various alt accounts for you. Not sure if that is the case anymore, as they had constant issues with the accounts being banned, and their site says you have to have a Google account to log in with. This option is probably better for people that don't already have access to the Play Store, like those on custom/alternative operating systems like LineageOS, GrapheneOS, CalyxOS. I wanted to briefly mention it as it is a FOSS app 'store' available on F-Droid, but its use case is outside of the scope of this post. Here is the F-Droid link, and GitLab link.
Conclusion...
I am becoming more of a FOSS ideologue, so I have switched to using F-Droid Basic. I 'believe' in what they are doing and want to support it as intended. I am also just pulling more data and apps off my phone to use it less anyway; a notes app or calendar app can't take my data if I am writing it physically in a notebook or an Animal Crossing themed calendar on my fridge. My use case and life circumstances are unique though, and this will not work for everyone. I am also just weighing up whether I even want to use a smartphone at all anymore, especially as my phone gets older and already doesn't receive updates. There are a few options I have been looking at, but I'll make another post about that at some point. Please make your own decisions regarding all of this stuff, and genuinely try to ensure they are right for you.
Thanks for reading :)
Here are some forum discussions if you want to be more confused/informed, lmao:
Better way to obtain some apps: F-Droid vs Github without any verification - GrapheneOS forum
F-Droid or Obtainium? - GrapheneOS forum
What's the difference between Fdroid and Izzyondroid, and which one is more secure to use? - r/fossdroid subreddit