A False Sense of Security
Just because an app works doesn't mean it was installed cleanly.
Many users on GrapheneOS focus exclusively on permissions. That matters, but it's incomplete. The source of an app is at least as critical as what sensors or data it's allowed to access.
An app is not just an app.
In this video we analyze the different app sources and show you the safest hierarchy.
- The source determines who built it
- The signature determines who is allowed to deliver updates
- The update chain determines whether tampering would even be noticed
Signatures and checksums are not nerd stuff. They are the foundation of any serious security model.
How App Trust Works on GrapheneOS
GrapheneOS follows a simple but strict principle:
The app signature is the developer's identity.
- Every app is signed with a cryptographic key
- Every update must carry the exact same signature
- If the signature changes, the update is treated as foreign
If this chain is broken, there are only two possibilities:
- The developer lost their key
- Or someone else is suddenly delivering code
Both are a problem from a security standpoint. This logic is the foundation for why some app stores make sense on GrapheneOS and others don't.
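The update rule above, as an added example (not GrapheneOS or Android code): it parses the certificate digest lines printed by `apksigner verify --print-certs` and compares the signer of the installed app with the signer of a candidate update. The sample outputs, digests and status names are constructed for illustration, and the model ignores APK Signature Scheme v3 key rotation.

```python
import hashlib
import re

# Digest lines as printed by `apksigner verify --print-certs app.apk`.
DIGEST_RE = re.compile(
    r"^Signer .*certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M)


def cert_digests(apksigner_output):
    """Set of signing-certificate SHA-256 digests found in the output."""
    return frozenset(d.lower() for d in DIGEST_RE.findall(apksigner_output))


def classify_update(installed_out, candidate_out, pinned=None):
    """Simplified continuity check; ignores APK Signature Scheme v3 key rotation.

    installed_out: apksigner output for the installed APK ("" on first install)
    candidate_out: apksigner output for the APK about to be installed
    pinned: digest published by the developer, if one is known
    """
    installed = cert_digests(installed_out)
    candidate = cert_digests(candidate_out)
    if not candidate:
        return "no-signer"                 # nothing verifiable to compare
    if pinned is not None and candidate != {pinned.lower()}:
        return "pin-mismatch"              # not the key the developer published
    if installed and candidate != installed:
        return "foreign-signer"            # chain broken: lost key or other party
    if installed:
        return "same-signer"               # same identity as the installed app
    return "first-install-pinned" if pinned else "first-install-unverified"


def sample_output(label):
    """Constructed stand-in for apksigner output; digest derives from a label."""
    digest = hashlib.sha256(label).hexdigest()
    return ("Signer #1 certificate DN: CN=constructed\n"
            f"Signer #1 certificate SHA-256 digest: {digest}\n")


# Constructed signers: the original developer and a third-party rebuild.
DEV = sample_output(b"constructed developer key")
REBUILD = sample_output(b"constructed rebuild key")
DEV_PIN = hashlib.sha256(b"constructed developer key").hexdigest()

if __name__ == "__main__":
    print(classify_update(DEV, DEV))
    print(classify_update(DEV, REBUILD))
    print(classify_update("", REBUILD, pinned=DEV_PIN))
```

A rebuild signed with a different key fails both the continuity check and the pin check, even when the code inside the APK is identical.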
The Recommended Store Hierarchy on GrapheneOS
1. GrapheneOS App Store - the Secure Default
The GrapheneOS App Store is the first and most important starting point. It comes pre-installed on GrapheneOS and is simply called "App Store" on the device.
Why?
- Deeply integrated with the system
- Minimal feature footprint
- Verified builds
- No trackers
- No account required
- No hidden dependencies
Everything offered here is deliberately chosen and securely integrated.
Key rule:
Anything available in the GrapheneOS App Store is the secure default.
2. Accrescent - Small, but Extremely Clean
Accrescent is unknown to many users, but it operates in its own security league. Accrescent should be installed directly from the GrapheneOS App Store; that's exactly what it's designed for.
Characteristics:
- Focus on reproducible builds
- Strict signature verification
- No intermediaries
- No mass distribution
Typical example: App Verifier.
Accrescent only offers a handful of apps, and that's precisely the point.
No app zoo. No gimmicks. Only verifiable code.
3. Obtainium - a Tool for Advanced Users
Obtainium is powerful, and that's exactly what makes it dangerous if you don't know what you're doing. Obtainium is not installed through classic app stores, but directly from the project's official GitHub repository.
Advantages:
- Direct source from the developer
- GitHub, GitLab or release feeds
- No store intermediaries
Risks:
- Wrong repositories
- Wrong architecture
- Incorrect release mapping
- No automatic plausibility checks
Core point:
Obtainium is a scalpel, not a kitchen knife.
Whoever uses it takes full responsibility for the source.
4. F-Droid - Situationally Useful, but with Limitations
F-Droid is often broadly perceived as "safe." That's an oversimplification.
- Yes: Open source, transparent builds.
- But: Delayed updates, third-party rebuilds, sometimes different signatures than the original developer.
F-Droid can make sense:
- When there is no better source
- For simple, non-security-critical tools
For sensitive applications, however, F-Droid is not the first choice.
Why Aurora Store Is Problematic
Aurora is convenient. And that's exactly its problem. Factual reasons for caution:
- Third-party app signatures
- Opaque update chain
- Bypasses the regular Play ecosystem
- No clean trust model
"Aurora Store is not problematic because it demonstrably distributes malicious apps, but because it technically bypasses the strict signature and update trust model of the original Play Store. This makes the cryptographic chain of trust less transparent and less robust for the user."
Key rule:
Convenience is not a security concept.
Anyone who cares about clean provenance and verifiable updates should avoid Aurora.
User Profiles - the Underrated Superpower of GrapheneOS
GrapheneOS enables true separation at the operating system level.
Multiple User Profiles
Properties:
- Physical separation of apps and data
- No access between profiles
- Separate app stores per profile
Typical use cases: daily use vs. banking, personal vs. work, Google-free vs. Google-isolated.
App Cloning Across Profiles
The same app package can:
- Be installed in different profiles
- With different accounts
- With completely separate data
Ideal for: messengers, social media, test accounts.
Work Profile with Shelter - Targeted Isolation
Shelter allows creating a work profile within a user profile.
Key properties:
- Logical separation of apps
- No mutual visibility
- Notifications work reliably
Typical use: Google Play Store, Google Play Services.
This lets you isolate Google dependencies without sacrificing push notifications.
Important: Not perfect, but massively better than unfiltered integration.
Decision Logic for App Sources
A simple mental checklist:
- Is the app in the GrapheneOS App Store? → use it
- Is it in Accrescent? → use it
- Official source + Obtainium? → only if you understand what you're doing
- Only available on F-Droid? → weigh your options
- Aurora necessary? → look for alternatives
Zap Store โ a New, Experimental Ecosystem
Alongside the classic app sources, a completely new model is emerging: the Zap Store. The Zap Store comes from the Nostr community and takes a fundamentally different approach than Google Play or the Apple App Store.
Core ideas:
- Developers publish their apps themselves
- Identity is based on cryptographic keys (Nostr keys)
- Trust is established not by a central authority, but through signatures and reputation
- No control by Google or Apple
The Zap Store is:
- Still young
- Under construction technically and organizationally
It's not a complete replacement yet, but a solid start and very promising.
- It is an excellent radar for new, freedom-oriented and experimental apps
- It shows where alternative ecosystems can evolve
- It is especially interesting for users who consciously want to operate outside centralized platforms
Important:
- Zap Store relies more heavily on trust and personal responsibility
- It is clearly aimed at informed users.
I've written a dedicated article on this, as it would go beyond the scope here. All links are below, in the further reading box.
Conclusion
GrapheneOS doesn't force anyone into security.
It provides tools.
Whether real security results from that depends entirely on the user's decisions.
Those who want control must take responsibility.