P PrivacyPhones
Guide

F-Droid vs Aurora Store vs Accrescent vs Obtainium: App Stores for Privacy Phones Explained

A practical comparison of every major app installation method for privacy phones — sandboxed Google Play, F-Droid, Aurora Store, Accrescent, Obtainium, and direct APK downloads. Learn which stores to use, which to avoid, and how to combine them.

TL;DR: For privacy phones, use sandboxed Google Play (GrapheneOS) for mainstream apps, Accrescent for security-focused FOSS apps, and Obtainium for direct GitHub/GitLab releases. F-Droid has real security weaknesses including custom signing keys and slow updates. Aurora Store’s anonymous login is unreliable. The best setup combines two or three sources rather than relying on any single store.

F-Droid vs Aurora Store vs Accrescent vs Obtainium: App Stores for Privacy Phones Explained

Switching to a privacy phone means rethinking how you install apps. On stock Android, you open the Play Store without thinking. On GrapheneOS or any de-Googled phone, you suddenly have choices — and those choices have real security and privacy implications.

This guide covers every major app installation method for privacy phone users in 2026: what each does, where it’s strong, where it’s weak, and how to combine them practically.

1. Sandboxed Google Play (GrapheneOS)

What It Is

GrapheneOS runs Google Play services as a regular sandboxed app — no special privileges, no system-level integration. On stock Android, Google Play services is a privileged system app with deep OS access. On GrapheneOS, it’s just another app.

The compatibility layer teaches Google Play how to work within the standard app sandbox. Google Play services, the Play Store, and Google apps install from the GrapheneOS App Store into any user profile, receiving no additional permissions beyond what you explicitly grant.

Security Model

This is arguably the strongest security model on this list. Apps from the Play Store are signed by developers (or via Play App Signing with upload key verification). You get Play Protect scanning, automatic updates, and the same verification chain serving billions of devices — without Google having privileged OS access.

The sandbox means Google can’t silently read your contacts, location, or files unless you grant permissions. You can install Google Play in a separate user profile, completely isolating it from your main profile.

Privacy Implications

There’s an inherent tension: you’re installing Google services on a privacy phone. Google sees your IP, can track app installs, and if you sign in, they’ll associate activity with your identity.

However, GrapheneOS gives you control: deny all permissions to Play services, use a throwaway account, isolate Google Play in a secondary profile, or revoke network access when not installing apps.

Pros and Cons

Pros:

  • Largest app catalog available
  • Developer-signed with strong verification
  • Automatic, seamless updates
  • Banking apps and push notifications work
  • No special privileges given to Google

Cons:

  • Requires Google interaction
  • Google observes app installation activity
  • Some metadata leakage is inevitable

Best used for: Mainstream apps, banking apps, apps that require Google Play services, any app where you need guaranteed authenticity and timely updates.

2. F-Droid

What It Is

F-Droid is the oldest and most well-known alternative Android app repository, focused exclusively on free and open-source software (FOSS). It has been a fixture of the privacy community for over a decade and hosts thousands of apps.

F-Droid’s main repository takes source code from developers, builds apps on its own build servers, and signs them with F-Droid’s own signing keys. This is fundamentally different from how other app stores work.

Security Model — and Its Problems

This is where F-Droid gets complicated. The GrapheneOS team and several security researchers have raised legitimate concerns about F-Droid’s security model that the privacy community needs to take seriously:

Custom signing keys. F-Droid signs most apps with its own keys, not the developer’s. You’re trusting F-Droid as an intermediary — if their signing infrastructure is compromised, every app is at risk. On the Play Store or Accrescent, developers sign their own apps. F-Droid supports “reproducible builds” with developer signatures, but very few apps use this.

Slow updates. F-Droid builds from source on its own infrastructure, introducing delays of days or weeks between a security update and its appearance in F-Droid. For security-sensitive apps, this window is a real vulnerability.

Build server security. F-Droid’s build servers have historically run outdated software. Their guest VM image ran an end-of-life Debian release for months, raising questions about build pipeline integrity.

Index manipulation risk. Because F-Droid controls building and signing, a compromised server could serve modified app versions. The lack of developer-controlled signing creates a single point of failure.

Weakened Android security model. F-Droid’s installation model doesn’t benefit from the seamless verified installer relationship that the Play Store and Accrescent have, and historically required enabling “unknown sources.”

Privacy Implications

F-Droid collects minimal data — no account, no tracking. Apps in the repository are FOSS and generally tracker-free. From a data-collection standpoint, F-Droid is excellent.

But privacy isn’t just about data collection. Compromised or outdated apps delivered through security weaknesses put your privacy at risk regardless of what data F-Droid itself collects.

Pros and Cons

Pros:

  • Large catalog of FOSS apps
  • No account required
  • No tracking or data collection by the store
  • Community-driven, transparent about its processes
  • Anti-feature warnings for apps with ads, tracking, etc.

Cons:

  • F-Droid signs apps with its own keys (single point of trust)
  • Significant update delays for security patches
  • Build infrastructure has had security concerns
  • Reproducible builds are rare
  • Custom builds may differ from developer’s official release

Best used for: Discovering FOSS apps. But consider installing those same apps via Obtainium or the developer’s own release channel for better security guarantees.

3. Aurora Store

What It Is

Aurora Store is an open-source client for Google Play. It lets you browse and download apps from Google’s catalog without the official Play Store app. Its headline feature is “anonymous” login — accessing Play Store without a Google account.

Security Model

Apps from Aurora Store are the same APKs Google Play serves, signed by original developers. App authenticity is equivalent to the official Play Store.

However, Aurora Store is an unofficial client reverse-engineering Google’s API:

  • No seamless unattended updates like the official Play Store
  • Historical issues retrieving wrong app versions
  • Anonymous login uses shared authentication tokens — inherently fragile

The Anonymous Login Problem

Aurora Store’s anonymous login has been unreliable since 2023. Google aggressively blocks shared account tokens. The developers took down the “Dispenser” (anonymous login provider) multiple times. While anonymous login has been periodically restored, it remains a cat-and-mouse game with Google.

As of early 2026, anonymous login may or may not work on any given day. If anonymous access matters to you, have a backup plan.

Logging in with your own Google account provides no privacy advantage over the official Play Store — and you lose Google’s official verification and update mechanisms.

Privacy Implications

With working anonymous login, Aurora Store hides your identity from Google while accessing the Play catalog. Without it, you’re using a less secure Play Store client with your own account.

The client is open-source and doesn’t add tracking. But connections to Google’s servers still expose your IP and download activity.

Pros and Cons

Pros:

  • Access to Google Play’s full app catalog
  • Apps are developer-signed (same as Play Store)
  • Open-source client
  • Anonymous login (when it works) hides identity from Google

Cons:

  • Anonymous login is unreliable and frequently broken
  • Unofficial API usage can cause version mismatches
  • No seamless unattended updates
  • Shared token system has inherent security concerns
  • Not endorsed by the GrapheneOS team

Best used for: Accessing a specific Play Store app without installing Google Play services. Not recommended as a primary app source due to reliability and security limitations.

4. Accrescent

What It Is

Accrescent is a security-focused Android app store designed from the ground up with modern practices. It emerged from the GrapheneOS community, and the GrapheneOS App Store mirrors Accrescent’s repository — effectively an endorsement.

The catalog is currently small (a few dozen apps), but Accrescent prioritizes correctness over growth.

Security Model

Accrescent’s security model addresses many of F-Droid’s weaknesses:

Developer-signed apps. Unlike F-Droid, Accrescent never signs apps — developers keep full control of their signing keys. If Accrescent’s servers are compromised, attackers can’t sign modified APKs.

App signing key pinning. When a developer submits an app, a hash of their signing key is embedded in signed repository metadata. Every installation verifies the key hash. An attacker who compromises the server can’t swap in a different signing key without detection.

Minimum version pinning. Signed metadata includes a minimum version for each app, preventing downgrade attacks where an attacker serves an older, vulnerable version.

Signed repository metadata. All repository metadata is signed with a key embedded in the Accrescent client. Even if the server is fully compromised, the metadata can’t be tampered with undetected.

Split APK support. Apps are delivered as optimized split APKs for your specific device, reducing download size and attack surface.

Unattended updates. On Android 12+, Accrescent handles updates automatically without requiring privileged OS integration.

Privacy Implications

No account required. No tracking. No data collection. Accrescent doesn’t even know who you are.

Pros and Cons

Pros:

  • Strong security model with developer-controlled signing
  • Key pinning and downgrade attack protection
  • Signed repository metadata prevents tampering
  • No account, no tracking
  • Endorsed by and integrated with GrapheneOS
  • Automatic unattended updates

Cons:

  • Very small app catalog (growing but still limited)
  • Strict publishing requirements mean slower onboarding for developers
  • Still a young project

Best used for: Security-sensitive FOSS apps. If an app is available on Accrescent, it should be your first choice. Check here first, then fall back to other sources.

5. Obtainium

What It Is

Obtainium isn’t an app store — it’s an update manager. Point it at an app’s release page on GitHub, GitLab, or other supported sources, and it monitors for new releases and handles updates. It supports over a dozen source platforms.

You get apps directly from the developer’s official release channel, cutting out all intermediaries.

Security Model

Obtainium downloads the developer’s published APK — no rebuilding, no re-signing. Android’s signature verification ensures subsequent updates must match the original signing key.

Security depends entirely on the developer’s practices. A compromised GitHub account means Obtainium serves the compromised release. There’s no store-level review layer.

You can configure signature verification, filter by release type (stable vs. pre-release), and set update intervals.

Privacy Implications

Obtainium connects directly to the source platform (GitHub, GitLab, etc.). No intermediary sees your download activity. There’s no account or tracking from Obtainium itself.

GitHub still sees your IP and download activity, which is a step up from Google but still involves a major platform.

Pros and Cons

Pros:

  • Apps come directly from the developer
  • No intermediary re-signing or rebuilding
  • Supports many source platforms
  • Highly configurable (filters, intervals, version tracking)
  • Developer-signed APKs verified by Android

Cons:

  • No centralized security review
  • Relies on developer’s release practices
  • Manual setup for each app
  • If a developer’s repository is compromised, you’re exposed
  • No repository-level protections (key pinning, downgrade prevention)

Best used for: FOSS apps where you want the developer’s exact release without F-Droid’s intermediary build process. Excellent for apps that maintain GitHub/GitLab releases.

6. Direct APK Download

What It Is

Some developers distribute apps directly from their own website, bypassing all stores. Signal is the best-known example — download Signal’s APK from signal.org/android/apk/.

Security Model

Signal provides the SHA-256 fingerprint of their 4096-bit signing certificate on the download page, with verification instructions using apksigner. You can verify the APK before installing.

After first install, Android’s signature pinning ensures updates must use the same key. Signal’s direct APK includes a built-in update checker.

This model works when the developer has infrastructure and security practices to support it — it doesn’t scale to random developers hosting APKs on personal websites.

Privacy Implications

You connect directly to the developer’s server. No Google, no intermediary. Your IP is visible to the hosting provider, but there’s no store-level tracking.

Pros and Cons

Pros:

  • Maximum developer control
  • No intermediary of any kind
  • Developer-signed with verifiable certificate
  • For apps like Signal, includes a built-in updater
  • Minimal metadata exposure

Cons:

  • Manual initial setup and verification
  • Only practical for a handful of apps
  • No centralized update mechanism (unless the app builds one in)
  • Requires technical knowledge to verify signatures
  • You must trust the developer’s website security

Best used for: High-value security apps (like Signal) that offer direct downloads with verification. Not practical as a general-purpose installation method.

The GrapheneOS Team’s Criticisms of F-Droid (and Why They Matter)

The GrapheneOS project has been vocal about F-Droid’s security model. Their criticisms are worth understanding:

  1. Adding an unnecessary trusted party. F-Droid rebuilds and re-signs apps, so you must trust both the developer and F-Droid’s infrastructure. Strictly worse than trusting only the developer.

  2. Build infrastructure as single point of failure. A compromise of F-Droid’s build pipeline could inject malicious code into any app, signed with F-Droid’s keys, undetectable by users.

  3. Update delays endanger users. Security patches taking days or weeks to reach F-Droid leave users vulnerable to known exploits — especially dangerous for browsers and messaging apps.

  4. False sense of security. Many users assume F-Droid’s “FOSS only” policy means apps are audited. In reality, F-Droid runs automated checks for proprietary blobs and trackers — not security reviews.

These don’t mean F-Droid is malicious. They mean you should understand what it does and doesn’t guarantee.

No single source is perfect. Here’s a practical setup for GrapheneOS users:

Primary: Sandboxed Google Play

Mainstream apps, banking, anything requiring Play services. Install in a separate user profile to isolate Google.

Secondary: Accrescent

Check here first for privacy/security-focused apps. If available on both Accrescent and F-Droid, prefer Accrescent.

Supplementary: Obtainium

FOSS apps with GitHub/GitLab releases not on Accrescent. Developer’s exact release without F-Droid’s re-signing.

Selective: Direct APK

Signal (from signal.org) and other high-value apps offering direct downloads with verification.

Occasional: F-Droid

App discovery — finding FOSS alternatives. Consider installing via Obtainium or the developer’s release once found.

Sparingly: Aurora Store

Only if you need a Play Store app without installing Google Play services, understanding anonymous login may not work.

Decision Matrix: Which Store for Which Apps

App TypeRecommended SourceWhy
Banking, financeSandboxed Google PlayRequires Play services; needs timely updates
Mainstream apps (Uber, etc.)Sandboxed Google PlayLargest catalog, seamless updates
SignalDirect APK (signal.org)Developer-provided with verification
Privacy-focused FOSS appsAccrescent → Obtainium → F-DroidIn that order of preference
Apps with GitHub releasesObtainiumDeveloper-signed, no intermediary
Apps only on Google PlaySandboxed Google Play (or Aurora Store)Play Store is the only source
Apps with security-critical updatesSandboxed Google Play or AccrescentFastest update delivery

Final Thoughts

The app store question isn’t about finding one perfect solution — it’s about understanding tradeoffs and making deliberate choices. Sandboxed Google Play offers the best combination of security, compatibility, and update speed, even though it involves Google. Accrescent represents the future of privacy-respecting distribution. Obtainium gives power users direct developer access. And F-Droid, despite its flaws, remains useful for discovering open-source software.

The worst approach is installing apps carelessly from any source. The best is a deliberate combination of stores, chosen based on each app’s security requirements. Your privacy phone is only as secure as its weakest app installation decision.