Step 4 · Apps & sources

Where do your apps come from?

On a secure smartphone, what matters isn't only which apps you use, but where they come from. The three big sources: F-Droid, Aurora Store and Obtainium. Here's the honest breakdown.

F-Droid vs. Aurora vs. Obtainium

You don't need a single source; you need the right one for each app. Here's how to combine them sensibly.

Source | What it is | Strength | Weakness
F-Droid | Store for open-source (FOSS) apps | Reviewed, no trackers, privacy-friendly | Updates sometimes delayed, own signing
Aurora Store | Anonymous access to the Google Play Store | Get Play apps without a Google account | Apps may contain trackers; only as good as the app
Obtainium | Loads apps directly from GitHub/developer pages | Original signature, the latest versions instantly | You have to trust the source links yourself

My recommendation – the rule of thumb

  • Obtainium for apps actively developed on GitHub (e.g. many privacy tools) – you get the real developer version, updated fastest.
  • F-Droid for classic open-source apps where reviewed FOSS builds matter more to you than being up to the minute.
  • Aurora Store only as a fallback – for apps that are only available in the Play Store and that you don't want to put in your Google profile.

A note on priority: Always prefer open alternatives. If an app strictly requires Google Play, it belongs in the separate Google profile – not in your main profile via Aurora.

Did you mean "Obsidian"? You'd mentioned Obsidian – that's a note-taking app, not an app store. For getting hold of apps, Obtainium is the right choice. You can of course use Obsidian itself as a (very good, local) note-taking app.

The best apps by purpose

A curated selection of privacy-friendly apps that have proven themselves on GrapheneOS. Source in parentheses.

💬 Messengers

  • Signal – the gold standard for encrypted chats (Obtainium/Play).
  • Molly – a hardened Signal fork (F-Droid/Obtainium).
  • SimpleX / Briar – no phone number, maximally private (F-Droid).

🌐 Browsers

  • Vanadium – pre-installed, hardened, the default choice.
  • Mull – Firefox-based with privacy hardening (F-Droid).

🔐 Passwords & 2FA

  • Bitwarden / Vaultwarden – password manager (Obtainium/F-Droid).
  • KeePassDX – local password vault (F-Droid).
  • Aegis – 2FA codes, encrypted & open source (F-Droid).

🗺️ Maps & navigation

  • OsmAnd – offline maps based on OpenStreetMap (F-Droid).
  • Organic Maps – lean, fast, offline (F-Droid).

📧 Email, calendar & cloud

  • Proton Mail / Tuta – encrypted email (Obtainium/Play).
  • Thunderbird (K-9) – free email client (F-Droid).
  • DAVx⁵ – calendar/contacts sync with your own server/Nextcloud (F-Droid).

📝 Productivity & media

  • Obsidian – local notes & knowledge base.
  • NewPipe / Tubular – YouTube without tracking (F-Droid/Obtainium).
  • Material Files – open-source file manager (F-Droid).

App recommendations change. Before installing, quickly check whether a project is still actively maintained – active updates are an important security signal.

Note: Some of the tools mentioned (e.g. Aurora Store, NewPipe/Tubular) access third-party services through unofficial means. This may violate the terms of service of the respective provider. Using them is your own responsibility.

Push notifications without Google

A common worry: "Do notifications work without Google Play?" – Yes, in most cases.

Built-in push channels

Apps like Signal or Molly come with their own background service and don't need Google push at all.

UnifiedPush

An open standard (e.g. via ntfy) that more and more apps support – push entirely without Google.