I want to make ProtonMail strong on Android, but I don't know which is more secure, the web version or the app via Tor. The web version is accessed from the Onion domain with Tor Browser. The app launches Orbot to select and run the app. Which one is better for anonymity? Also, there is an app named Shelter with which you can create clones of other apps, but the cloned apps it creates cannot be selected by Orbot. Is it safe to select only the Shelter app for VPN? Is it safer than regular apps?
Without defining any threat models, you likely won’t be able to get anything but abstract answers.
It seems that you are focused on just installing some apps with “security” in their description. However, you don’t get anything but subjectively perceived security by installing arbitrary apps.
Their Android app is not open source, so you have no idea what they are doing. They have been promising to open source the app for 2 years already. They might have a native Java app or just a glorified browser that opens the website.
I’d suggest either switching to a provider that supports IMAP or POP3 without any bridges, or at least has an open source app.
But if you are committed to ProtonMail, I believe the web version (its front is open source) is better.
I doubt that the vast majority of people can do anything with source code. Many projects consist of dozens (or hundreds) of files, there are many different programming languages and there are oftentimes dependencies on third-party libraries. Besides, “open source is more secure than closed source” is a myth (see https://infosec-handbook.eu/blog/software-security-myths/#m1).
You can always use gpg directly in your terminal or on your Windows desktop to encrypt/decrypt e-mails. There is no need to rely on apps or websites.
The fact that not all people can check the source code doesn’t make it a myth.
How many people can check the source code of closed-source software? The maintainers/owners and companies they (may) hire to audit their code.
How many people can check the source code of open-source software? The maintainers/owners, the companies they (may) hire to audit their code and everybody else that knows the language.
It’s true that a single person can hardly check the code of everything he uses; however, open-source software provides the ability to do so. You can decide for yourself if you want to spend the time reviewing it, hiring someone else to do it for you or not checking it at all.