Hi
As mentioned in this forum (e.g. here) several times before, Aurora Store has a few security bad practices related to legacy storage permission and missing certificate pinning, among others.
Looking at the changelog for version 4.4.0, I wonder if this update rectifies at least some of these security bad practices?
I've highlighted a few interesting bullets in the changelog below with <--- Here!
Changelog version 4.4.0:
- Major internal changes to the downloads system
- Aurora Store now requires new permission to download in the background <--- Here!
- Pause and Resume features have been deprecated for downloads
- Concurrent downloads have been deprecated (limited to one download at a time)
- Automatic SHA256 & SHA1 verification for downloaded files <--- Here!
- Better support for apps with shared libraries such as Chrome and WebView
- Major changes to the updates system
- New automatic updates for apps (enabled by default)
- New automatic certificate verification for updates <--- Here!
- Support for updates with signing key rotation (introduced after Android 9.0+) <--- Here!
- Self-Updates (Aurora Store) has been disabled by default (enable in settings > update)
- Native Installer and Aurora Services have been deprecated
- Exporting installed apps doesn't require storage permissions anymore
- The minimum required Android version for apps is now visible on the app details page (More about this app > Info)
- Translation updates & major bug fixes
- Support for installing apps with Sui (Shizuku Magisk Module)
- Ability to override the GMS version from Settings > Network
- Material3 is now being used in more places