Hi,

I've recently started using GrapheneOS in my journey to degoogle and I love it.

I'm really sorry if I've posted in the wrong place or if I've tagged this discussion incorrectly, but I have a few (probably very noobish) questions if that's okay.

  1. I unfortunately have some apps that I need on my phone that are on the Play Store. If I use Aurora Store to download them, how safe/secure is this?

  2. This might be a really silly question, but if I download the app through Aurora Store, I understand that it uses dummy anonymous accounts to download from the Play Store since I selected the "Anonymous" option, but does any of my data on the app get synced to that dummy Google account's cloud storage/settings or whatever? (I know this probably sounds really silly and I'm probably just overly nervous, but thought I'd double-check)

  3. If you had any tips at all to give someone new to GrapheneOS, what would they be?

Aurora Store is less secure than Play Store for various reasons. It makes sense to use it in some scenarios though, which in my mind, are the following:

  1. In a profile where you're not using sandboxed Google Play
  2. For apps which mark their Play Store listings as requiring the stock OS to work but don't actually require it (Netflix is an example of that).

Beyond that, my recommendation for people starting out is to use sandboxed Google Play and Play Store with a throwaway Google account made just for this purpose.

    matchboxbananasynergy Thanks for the answer :)

    I only need it for a small handful of apps. Is there anything to worry about in regards to my second point? (For example: the Anonymous Google Accounts potentially getting app-data synced to them from my phone?)

      devotessential Is there anything to worry about in regards to my second point? (For example: the Anonymous Google Accounts potentially getting app-data synced to them from my phone?)

      No, no issue with that. The 'anonymous' accounts are only used to authenticate against Google servers in order to access the store and download apps. The apps you install through Aurora Store have no ties to the account that was used to download them.

        233328 That's brilliant, thank you! Is there any documentation anywhere that says that? I'm interested in learning more and more about Aurora Store as I'm a complete noob at the minute!

        Also (and I'm sorry for constantly asking questions!) are there any security issues I need to be concerned about? Or is it pretty safe from a security perspective to install the small handful of apps I require that aren't published online as APKs from Aurora without having to worry about security? (The privacy element is a whole other thing)

          devotessential Is there any documentation anywhere that says that?

          Not specifically. Aurora Store is open source, you can check out the project and maybe contact the developers if you're concerned and have questions: https://gitlab.com/AuroraOSS/AuroraStore

          devotessential are there any security issues I need to be concerned about?

          Well, it is less secure than using the Play Store since it adds a party to the equation (you have to trust the Aurora Store devs on top of Google's servers). It also doesn't implement security features like certificate pinning, although I'm not knowledgeable about what that implies. There's no obvious gaping hole that makes it an absolute no-go, if that's what you're asking.

          I have used it in the past, without issues. Whether it's secure enough depends on your requirements.

            233328 certificate pinning

            Certificate pinning prevents machine-in-the-middle (MITM) attacks. The application "pins" (comes bundled with) an expected certificate, and if the remote certificate doesn't match, then it will reject the network connection. This prevents an adversary from issuing their own certificate for the website, which your local application would otherwise connect to. The downsides are that if you don't update the app for a long time, the certificate might rotate and then you can't connect without updating or re-downloading the app to get a version with a current pinned certificate; and the user can't MITM the connection either to inspect the app to see what data is actually being sent (without disassembling the app, removing the pin check/replacing the cert, etc.).
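For readers wondering what pinning looks like on the app side, here is an added example of how an Android app declares pins with the platform's Network Security Config; it is not Aurora Store's code, and the hostname and pin values are placeholders. The `expiration` date and the backup pin are the two standard mitigations for the rotation downside described in the post above.

```xml
<!-- res/xml/network_security_config.xml (added example; referenced from the manifest via
     android:networkSecurityConfig="@xml/network_security_config") -->
<network-security-config>
    <domain-config>
        <!-- placeholder host; the app's real API/CDN hostnames go here -->
        <domain includeSubdomains="true">store.example.com</domain>
        <!-- Expiration is the safety valve for the rotation problem: after this date Android
             stops enforcing the pins (ordinary CA validation still applies) instead of
             hard-failing, so a stale, never-updated install does not lose connectivity. -->
        <pin-set expiration="2025-12-31">
            <!-- base64(SHA-256(SubjectPublicKeyInfo)) of a cert in the chain; placeholder value -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- backup pin for a key kept offline, so the serving cert can rotate to that key
                 without shipping an app update; placeholder value -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

Because pins are matched against the public key rather than the whole certificate, the server can renew its certificate with the same key and still pass the check; only a key change needs the backup pin or an app update.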

            8 days later

            This is about the 3rd time I ragequit Aurora Store. If you want to use it, be willing to follow or create issues on Aurora's GitLab repo. It's a buggy mess and may get throttled by Google "just because". I gave up on it and made a fake account. To make a fake Google account without a phone number, I needed to connect to a France VPN server and create the account in the Play Store app itself. You may need to create a fake user between 13 and 15 years old for the "skip" option to become available.