Spoofing install sources for non-Play Store installed apps...

doodle

GrapheneOS Apps with this constraint depend on Play services and the Play Store, so why not install them from the sandboxed Play Store? That's much more secure and you can still use a throwaway account. Using shared throwaway accounts also creates potential security issues and is clearly against the terms of use.

Several apps like the American Airlines (AA) app don't allow installing to GOS devices on the Play Store anymore (says app is unavailable for your device), but if it was previously installed, it works and updates fine.

I should clarify that installing from a third-party source, although insecure, if the install source can be spoofed by Play Store by GOS, would allow Play Store to update and replace the app with a trusted copy.

The app itself does not check for Play Integrity. It runs fine if it was previously installed. However, it checks for its installation source to be the Play Store - for good reasons you mentioned. So this spoof would allow users to 'workaround' Play Store not allowing a first-time install, and then the Play Store can replace the app with a trusted copy in the next update.

AttemptUndertook

GrapheneOS Apps with this constraint depend on Play services and the Play Store, so why not install them from the sandboxed Play Store? That's much more secure and you can still use a throwaway account. Using shared throwaway accounts also creates potential security issues and is clearly against the terms of use.

What information does the Sandboxed Play Store have access to on a GOS device?

Can it see all of the apps installed on the device regardless of the installation source or does it only see apps installed through the play store?

[deleted]

AttemptUndertook yes, the former. If the app can see the list of all installed apps, that would contain also the ones it didn't install. What thought is behind the question?

AttemptUndertook

[deleted]

I currently have Play Services and Store installed for notifications. I have not signed into a google account and get all my apps through Aurora or F-Droid stores.

If Play Store can already see all of the apps I have installed regardless of the source, I am not gaining any extra privacy by using Aurora store. I could just use the GOS recommended approach of using a throwaway google account and get all of my non-F-Droid apps from the Play Store. Is this the logic behind the recommendation?

[deleted]

AttemptUndertook you just answered your own question. I don't use Google Play in order to get just that extra bit of privacy.

AttemptUndertook

[deleted] I don't use Google Play in order to get just that extra bit of privacy.

Technically Google could fingerprint you based on your throwaway account, but even if you don't sign into an account, I am assuming they have other device level identifiers that they could use to fingerprint you. Is that accurate?

If that is true, for folks like myself that use Play Service and Store for notification purposes (which I would think is a large user base) there is absolutely no advantage to using Aurora store.

matchboxbananasynergy

Apps can see other apps in the same profile. It's not any different with Google Play, as they're in the same sandbox as all other apps.

matchboxbananasynergy

AttemptUndertook I am assuming they have other device level identifiers that they could use to fingerprint you. Is that accurate?

Regular apps don't have access to device identifiers. https://grapheneos.org/faq#hardware-identifiers

Don't think of Google Play on GrapheneOS as different in any way. Everything that applies to regular apps applies to it too.

[deleted]

matchboxbananasynergy I heard this over and over. You can't see past the proprietary code, can you? Assume zero trust.

AttemptUndertook

matchboxbananasynergy

Thank you for that explanation. Can the Play Store see my IP address?

The only thing that I can think of (with my limited technical knowledge) is that if I use a throwaway account with the Play Store on GOS and I log into my personal Google account on another device on the same network, Google might be able to connect the two based on both logins coming from the same IP. I am assuming they won't be able to tell for sure that it is the same person, but perhaps they know that both logins came from the same house hold. Is this a valid concern?

spring-onion

[deleted] That's not how it works, what code is behind it doesn't matter. The sandbox is forced onto apps, whether they like it or not. They have no say in that matter. The play store on GrapheneOS is just another ordinary app so the exact same restrictions are imposed onto it.

matchboxbananasynergy

[deleted] Aside from the fact that you think closed source code cannot be inspected, which is false, it simply doesn't matter for what I'm trying to explain.

Regardless of the app's source model, it's still constrained by the same rules. The sandbox is open source, what apps are and are not allowed to do is open source, it's known, it's not an unknown thing.

You can use whatever you want, but let's please try to maintain accuracy when discussing these topics that are so often subject to misinformation.

edit: just noticed a fellow mod had already replied.

[deleted]

Thank you both for your time spent, I will try to process information given with my limited capabilities.

DeletedUser370

I have been a regular user of Aurora Store in the past, but hearing GrapheneOS' arguments for its insecurity, and knowing the fact that the Play Store on GrapheneOS is forced to run in the regular app sandbox, I struggle to see even the minor privacy benefits of using Aurora Store rather than Play Store. You do not need to give out your phone number and residential IP address in order to create an account.

If the aim of exclusively using Aurora Store instead of Play Store is to 'degoogle', i.e. to avoid Google apps and services as much as possible, then I personally believe that using Aurora also goes against such aim: consider that Aurora downloads directly from the Play Store, which is run by the company that one's trying to avoid. It makes more sense to get apps directly from the app developers, using something like Obtainium, and alternative app stores such as Accrescent, if the aim is to remove Google from one's life.

p338k

AttemptUndertook Can the Play Store see my IP address?

It must be able to see you IP address as part of network traffic. You would need something like TOR or a VPN to prevent that.

nroth_us

I think this got a bit sidetracked. Let's accept for now the premise that we will sometimes need to use Aurora Store to install apps since some app authors use OS allowlists that include PixelOS and Samsung Android but not GrapheneOS.

How do I do that?