Spoofing install sources for non-Play Store installed apps...

... that check for installation source?

Like the AA app which works fine (& updates fine) on existing GrapheneOS installs, but no longer allows installation on GOS devices because Play Store refuses to install it on devices without strong integrity now (is that the right terminology?)

Anyway, installing it via Aurora will not work because the install source is not Play Store. But we know the app works fine, so perhaps GOS could allow spoofing the install source for apps as a setting, to get apps working if they do not force Play Integrity in-app?

I know this is a game of cat and mouse, but it can get rid of the minor inconvenience.

    doodle Aurora Store doesn't securely retrieve apps from the Play Store since it doesn't verify the signatures proving the apps came from the Play Store or signed metadata, and it doesn't reduce the trusted set of certificate authorities. This is not how the security model for installing apps from an app store is meant to be. It shouldn't be possible for thousands of organizations with access to a CA to intercept the connections. There's also no enforced Certificate Transparency so it would not be possible to detect that it happened as it would be for a web site which acts as a form of deterrence, although most organizations don't check CT logs.

    Spoofing the app source for Aurora Store would be a security vulnerability in the OS rather than only in Aurora Store.

    Apps with this constraint depend on Play services and the Play Store, so why not install them from the sandboxed Play Store? That's much more secure and you can still use a throwaway account. Using shared throwaway accounts also creates potential security issues and is clearly against the terms of use.

    I know this is a game of cat and mouse, but it can get rid of the minor inconvenience.

    The check in Android Auto is for security and safety policy enforcement. The check in most other apps will get replaced by the Play Integrity API so spoofing it is meaningless.

    You should just use the sandboxed Play Store as we recommend instead of an insecure third party project that's almost certainly going to get banned from accessing the Play Store due to breaking the account sharing rules.

      GrapheneOS Apps with this constraint depend on Play services and the Play Store, so why not install them from the sandboxed Play Store? That's much more secure and you can still use a throwaway account. Using shared throwaway accounts also creates potential security issues and is clearly against the terms of use.

      Several apps like the American Airlines (AA) app don't allow installing to GOS devices on the Play Store anymore (says app is unavailable for your device), but if it was previously installed, it works and updates fine.

      I should clarify that installing from a third-party source, although insecure, if the install source can be spoofed as Play Store by GOS, would allow Play Store to update and replace the app with a trusted copy.

      The app itself does not check for Play Integrity. It runs fine if it was previously installed. However, it checks for its installation source to be the Play Store - for good reasons you mentioned. So this spoof would allow users to 'workaround' Play Store not allowing a first-time install, and then the Play Store can replace the app with a trusted copy in the next update.

      GrapheneOS Apps with this constraint depend on Play services and the Play Store, so why not install them from the sandboxed Play Store? That's much more secure and you can still use a throwaway account. Using shared throwaway accounts also creates potential security issues and is clearly against the terms of use.

      What information does the Sandboxed Play Store have access to on a GOS device?

      Can it see all of the apps installed on the device regardless of the installation source or does it only see apps installed through the Play Store?

        • [deleted]

        AttemptUndertook Yes, the former. If the app can see the list of all installed apps, that would also contain the ones it didn't install. What thought is behind the question?

          [deleted]

          I currently have Play Services and Store installed for notifications. I have not signed into a Google account and get all my apps through Aurora or F-Droid stores.

          If Play Store can already see all of the apps I have installed regardless of the source, I am not gaining any extra privacy by using Aurora store. I could just use the GOS recommended approach of using a throwaway Google account and get all of my non-F-Droid apps from the Play Store. Is this the logic behind the recommendation?

            • [deleted]

            AttemptUndertook you just answered your own question. I don't use Google Play in order to get just that extra bit of privacy.

              Apps can see other apps in the same profile. It's not any different with Google Play, as they're in the same sandbox as all other apps.

              [deleted] I don't use Google Play in order to get just that extra bit of privacy.

              Technically Google could fingerprint you based on your throwaway account, but even if you don't sign into an account, I am assuming they have other device-level identifiers that they could use to fingerprint you. Is that accurate?

              If that is true, for folks like myself that use Play Service and Store for notification purposes (which I would think is a large user base) there is absolutely no advantage to using Aurora store.

                [deleted] That's not how it works, what code is behind it doesn't matter. The sandbox is forced onto apps, whether they like it or not. They have no say in that matter. The play store on GrapheneOS is just another ordinary app so the exact same restrictions are imposed onto it.

                [deleted] Aside from the fact that you think closed source code cannot be inspected, which is false, it simply doesn't matter for what I'm trying to explain.

                Regardless of the app's source model, it's still constrained by the same rules. The sandbox is open source, what apps are and are not allowed to do is open source, it's known, it's not an unknown thing.

                You can use whatever you want, but let's please try to maintain accuracy when discussing these topics that are so often subject to misinformation.

                edit: just noticed a fellow mod had already replied.

                • [deleted]

                Thank you both for your time spent, I will try to process information given with my limited capabilities.

                I have been a regular user of Aurora Store in the past, but hearing GrapheneOS' arguments for its insecurity, and knowing the fact that the Play Store on GrapheneOS is forced to run in the regular app sandbox, I struggle to see even the minor privacy benefits of using Aurora Store rather than Play Store. You do not need to give out your phone number and residential IP address in order to create an account.

                If the aim of exclusively using Aurora Store instead of Play Store is to 'degoogle', i.e. to avoid Google apps and services as much as possible, then I personally believe that using Aurora also goes against such aim: consider that Aurora downloads directly from the Play Store, which is run by the company that one's trying to avoid. It makes more sense to get apps directly from the app developers, using something like Obtainium, and alternative app stores such as Accrescent, if the aim is to remove Google from one's life.

                matchboxbananasynergy

                Thank you for that explanation. Can the Play Store see my IP address?

                The only thing that I can think of (with my limited technical knowledge) is that if I use a throwaway account with the Play Store on GOS and I log into my personal Google account on another device on the same network, Google might be able to connect the two based on both logins coming from the same IP. I am assuming they won't be able to tell for sure that it is the same person, but perhaps they know that both logins came from the same household. Is this a valid concern?

                  AttemptUndertook Can the Play Store see my IP address?

                  It must be able to see your IP address as part of network traffic. You would need something like Tor or a VPN to prevent that.