  • Should I download apps from the Aurora Store instead of the Google Play Store?

Sorry to hijack this thread but I was wondering the same thing about Aurora vs Google Play Store. I've read a few threads here that seem to say that F-Droid and Aurora are less secure/worse alternatives to sandboxed Play Store. I've recently purchased a Pixel 6a and installed GrapheneOS and I'm still in the process of working out/migrating from my old phone. I've got a Google Account tied to my identity from my previous phone. I can't really create a burner Google Account as I don't live in a country where burner mobile numbers are a thing. Am I better off using Aurora Store for everything going forward or is it pretty much fine to use my years old Google Account for app downloads on Play Store in GrapheneOS? Sounds like from your post above MetropleX that the Play Store is pretty restricted but I just want to make sure I'm not making silly mistakes while I'm at the start of using GrapheneOS!

25 days later
  • [deleted]

MetropleX What does it mean when you say Google will know how you use their apps? Are you saying only Google apps or all apps on the Play Store?

    [deleted]

    Google has analytics libraries that help app devs see how an app is used. Google can know how you use their apps and other apps if they use the Google library for that.

      unwat

      IIUC these little "analytics" libraries can be built into the app by the developer before giving them to GStore or posting on, e.g., GitHub; and/or be called dynamically at execution when Google libraries are available (heck.... maybe they can be imported from Google over the net at execution time!?). Which means there's no escaping them by going to Aurora Store.

      However, F-Droid states: "...Wherever possible, applications in the repository are built from source, and that source code is checked for potential security or privacy issues. This checking is far from exhaustive and there are no guarantees....". So this begs the question, will they detect and remove these analytic leaks?

        newbie24689

        It all depends on the developer. But yes if they use Google's libraries they can work even without Google Play on the phone.

        It's true open source apps can be modified before building them. If you're worried about that, you can build them yourself.

        These libraries are included when the app is compiled. Apps can't just modify themselves while running like that.

        newbie24689 So this begs the question, will they detect and remove these analytic leaks.

        No clue. You'd have to ask them what they'd do in that situation. My guess is if they detect this kind of thing, they'd just not update the app or they'd remove it from their repository.
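
The replies above say that analytics libraries are compiled into the app package, so they travel with the APK whichever store delivers it. The following added example (not code from any poster in this thread) checks an APK's DEX files for two Google analytics packages; the prefix list is a short illustrative assumption and the sample APK bytes are constructed.

```python
import io
import zipfile

# Class-descriptor prefixes as they appear in a DEX string table.
# Assumption: a short illustrative list, not an exhaustive tracker database.
ANALYTICS_PREFIXES = {
    "Firebase Analytics": b"Lcom/google/firebase/analytics/",
    "Google Play Services measurement": b"Lcom/google/android/gms/measurement/",
}


def find_bundled_analytics(apk_bytes):
    """Return sorted names of analytics SDKs whose classes are inside the APK.

    An empty result is not proof of absence: code shrinkers can rename
    classes, and other analytics SDKs are not in the list above.
    """
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            # Compiled code lives in classes.dex, classes2.dex, ...
            if not (name.startswith("classes") and name.endswith(".dex")):
                continue
            dex = apk.read(name)
            for sdk, prefix in ANALYTICS_PREFIXES.items():
                if prefix in dex:
                    found.add(sdk)
    return sorted(found)


def make_sample_apk(dex_payloads):
    """Build a constructed, minimal APK-shaped zip (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"constructed")
        for i, payload in enumerate(dex_payloads, start=1):
            name = "classes.dex" if i == 1 else f"classes{i}.dex"
            z.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: one app bundling the SDK in its second DEX, one without.
WITH_SDK = make_sample_apk([
    b"dex\n035\x00Lorg/example/app/MainActivity;",
    b"dex\n035\x00Lcom/google/firebase/analytics/FirebaseAnalytics;",
])
WITHOUT_SDK = make_sample_apk([b"dex\n035\x00Lorg/example/app/MainActivity;"])

if __name__ == "__main__":
    print(find_bundled_analytics(WITH_SDK))
    print(find_bundled_analytics(WITHOUT_SDK))
```
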

          • [deleted]

          MetropleX if you do make a throwaway account though, is it worse than Aurora Store in terms of privacy? What do you use, if you don’t mind me asking?

            [deleted] I use both Aurora and Play Store.

            I use Play Store alongside my 'legacy' personal account for apps I'd purchased and when using Family Link parental control in its own user.

            I use Aurora store in other users with and without Play Services where an account isn't required. These profiles have limited use however and upon logging in the first thing I do is go to update them.

            The benefit of a throwaway user account to use Play Store is if the user is in regular use and you want to ensure apps are updated promptly and without supervision.

              • [deleted]

              MetropleX okay that makes sense. Once I get my 7 Pro I want to do the tidy user profile setup where the second user is my main, but I wanted to install all 3 sandboxed Google apps with a throwaway account, but it seems there is more anonymity with Aurora? I might be thinking about this too hard. Coming from iOS, but really excited. Just don’t want to make stupid mistakes 😂

                unwat

                " ...It's true open source apps can be modified before building them. If you're worried about that, you can build them... "

                Sigh.... been there, done that (on other platforms); I'm getting too old

                "...Apps can't just modify themselves while running like that..."

                Well, I was thinking about the use of DLLs (.dll) to temporarily bring in the function at execution time from over the net - not modifying/updating the app itself. This is what I would do - it would allow Google to bring in "the latest and greatest" metrics even to last month's apps. Of course if this is used, it also presents the possibility for someone to modify the DLL modules with nastyware, TLA-ware, etc.

                "...My guess is if they detect this kind of thing, they'd just not update the app or they'd remove it from their repository..."

                Sigh..... you're probably right. Which for me means using an absolute minimum number of non-GrapheneOS apps, and then only from careful, trustworthy developers. Pray for a well-supported GrapheneOS application "store" that uses hardened compilers and no outside DLLs.

                Thanks for your responses here and elsewhere!!

                [deleted]

                "...the tidy user profile setup..."

                What is this, please? Where is it described, please? An empty main user and a few (or many) additional users?

                "...but it seems there is more anonymity with aurora?..."

                ISTM that's right. And MetropleX appears to be using aurora where possible.

                His comment on using Google playstore to maintain currency/updates seems important, though if you don't have a lot of apps, jroddev release tracker seems a good way around that.

                I recall buying increased function of netguard (for old CopperheadOS) directly from the developer, and thereby avoiding Googlestore - direct donation will be my policy when I get GOS up and running (hopefully this afternoon :-) )

                [deleted] If using a throwaway, your anonymity between stock and Aurora can be considered the same. All Aurora does is use their own throwaway accounts. If you don't want apps to be dependent on using Firebase Cloud Messaging (FCM) for push but want to leave them using their own implementation (e.g. websockets) when available (Signal, Tutanota, WhatsApp, to name a few), then Aurora would be the store to use.

                Also, using Aurora may be essential, as certain users have discovered issues trying to register a non-identifiable Google account. Trying to register from certain regions or behind certain VPNs, etc., can lead to the sign-in process requesting phone numbers, for example.