Pros/Cons of using APK Mirror instead of Aurora Store

sboarder

Hello GrapheneOS forums!

I've discovered that an app that is only officially available on the Google Play Store which I download using Aurora Store, is also available on APK Mirror, but for some reason, the checksums on their APK file did not match the ones I downloaded via Aurora Store, but the APK signature did match, so I could update using the files on APK Mirror and stop using Aurora Store if I wanted to.

It turns out my files were fetched via Aurora Store using a device model with armv8a, spoofing to an armeabiv7a-only device gave me the exact same file as on APK Mirror, checksums and signatures were exactly the same, and despite it being for armeabiv7a devices, I noticed the APK was bundled with libraries for both architectures, so it still works on my device.

Now that I confirmed how to get the exact same APK file as APK Mirror via Aurora Store, I feel I can trust them as my source of APK files from the Play Store, and can use them instead of Aurora Store. The app will not update if the signature of the new APK is different than the signature of the currently installed version, so in theory I should be safe from malicious APKs right? And from what I heard, APK Mirror is somewhat reputable?

My main reason for switching to APK Mirror is to grab APK files directly from their site, rather than using Aurora Store which connects to Google servers, not to mention I've had trouble updating the apps I want via Aurora Store from time to time, a direct APK download should be much simpler, and if the APK Mirror files are the same ones I can obtain from Aurora Store, there shouldn't be much room for concern I think.

Any thoughts on this? Potential drawbacks? I feel I should be safe here, but maybe there's something I overlooked.

Dan-cer

I am also interested to know which sources are trustworthy. In Linux, it is considered safe to download the installation file directly from the program's website. Doesn't this also apply to *.apk files? I downloaded Telegram directly from the website, for example, because Google provides a restricted version that blocks some channels for political reasons.

What about F-Droid? Is it safe? The main problem there is that it can only deliver a few apps compared to Aurora. The offer of Neo Store is also rather mediocre.

That is, there is often only a choice between Aurora and directly from the manufacturer. Or have I missed something? What is the first choice? Also in terms of security against malware?

Dumdum

Dan-cer What about F-Droid? Is it safe? The main problem there is that it can only deliver a few apps compared to Aurora. The offer of Neo Store is also rather mediocre

Fdroid is explicitly open source only. The "safety" of the apps on Fdroid come from trust in Fdroid's team as they build all apps themselves, unless the app comes from a third party repo (e.g. izzyondroid) which can be enabled in settings. Because they're open source, a lot of apps (sadly not all) can be installed from APKs on whichever git repo they use (github, gitlab, etc.), so you don't even need to rely on / trust Fdroid.

Edit: also Fdroid uses the same signing keys on all apps I believe, which means if someone gets the keys then all apps on fdroid are vulnerable.

Dan-cer

Dumdum Good to know. Because I'm in contact with the developer of "AutoZen" which is an interesting alternative to Android Auto. At the moment it is distributed through Google/Aurora with some bad restrictions.
In example he is not allowed there to embed third-party apps like "Here Wego". The advantage being at Google/Aurora it is easier to find by potential users.
Ho could have an installation file on his website and also at F-droid.

matchboxbananasynergy

Dumdum Fdroid is explicitly open source only. The "safety" of the apps on Fdroid come from trust in Fdroid's team as they build all apps themselves,

Not all apps are built by F-Droid. The ones with reproducible builds are dev's builds and are signed by the devs, not F-Droid.

Dumdum Edit: also Fdroid uses the same signing keys on all apps I believe, which means if someone gets the keys then all apps on fdroid are vulnerable.

Not the same keys on all apps. But for the apps they build, they of course control the keys.

Dumdum

Dan-cer Ho could have an installation file on his website and also at F-droid.

AutoZen isn't open source as far as I can tell, so no, they would not be able to have the app on Fdroid. As I said, Fdroid is explicitly open source only. I could be wrong but it might be possible for developers to create their own third party repo to host a closed source app on. The main Fdroid repo absolutely wouldn't though. Though, I'd be surprised if the developer would be willing to do so, not just creating but maintaining their own repo.

Dan-cer

Dumdum He is kind of idealistic to create an app that really provides all you need for navigation, entertainment and more, and I like to support that. I could ask him what he thinks about open source.
As I'm using Vivaldi browser that isn't completely open source, I found out their reasons not to go there and it is quite reasonable.

nomogoogly

I have also wondered about this topic. I recently switched from fdroid to neostore after reading, that neostore is better at showing pros and cons data of apps and also it is better at updating. I have also used Aurorastore, which I understand leaves a bit to be desired. Recently a couple of threads here have suggested using the developers' apk's and using obtanium for much better updating. For those of us, who aren't super knowledgeable on the subject, I would be interested in the forum members views. Is it better to try locating the developers' apk's directly and updating with obtanium, or is this idea just paranoid supposition, with fdroid, neostore or aurorastore being sufficient for the average user?

matchboxbananasynergy

nomogoogly For the "average user", as you put it, using Play Store is probably what you want from a security and usability aspect. People tend to overcomplicate this process and there will always be endless debates about it.

On a personal level, I have serious concerns about people using F-Droid in the long run, as we have seen time and time again that they don't actually understand Android, the Android security model, and that F-Droid itself has a lot of security weaknesses, which often go ignored for many months until their hand is forced and they have to fix it.

Aurora Store could be more secure, but isn't in the end.

With Obtainium, you need to be careful. It's just a tool to grab APKs from various sources. There are gotchas there. There are no checks for whether the apps target a recent targetSdk (F-Droid doesn't really check for that either). As an example, take Termux as an app. They do release it on GitHub, so you could use Obtainium to get that. You won't know that it targets an old targetSdk, and you won't know that it's signed with a testing key that's public, meaning that someone can create a valid update that's malicious.

While you're mostly going to be fine, it requires being careful. My issue with people recommending F-Droid as some kind of panacea is that it too has major issues, and yet it's promoted as a way to obtain apps securely. When F-Droid eventually has a major oopsie and people are at risk, I want people in this community to at least have been aware that it's not the panacea that people make it out to be. At the end of the day, people should use what they want regardless.

nomogoogly

matchboxbananasynergy Thanks for the info. Definitely adds to the knowledge base.

sboarder

Thanks for the discussion everyone, since the number of apps I want from the Play Store is very small, I think getting updates from APK Mirror should be fine for my use case for now, however, I noticed another app from there has a "universal" APK file, which has libraries for arm64v8a, armeabiv7a, and x86-64, and I do not know how to get that universal APK from the Play Store/Aurora Store.

Spoofing as x86-64 and armeabiv7a and downloading via Aurora Store only gives me architecture specific APKs, so I'm not sure how they sourced that particular APK file.

The app id is com.supercell.clashroyale for those curious

I think it could also be a good idea to source APK files from APK Pure, and compare the APK signatures and checksums, if the ones from APK Pure are the same as the ones from APK Mirror, which are the same as the ones downloaded via Aurora Store, then they would all be trustworthy APK files I think.

I also thought about comparing files from other sources, such as QooApp and Aptoide, but those may require a separate app/login, and gathering files from all these sources seems a bit tedious, there seems to be very limited info on APIs for these sources, being able to automate the download of APKs from multiple sources for comparing checksums and signatures would go a long way here.

Since I personally use F-Droid, deploying a small local repository of APKs that I download, verify, and trust would be ideal here, so that I can update via my current F-Droid client.

sboarder

I just noticed that Aurora Store v4.4.4 appears to have an option in networking for a proxy server, has anyone tried using it with a proxy? I imagine the option must have been there before but I never looked into Aurora Store's settings too deeply.

I think a proxy would be good especially for apps that are region/country locked, which give me difficulties when downloading, I might try it out for myself and keep Aurora Store with APK Mirror as a second option.

Dan-cer

And I just realized that I can't download updates from Aurora Store. Yesterday I changed the DNS to Quad9. Could this be the reason?

Dan-cer

Download updates now work again. Maybe the store was unavailable for a short period of time.

DeletedUser29

Dan-cer Yes that happens occasionally.
https://gitlab.com/AuroraOSS/AuroraStore#limitations

Limitations

Underlying API used is reversed engineered from PlayStore, changes on side may break it.

Provides only base minimum features

Can not download or update paid apps.

Can not update apps/games with Play Asset Delivery

Multiple in-app features are not available if logged-in as Anonymous.

Library

Purchase History

Editor's Choise

Beta Programs

Review Add/Update

Token Dispenser Server is not super reliable, downtimes are expected.