Automatic Aurora-Store Update / start of Aurora-Store ?

upstage4186

pxlkng It has security issues.

I see. I don't know much regarding the issue of authenticity but tbh, I've been using Aurora for a while and not had any problems with auto-updating.

pxlkng Aurora Store does not do that. It does not avoid Google.

So, what if I have an app that bundles Google libs, but deny it network access, but also have Google play/services installed which DOES have network access as required. I think the concern is, would they be able to communicate via IPC and then as a result, leak data from the network-blocked app?

pxlkng There would be no reason for a FOSS app that has no Google libraries included (e.g. Molly FOSS) to talk with Play Services.

In an ideal world where I could use only FOSS apps, this would be great, but unfortunately I have to install chat apps, apps for banking, work, etc. I know there's Private Space and extraneous user profiles, but sometimes its more ideal to install certain shady apps (like chat apps that need to be active all the time) in the main profile. Not having Google Play in this profile would be awesome.

pxlkng

upstage4186 for a while and not had any problems

Security is proactive, not reactive. It working now doesn't mean it can't break at any moment. It is just not secure or reliable and has shown this many times in the past, where users noticed after months they have been missing updates.

DeletedUser313

pxlkng

So it would be linked to a profile rather than a device then

upstage4186

I agree with pxlkng, Aurora Store tends to have delayed updates. There are also times where the installation fails and I have to try repeatedly

upstage4186

pxlkng Security is proactive, not reactive. It working now doesn't mean it can't break at any moment.

Well yeah, true of any complex system, but it seems other users do indeed have auto-update issues so I guess it's something I need to keep an eye on.

I would love for you (or someone else) to address the IPC issue, though. If an app with google libs embedded and google play services can talk, the app does not have network access but play services does, could this be a potential privacy leak vector.

You mentioned in your first post that:

pxlkng It has security issues and no privacy benefit over sandboxed Play Services.

So far, it seems that it DOES have a privacy benefit. I guess I'll need to balance that out against the potential security drawback(s).

pxlkng

DeletedUser313

Depends on your preference and "threat model". You're not linking any account to the device, though, as Play Services does not have access to hardware identifiers. See https://grapheneos.org/faq#hardware-identifiers

For how to create an anonymous account refer to my second message in this thread.

grayway2

pxlkng it's not enough. Going public public places and creating a Google account from there is just the first steep. You have then to be on always on VPN before sign in on that account from your owner profile. Once you download an app, you have to push it on an another profile.

The risk of getting his google account locked for suspicious activity or connection is not negligible.

pxlkng

DeletedUser313

I think not even necessarily that, only to the unique install of Play Services. If you would reinstall Play Services in the same profile I think it should see that as new, at least that is my understanding.

pxlkng

grayway2 Once you download an app, you have to push it on an another profile.

No, you do not have to do that.

pxlkng

grayway2 You have then to be on always on VPN

You also don't have to be on always on VPN.

grayway2

pxlkng what's the point to create an anonymous google account if they have later your home WiFi address or the one from mobile operator ?

grayway2

pxlkng Apps that will talk to Play Services are those that have Google libraries bundled anyways, so it doesn't make a privacy difference.

What makes you think that it does not make a difference ? If we could today prevent apps to communicate each other, it would make a hugh difference.

I could use apps with google libraries build in without linking what I do on them to the Google account I use on a profile.

pxlkng

grayway2

I've only said you don't have to. It all depends. Maybe its on a profile that you only use on public WiFi, at all, and therefore don't need any VPN.
All a question of how its used and what the requirements and preferences are.

Some may even create the account from their home network or on mobile data because they don't care about Google having their IP.

But you can't say you have to have one.

grayway2

pxlkng I'm not so sure that apps from profiles are not doing any connection to the internet even if in bfu state. They maybe can use the connection from owner profile and connect but I'm probably wrong

Rand-Uzer

Here is why you should NEVER use google playstore or for that matter ANYTHING google. I would rather put a gun to my head than use any google product. You have a DEGOOGLED phone, DEGOOGLED is a big hint here so why go to the effort to DEGOOGLE a phone then turn around and download playstore or anything google?
You might as well just buy a cheap phone if you want to use this criminally convicted corporations spy products.
[removed]

https://www.forbes.com/sites/daveywinder/2025/03/18/60-million-malicious-google-play-downloads-as-331-apps-bypass-security/

and here ...

https://www.bleepingcomputer.com/news/security/over-90-malicious-android-apps-with-55m-installs-found-on-google-play/

Mod note: I've removed some of this post because it's rude.

DeletedUser495

Rand-Uzer you can not compare running sandboxed Google Play to using it in priviledged mode on a vulnerable hardware. But I do have my issues with it. It could be the most secure app store in this part of Milky way, but my issues are not related to security.

Delaney

Rand-Uzer I would rather put a gun to my head than use any google product.

Lmao

pxlkng

Rand-Uzer

GrapheneOS is not about degoogling, which is a very idealistic term often sacrificing security and privacy.

There are areas where it benefits security and privacy to avoid Google (privileged Play Services) and there are areas where you want Google for security and privacy (Pixel phones, AOSP, etc)

A GrapheneOS phone is not degoogled. It is still hardware manufactured by Google and you are still running proprietary Google firmware, as well as AOSP which is made by Google and Linux which has heavy contributions from Google.

Please do not spread such idealistic FUD/misinformation.

Rand-Uzer read these 2 articles

This is in no way specific to the Play Store, everything has such issues and malware exists everywhere.

GrapheneOS

Rand-Uzer Using Aurora Store implies using the Play Store and installing apps from it which are generated and signed by Google. You aren't avoiding the Play Store, Google services or Google code by using Aurora Store. It is a frontend to a Google service providing Google generated / signed apps. The reason Aurora Store isn't recommended is because it doesn't check the signatures of the apps it downloads.

Please avoid spreading baseless, unsubstantiated claims here.

pxlkng

Delaney

pxlkng GrapheneOS is not about degoogling, which is a very idealistic term often sacrificing security and privacy.

There are areas where it benefits security and privacy to avoid Google (privileged Play Services) and there are areas where you want Google for security and privacy (Pixel phones, AOSP, etc)

A GrapheneOS phone is not degoogled. It is still hardware manufactured by Google and you are still running proprietary Google firmware, as well as AOSP which is made by Google and Linux which has heavy contributions from Google.

pxlkng

In general, Google is actually very good on security.

upstage4186

It's kinda bizarre how nobody is addressing the potential privacy cost of having to sign into a Google account, then having apps register with FCM. Google being able to link your notification metadata with a single account that you're logging into, combined with which apps you're downloading, etc, seems like a factor for people who are concerned about big tech building profiles on them (yeah, we exist).

It's great that the Play Store is more secure than Aurora, and I would love to be able to gain that extra security, but for plenty of people, it's unfortunately a trade-off against the privacy implications.

Please someone prove me wrong so I can ditch Aurora too.

pxlkng

upstage4186

All those things are not avoided by and don't change with Aurora Store. Logging in with an account doesn't matter for profiling, Google can still know apps are installed on the same profile or even device and correlate activity, an account is not required for that.
Also, with Aurora Store you are still using a Google account, just that of some else. This is not a good thing and has various negative implications on security and privacy.

Again, Aurora Store is not only less secure, it is also less private due to being less secure. And even if it would be as secure as the Play Store, it would still not have any privacy benefit, at best it could only have the same privacy as the Play Store, which very likely will never happen.

You can just create an anonymous Google account and use that. Better than using Aurora Store and best its going to get with using the Play ecosystem.

« Previous Page Next Page »