Aurora Store has implemented certificate pinning!

DDeletedUser88 · Sep 16, 2024

Will be available with the next update.

Relevant commits:
https://gitlab.com/AuroraOSS/AuroraStore/-/commit/d72733320273c0bb9bb78efd5ec149bbaf292d2e

https://gitlab.com/AuroraOSS/AuroraStore/-/commit/6af927276d2f18d9927f8f0a2f9388c1a8a171e5

DDumdum · Sep 16, 2024

DeletedUser88
Uh, well, I guess a mod can remove the part about certificate pinning from my comment here then.

Rizzler · Sep 16, 2024

Sick. I wonder what other problems need to be solved. If i remember correctly this was only one of the concerns. But im happy its improving.

Wwhambam · Sep 16, 2024

Interesting. So, please correct me if I'm wrong; Aurora Store now only accept the certificates from googleapis.com, google.com, auroraoss.com, exodus-privacy.eu.org and gitlab.com, thus mitigating MITM attacks. Whereas before it would accept all of the pre-installed CAs?

GrapheneOS · Sep 16, 2024

Rizzler It needs to verify the Play Store signature metadata, which is more secure than TLS root key pinning but is less important now that it's doing TLS root key pinning.

DDeletedUser88 · Sep 17, 2024

GrapheneOS What significance does verifying Play Signature metadata hold if TLS root pinning is already implemented? Wouldn't TLS root pinning guarantee that apps are being served from Google domains and are therefore authentic applications hosted on the Play Store?