Aurora Store has implemented certificate pinning!

DeletedUser88

Will be available with the next update.

Relevant commits:
https://gitlab.com/AuroraOSS/AuroraStore/-/commit/d72733320273c0bb9bb78efd5ec149bbaf292d2e

https://gitlab.com/AuroraOSS/AuroraStore/-/commit/6af927276d2f18d9927f8f0a2f9388c1a8a171e5

Dumdum

DeletedUser88
Uh, well, I guess a mod can remove the part about certificate pinning from my comment here then.

Rizzler

Sick. I wonder what other problems need to be solved. If i remember correctly this was only one of the concerns. But im happy its improving.

GrapheneOS

Rizzler It needs to verify the Play Store signature metadata, which is more secure than TLS root key pinning but is less important now that it's doing TLS root key pinning.

whambam

Interesting. So, please correct me if I'm wrong; Aurora Store now only accept the certificates from googleapis.com, google.com, auroraoss.com, exodus-privacy.eu.org and gitlab.com, thus mitigating MITM attacks. Whereas before it would accept all of the pre-installed CAs?

DeletedUser88

GrapheneOS What significance does verifying Play Signature metadata hold if TLS root pinning is already implemented? Wouldn't TLS root pinning guarantee that apps are being served from Google domains and are therefore authentic applications hosted on the Play Store?