Most secure way to install Play Store apps on Play Service-free Owner profiles!?

trilogy6202

As often discussed on this forum, it's very important to install apps from secure sources in order to keep GOS devices secure (and private). Therefore, the general advice is to install apps directly from the Google Play store, except for the dozen or so apps that can be installed from the GOS App Store or from Accrescent.

But this presents a dilemma for the users - myself included - that prefer to daily drive their owner profile while avoid installing Google Play Services on it.

In a perfect world it would be possible install apps on a secondary profile / private space with Google Play Services installed and "pull" then to the owner profile but until (if ever) that becomes possible, what is the second most secure way of installing apps from the play store.

Here is my method which I have not seen proposed or discussed before - though it very well might have. Comments are of course welcome and if you have an even better way given the premise I've described further down please let us know.

The premise:

You want to daily drive the owner profile and you don't want to install Google Play Store on it.
You want the most secure way to install apps on the owner profile that are not available GOS App Store or Accrescent but are available on the Play Store while still abiding to the premise above.
You want to try to be as anonymous towards google as (reasonably) possible WHILE YOU install apps from their Play Store - whether you use apps with google libraries that can phone home and track you is outside of the scope in this thread.
You are okay with always being signed in to an "anonymous" Google account in Private Space - maybe you even prefer it this way, I do - and you don't need to use your private space with your "real" Google account (if you even have one).

The method below might sound a little extreme but IMO it's actually not that cumbersome and I believe it provides an approach that is both very secure and very private (towards Google) which is why I think it might be of interest to some users in here. I personally DON'T use exactly this method. I use a slightly dialed down version that I will describe below. Also, I've only personally tried this with private space but I believe it will work in secondary user profiles as well.

Preparation:

Sign up to two anonymous Google account - Google_account_Owner and Google_account_PS (Private Space) - 2 ways are linked at the bottom. Remember to setup some kind of 2FA so Google won't ask for your phone number in the future.
Sign up to a VPN and create two new tunnels, Tunnel_owner and Tunnel_PS, Tunnel_Owner will be used on owner account ONLY when installing apps from Aurora Store. I prefer to use the official wireguard app so I choose a provider that allow me to download the .conf file.
On owner profile, install Aurora store but don't open it yet - Only ever open Aurora Store when Tunnel_Owner is established. Don't allow "App background usage" under "App battery usage"
On owner profile, install a VPN app, and setup Tunnel_Owner. Test that it works but don't use it for anything as this tunnel will be dedicated to installing apps from Aurora Store.
In private space, install a VPN app, setup and enable Tunnel_PS and set it to "always on" and "block connection without VPN". Then check that you are connected to the VPN server.
In private space, install Google Play Store and log in with Google_account_PS.

Process for installing Apps from Play Store on owner profile

On owner profile, enable Tunnel_Owner and check that you are connected to the VPN server.
On owner profile, open Aurora Store and log in with Google_account_Owner and manually install the second latest version of the app you want to install - Do not grant network access or open the app yet. This is in case a vulnerability have been found in that version which has been patched in the latest release.
On owner profile, close Aurora Store and disconnect from Tunnel_Owner.
Optionally (but probably not necessary), disable the Aurora store app as an extra security that it won't ping any google servers while not connected to Tunnel_Owner.
In private space, install the same app from the Google Play store. Since apps are only installed once on Android even if they are available on several user profiles (including Private Space) this will update the previously installed version of the app on the Owner Profile to the latest version.
Once in a while go to the play store in Private Space end check for updates to the app(s) you've installed this way.

As mentioned above, I use a slightly dialed down approach as I don't have a separate Tunnel_Owner dedicated to use while installing apps from Aurora store. This probably sacrifices some anonymity towards Google as they will be able to see my IP when I connect to their server through Aurora but I don't case as my thread model allows it.

Two ways to sign up for an google account anonymously:

trilogy6202

Okay, as I realize that this is a rather long post, let me just shortly mention that the ‘trick’ in this method is that 1) Aurora store allows you to install older versions of apps and 2) that apps are only installed once on android even if they are available on several user provides. Therefore, apps that are updated in a secondary user or private space will be updated in the owner profile.

This IMO largely mitigates the risks associated with installing apps form Aurora Store as this version is never granted network access nor opened and shortly after installation it’s replaced by a new version directly from Google Play Store.

Magook

trilogy6202 interesting approach. Now, would it be easier to install first the latest version on Google Play Store(in Private Space) and then install the same latest version via Aurora (in Owner)? I might be wrong, but as far as I understand once app is installed via Google Play, the install from Aurora would need to match the signature verification of the app from Google Play; thus verifying is the same app (untampered).

The Google Play app installs can be carried out from a secondary profile to save up the Private Space for anything else you might need it for. You would just need to jump into the secondary profile with Google Play to install a new app if needed, since updates can be carried out via Aurora if my assumption of signature verification is correct.

trilogy6202

Another thing that I want to make clear is that this IS NOT as secure as getting your apps directly from Google Play Store. Period. If your thread model calls for it, avoid Aurora and use the play store directly.

I'm not a cyber security expert and I don't understand all the implications of Aurora stores shortcomings like not doing certificate pinning, etc.

Nevertheless, I still believe that this is an improvement over just using Aurora store for users that won't install Play Services on their main user profiles.

Dumdum

trilogy6202 like not doing certificate pinning

To my knowledge, they have.

trilogy6202

Dumdum Great news. Didn't know that that had been solved.

brandy078

There is a great tutorial from Side of Burritos on YT.

trilogy6202

brandy078 Side of Burritos guide is nice yes, you are probably referring to at the bottom of OP. But his setup is significantly different as his main profile is a secondary user profile which is not the premise for my guide.

KleinesSinchen

This thread ask an interesting question I’ve also asked myself. Owner is running all the time and therefore I do not want Google services and Play Store there… but only owner can push app to secondary user. No way to pull.

Only trouble is first installation of an app.

I’ve seen usage of developer options, especially USB debugging, is commonly advised against due to ADB giving a PC privileged access over the GrapheneOS phone. Despite that I went that route with a PC I trust:

Installed Google stuff with burner account on dedicated secondary user
Installed all the apps I need from Play Store for secondary user
Developer options on, USB debugging on
adb shell
pm list -3 (to get a list of all non-system apps)
pm install-existing [package name] --user 0
USB debugging off, revoke all authorizations, developer options off → reboot.

I've no idea if my installation is considered tainted because having granted USB debugging once.

Owner now has all apps right from Play Store. They can be disabled if not needed in owner, but owner can now push them to any secondary users – while the one with Google services can do updates.

carboneos

Why not using an apk extractor to install apps on main profile which has already been installed in private space via play store, instead of using aurora store?

trilogy6202

carboneos Interesting approach and potentially simpler to execute than the one in OP. I've never tried APK extractors so I don't know anything about any potentially security implications of this method. Definitely something to look into:

2 questions:

Can you recommend an APK extractor that you believe to be trustworthy?
Does apps know that they wat installed this way?

trilogy6202

Magook I must admit I haven't tried but if what you say is true it is indeed easier.

It should work from secondary user profile as well.