SgtSurehand Obtainium doesn't make things more secure. It is just better for privacy. Apps are directly fetched from developers (GitHub, GitLab, Forgejo, etc.) instead of the Play Store.

    Tubeless2720 I only mention it because there is a whole bunch of users who use Obtainium and its
    questionable security is never discussed while troublemakers always pick on Aurora.

    SgtSurehand It's more that Aurora introduces security issues than Obtainium being particularly secure. Particularly if you use the shared account feature. https://xcancel.com/GrapheneOS/status/1844534513663185124#m

    And if you're logging in to Aurora, why not just use the much more secure Google Play app?

    The one main use case for Aurora is if an app artificially does not allow itself to be listed on Google Play for GrapheneOS, but if installed can still run. Netflix used to be an example of that, although I now believe you can install it via Google Play.

      Obtainium isn't really an app store, it is mostly a tool to update apps / notify you of updates for apps.

      It is just "safer" than downloading from github (or wherever) yourself, because it makes you not forget to update an app.

      This is also achievable by using an RSS reader instead, as far as I know.

      kopolee11 Netflix used to be an example of that, although I now believe you can install it via Google Play

      yes it is possible

        kopolee11 when you buy your bowl of porridge, whether it's in the supermarket or in a local store, do you always verify that it comes from a legitimate source? You look at the packaging and put it in the basket. When it comes from Google, it must be Google. What sort of interest would they have in hosting malware?

          kopolee11 the difference between me and Google is that I will admit to wrongdoing. They will only when they are caught in the act. Good luck into the future.

          kopolee11 nothing personal, but I see this all the time in this forum. Someone from the project account posts something here in the forum/on their socials and everyone starts parroting that information without any understanding of what it means. This also has the nasty side effect of outdated information because people keep reciting these posts like Gospel.

          I have yet to see clarification about:

          1. The danger of using shared accounts, what exact risks or attack vectors are opened by using these.
          2. "Other security issues" that are often brought up but never elaborated on.
          3. I understand the technical flaws in F-Droid's implementation but I fail to see the same issues due to a lack of reproducible builds, 3rd party repos and different (outdated) client apps for the frontend of F-Droid. Aurora Store is not even remotely comparable to that and I fail to see the often mentioned "other security issues". Literally the only thing I can think of is that updates are sometimes delayed for apps by a day or two. At the same time, I also fail to see how these app updates would be so mission critical. I can't recall any such cases where "urgent app updates" were needed.

          So indulge me - I simply want to know what "other security issues" means. In the most technical terms possible, please.

            I'm not sure about the security thing, but I understand the endorsement issue. Perhaps Graphene needs its own way to scrape the play store and F-Droid? Since F-Droid is open source, it could probably be forked. Aurora I'm less sure of. I hear good and bad stuff about it. It sounds fairly secure, if imperfect.

            Are there any better alternatives? I notice Obtainium doesn't seem to be a store per se.

            TiggyTheTerrible
            Sorry, I think you misunderstood.

            Open source apps can normally be downloaded directly as apk file from either their github/gitlab etc. repository or from their website.
            Some other apps, like WhatsApp, can also be downloaded directly from the WhatsApp website.

            These app versions normally use the developer's signing key (relevant for app verifier) and were built by the developers.

            You give Obtainium basically a link to a source (usually a GitHub repository) and tell it how the release version is called. Obtainium then downloads it, installs it and checks / can be used to check for updates.
            (Which basically means it looks at the provided source link if a new release version exists)

            Sometimes you can download F-Droid versions of apps on the website of the developers; I am not sure, but I believe these use the F-Droid signing keys.

            Obtainium can not be used to download apps that are only available in the Play Store (which is the case for most apps that are not open source) (and I would not recommend using something like ApkMirror).

            Also, while Obtainium has a search function, you should first look for the repository yourself (since the names can be different than one expects).

            So it is just a downloader and update checker; using Obtainium basically means downloading and installing APKs yourself, and includes whatever this usually implies.
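The source link plus release naming rule described in the post above, written out as a small Python update checker. This is an added illustration, not Obtainium's own code: the release JSON, the APK bytes and the published checksum file are constructed stand-ins for a hypothetical project.

```python
import hashlib
import re

# Constructed sample of a GitHub "releases/latest" response, trimmed to what an update checker reads.
SAMPLE_RELEASE = {
    "tag_name": "v2.4.1",
    "assets": [
        {"name": "app-2.4.1-debug.apk", "browser_download_url": "https://example.invalid/d.apk"},
        {"name": "app-2.4.1-release.apk", "browser_download_url": "https://example.invalid/r.apk"},
        {"name": "app-2.4.1-release.apk.sha256", "browser_download_url": "https://example.invalid/r.sha256"},
    ],
}
# Constructed stand-ins for the downloaded APK and the published "<hex>  <filename>" digest file.
FAKE_APK = b"PK\x03\x04constructed-apk-contents"
PUBLISHED_SHA256 = hashlib.sha256(FAKE_APK).hexdigest() + "  app-2.4.1-release.apk\n"

def parse_version(tag):
    """Turn 'v2.4.1' or '2.4' into a tuple of ints; refuse anything that is not a version."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", tag.strip())
    if not m:
        raise ValueError(f"unrecognised version tag: {tag!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_newer(remote_tag, installed_tag):
    """True only if the remote tag is strictly newer; '2.4' and '2.4.0' compare equal."""
    r, i = parse_version(remote_tag), parse_version(installed_tag)
    n = max(len(r), len(i))
    return r + (0,) * (n - len(r)) > i + (0,) * (n - len(i))

def pick_asset(release, name_pattern):
    """Select exactly one asset by the user-supplied name pattern; ambiguity is an error."""
    hits = [a for a in release["assets"] if re.search(name_pattern, a["name"])]
    if len(hits) != 1:
        raise LookupError(f"expected one asset matching {name_pattern!r}, found {len(hits)}")
    return hits[0]

def digest_matches(apk_bytes, sha256_file_text, asset_name):
    """Compare the downloaded bytes with the published digest line for that asset name."""
    for line in sha256_file_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("*") == asset_name:
            return hashlib.sha256(apk_bytes).hexdigest() == parts[0].lower()
    return False

def check_update(release, installed_tag, apk_pattern=r"-release\.apk$"):
    """Return what to fetch when the source has a newer release, or None if up to date."""
    if not is_newer(release["tag_name"], installed_tag):
        return None
    apk = pick_asset(release, apk_pattern)
    sums = pick_asset(release, re.escape(apk["name"]) + r"\.sha256$")
    return {"version": release["tag_name"], "apk": apk["name"], "sums": sums["name"]}
```

A digest fetched from the same repository as the APK only proves the download arrived intact; who built it is established by the APK's signing key, which Android compares against the already installed app before it accepts an update.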

            SgtSurehand Aurora Store is insecure because its secure connection and signature verification are less hardened than Google's Play Store. Attempting to use it with your own account makes you look like a bot and Google might suspend your account for spam.

            This is why GOS doesn't recommend it.

            Specifically, metadata verification is not done, it's been known to grab wrong app versions, and there is no certificate pinning.

            People don't criticize Obtainium because Obtainium only attempts to pull APK files from GitHub; its security is sort of already apparent. The Google Play Store is trying to do something completely different in terms of security.

            Your analogy on "checking if the item you bought was really from the store" is a fundamental misunderstanding of how network security functions.

              raccoondad Aurora is in no way less secure than getting apps with Obtainium, F-Droid repositories, direct APK downloads from GitHub, developer websites and other third-party aggregators like ApkMirror, for example. This practice is widespread.

              What makes it more secure than them is that it gets packages directly from Google infrastructure according to your spoof manager, after authentication that is not directly linked to you (only through your device hardware, software, performance and network connection characteristics). Why would I want to use my own account to do that, even a throwaway when one is already provided and to everyone's confusion used in a mixnet with multiple other users?

              I already know the opinion of the GrapheneOS development team and have heard it from multiple sources, so why not cite someone else for a change?

              Hang on, I know, creative thinking and independent opinions are not very well received here. Let me ask Naomi. Or perhaps the despised one might chip in.

              I never claimed GrapheneOS devs are in Google's pocket, this was totally uncalled for. And I actually think that thanks to the hardening and controls GrapheneOS provides, using Play Store is a brilliant way to go about their lives but it won't cater for those who wish to get their privacy expectations to next level, albeit at a minor security compromise.

                raccoondad Aurora store is insecure

                While this may be true for the newbie user, it is more relevant that Aurora is incredibly buggy. The anonymous download often fails. Automatic updates fail. So I perfectly understand why it's not a recommended app.

                I think one of the biggest issues with F-Droid is that they aren't even good at the thing that makes F-Droid seem like a desirable service to use in the first place: removing the need to trust developers.

                They don't actually read through code or go through changes. They blindly fetch and build what's in a public repo. One example is when WireGuard made changes to their app that were apparently "against the rules" and F-Droid didn't even notice for around half a year. If I recall correctly, they only noticed because the developer said so and someone noticed, not because they happened to notice it during a random check or something. This proves that a malicious developer could sneak something into their app without F-Droid even knowing, as long as what they do isn't caught by their basic scanning. F-Droid or not, you still have to trust the developer to some extent.

                So since very few people read whole codebases, it would be very easy to get malicious code past F-Droid since they don't even notice what's happening in the open. So if they don't even do that well, why have them as an additional trusted party? Not to mention they sign the majority of the apps in their repository and have historically not kept their infrastructure up to date. If anything happened on their end, for example a malicious insider or something like that, that would essentially be game over for people who rely solely on F-Droid for getting their apps.

                Also, keep in mind the kind of people who use F-Droid. It wouldn't be surprising if they were targeted. F-Droid loyalists love to say "F-Droid supports reproducible builds and developers can sign those," but what about the apps that are signed by F-Droid? Who's checking if those haven't been tampered with? I feel so many people put FAR too much trust in F-Droid.