kopolee11 nothing personal, but I see this all the time in this forum. Someone from the project account posts something here in the forum/on their socials and everyone starts parroting that information without any understanding of what it means. This also has the nasty side effect of outdated information because people keep reciting these posts like Gospel.

I have yet to see clarification about:

  1. The danger of using shared accounts, what exact risks or attack vectors are opened by using these.
  2. "Other security issues" that are often brought up but never elaborated on.
  3. I understand the technical flaws in F-Droids implementation but I fail to see the same issues due to a lack of reproducible builds, 3rd party repos and different (outdated) client apps for the frontend of F-Droid. Aurora Store is not even remotely comparable to that and I fail to see the often mentioned "other security issues". Literally the only thing I can think of, is that updates are sometimes delayed for apps by a day or two. At the same time, I also fail to see how these app updates would be so mission critical. I can't recall any such cases where "urgent app updates" were needed.

So indulge me - I simply want to know what "other security issues" means. In the most technical terms possible, please.

      I'm not sure about the security thing, but I understand the endorsement issue. Perhaps Graphene needs its own way to scrape the play store and F-Droid? Since F-Droid is open source, it could probably be forked. Aurora I'm less sure of. I hear good and bad stuff about it. It sounds fairly secure, if imperfect.

      Are there any better alternatives? I notice Obtainium doesn't seem to be a store per say.

      TiggyTheTerrible
      sorry i think you misunderstood

      Open source apps can normally be downloaded directly as apk file from either their github/gitlab etc. repository or from their website.
      Some other apps, like whatsapp, can also be downloaded directly from the whatsapp website.

      These app version normally use the developers signing key (relevant for app verifier) and were build by the developers.

      You give obtainium basically a link to a source (usually a github repository) and tell it how the release version is called. Obtainium then downloads it, installs it and checks/ can be used to check, for updates.
      (Which basically means it looks at the provided source link if a new release version exists)

      sometimes you can download fdroid versions of apps on the website of the developers, i am not sure but i belive these use the fdroid signing keys.

      Obtainium can not be used to download apps that are only avaible in play store (which is the case for most apps that are not open source) (and i would not recommend to like use something like apkmirror)

      Also, while obtainium has a search function, one should first look for the repository yourself (since the names can be different than one exspects)

      So it is just a downloader and update checker, using obtainium basically means downloading and installing apks yourself, and includes whatever this usually implies.

        SgtSurehand Aurora store is insecure because its secure connection and signature verification are less hardened than Googles Play Store. Attempting to use it with your own account makes you look like a bot and Google might suspend your account for spam.

        This is why GOS doesn't recommend it.

        Specifically, metadata verification is not done, its been known to grab wrong app versions, and no certificate pinning.

        People don't criticize obtainium because obtainium only attempts to pull apk files from github, its security is sort of already apparent. The Google Play Store is trying to do something completely different in terms of security.

        Your analogy on "checking if the item you bought was really from the store" is a fundamental misunderstanding of how network security functions.

            raccoondad Aurora is in no way less secure than getting apps with Obtainium, F-Droid repositories, direct APK downloads from such as Github, developer websites and other third party aggregators like ApkMirror for example. This practice is widespread.

            What makes it more secure than them is that it gets packages directly from Google infrastructure according to your spoof manager, after authentication that is not directly linked to you (only through your device hardware, software, performance and network connection characteristics). Why would I want to use my own account to do that, even a throwaway when one is already provided and to everyone's confusion used in a mixnet with multiple other users?

            I already know opinion of GrapheneOS development team and heard it from multiple sources so why not cite someone else for change?

            Hang on, I know, creative thinking and independent opinions are not very well received here. Let me ask Naomi. Or perhaps the despised one might chip in.

            I never claimed GrapheneOS devs are in Google's pocket, this was totally uncalled for. And I actually think that thanks to the hardening and controls GrapheneOS provides, using Play Store is a brilliant way to go about their lives but it won't cater for those who wish to get their privacy expectations to next level, albeit at a minor security compromise.

                raccoondad Aurora store is insecure

                While this may be true for the newbie user it is more relevant that Autora is incredibly buggy. The anonymous download often fails. Automatic updates fail. So I perfectly understand why it's not a recommended app.

                  I think one of the biggest issues with F-Droid is that they aren't even good at the thing that makes F-Droid seem like a desirable service to use in the first place: removing the need to trust developers.

                  They don't actually read through code or go through changes. They blindly fetch and build what's in a public repo. One example is Wireguard made changes to their app that were apparently "against the rules" and F-Droid didn't even notice for around half a year. If I recall correctly, they only noticed because the developer said so and someone noticed, not because they happened to notice it during a random check or something. This proves that a malicious developer could sneak something into their app without F-Droid even knowing as long as what they do isn't caught by their basic scanning. F-Droid or not, you still have to trust the developer to some extent.

                  So since very few people read whole codebases, it would be very easy to get malicious code past F-Droid since they don't even notice what's happening in the open. So if they don't even do that well, why have them as an additional trusted party? Not to mention they sign the majority of the apps in their repository and have historically not kept their infrastructure up to date. If anything happened on their end, for example a malicious insider or something like that, that would essentially be game over for people who rely solely on F-Droid for getting their apps.

                  Also, keep in mind the kind of people who use F-Droid. It wouldn't be surprising if they were targeted. F-Droid loyalists love to say "F-Droid supports reproducible builds and developers can sign those," but what about the apps that are signed by F-Droid? Who's checking if those haven't been tampered with? I feel so many people put FAR too much trust in F-Droid.

                  SgtSurehand Hang on, I know, creative thinking and independent opinions are not very well received here.

                  Let's not talk this way about other people in the community, or maybe you were talking about members of the project?

                    SgtSurehand

                    "I already know opinion of GrapheneOS development team and heard it from multiple sources so why not cite someone else for change?"

                    I didn't cite from the GOS team, you can verify these issues for yourself.

                    If you don't understand basic network security then please don't talk about it. Don't make it our problem that you want to talk about things you don't understand.

                    The analogy you used alone proves enough that you really should not speak on this subject. Its nonsense that relates to nothing about the core issue of over CA trusting and insecure app versions.

                        raccoondad now you got me, I may not possess the technical background to discuss such things, that in no way means such things should not be discussed. I have enough common sense to not continue dragging myself into an argument I don't really wish to be part of but you didn't disappoint me and acted exactly in a way I expected.

                          raccoondad I do not wish to overstay my welcome, yet still remain in the community so I may provide helpful advice when I can to those who care to hear it. And despite our differences I would like to be your friend.

                            I believe the original question about F-Droid and Aurora store being part of App store got answered in process.