SgtSurehand Aurora store is insecure because its secure connection and signature verification are less hardened than Google's Play Store. Attempting to use it with your own account makes you look like a bot and Google might suspend your account for spam.

This is why GOS doesn't recommend it.

Specifically, metadata verification is not done, it's been known to grab wrong app versions, and there is no certificate pinning.

People don't criticize Obtainium because Obtainium only attempts to pull APK files from GitHub; its security is sort of already apparent. The Google Play Store is trying to do something completely different in terms of security.

Your analogy on "checking if the item you bought was really from the store" is a fundamental misunderstanding of how network security functions.

    raccoondad Aurora is in no way less secure than getting apps with Obtainium, F-Droid repositories, direct APK downloads from such as Github, developer websites and other third party aggregators like ApkMirror for example. This practice is widespread.

    What makes it more secure than them is that it gets packages directly from Google infrastructure according to your spoof manager, after authentication that is not directly linked to you (only through your device hardware, software, performance and network connection characteristics). Why would I want to use my own account to do that, even a throwaway, when one is already provided and, to everyone's confusion, used in a mixnet with multiple other users?

    I already know the opinion of the GrapheneOS development team and heard it from multiple sources, so why not cite someone else for a change?

    Hang on, I know, creative thinking and independent opinions are not very well received here. Let me ask Naomi. Or perhaps the despised one might chip in.

    I never claimed GrapheneOS devs are in Google's pocket, this was totally uncalled for. And I actually think that thanks to the hardening and controls GrapheneOS provides, using the Play Store is a brilliant way to go about their lives, but it won't cater for those who wish to get their privacy expectations to the next level, albeit at a minor security compromise.

      raccoondad Aurora store is insecure

      While this may be true for the newbie user, it is more relevant that Aurora is incredibly buggy. The anonymous download often fails. Automatic updates fail. So I perfectly understand why it's not a recommended app.

      I think one of the biggest issues with F-Droid is that they aren't even good at the thing that makes F-Droid seem like a desirable service to use in the first place: removing the need to trust developers.

      They don't actually read through code or go through changes. They blindly fetch and build what's in a public repo. One example is when WireGuard made changes to their app that were apparently "against the rules" and F-Droid didn't even notice for around half a year. If I recall correctly, they only noticed because the developer said so and someone noticed, not because they happened to notice it during a random check or something. This proves that a malicious developer could sneak something into their app without F-Droid even knowing, as long as what they do isn't caught by their basic scanning. F-Droid or not, you still have to trust the developer to some extent.

      So since very few people read whole codebases, it would be very easy to get malicious code past F-Droid since they don't even notice what's happening in the open. So if they don't even do that well, why have them as an additional trusted party? Not to mention they sign the majority of the apps in their repository and have historically not kept their infrastructure up to date. If anything happened on their end, for example a malicious insider or something like that, that would essentially be game over for people who rely solely on F-Droid for getting their apps.

      Also, keep in mind the kind of people who use F-Droid. It wouldn't be surprising if they were targeted. F-Droid loyalists love to say "F-Droid supports reproducible builds and developers can sign those," but what about the apps that are signed by F-Droid? Who's checking if those haven't been tampered with? I feel so many people put FAR too much trust in F-Droid.
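The two concerns raised in this thread, a client that can end up installing the wrong app version and a repository whose signing of packages nobody re-checks, both come down to checks a client can run locally before handing a file to the installer. The following is an added illustration, not code from Aurora, F-Droid, Obtainium or GrapheneOS, of three such checks: the candidate's versionCode must not be lower than the installed one (anti-downgrade), the signing-certificate fingerprint must match the one already installed (key continuity), and the downloaded bytes must hash to the digest the repository metadata promised. The `InstalledApp` and `CandidateUpdate` records, the package name and all fingerprints and byte strings are constructed sample data; in a real client the signer fingerprint would be extracted from the APK's signature block and the expected digest from the repository index.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledApp:
    """What the client already knows about the installed package (constructed record)."""
    package: str
    version_code: int
    signer_sha256: str  # hex SHA-256 of the signing certificate


@dataclass(frozen=True)
class CandidateUpdate:
    """A downloaded package plus what the repository metadata claimed about it (constructed)."""
    package: str
    version_code: int
    signer_sha256: str
    expected_sha256: str  # digest published in the repository index for this file
    apk_bytes: bytes


def check_update(installed: InstalledApp, candidate: CandidateUpdate) -> tuple[bool, str]:
    """Return (accepted, reason). Every failing check is reported, not just the first."""
    problems = []
    if candidate.package != installed.package:
        problems.append("package name mismatch")
    # Anti-downgrade: a repository serving a stale index must not roll the app back.
    if candidate.version_code < installed.version_code:
        problems.append(
            f"downgrade: candidate {candidate.version_code} < installed {installed.version_code}"
        )
    # Key continuity: an update signed by a different key is treated as a different app.
    if candidate.signer_sha256.lower() != installed.signer_sha256.lower():
        problems.append("signer certificate changed")
    # Integrity: the bytes on disk must match what the (signed) index said they would be.
    actual = hashlib.sha256(candidate.apk_bytes).hexdigest()
    if actual != candidate.expected_sha256.lower():
        problems.append("APK digest does not match repository metadata")
    return (not problems, "; ".join(problems) if problems else "ok")


# Constructed sample data: a stand-in for a real APK and two fake signer fingerprints.
GOOD_BYTES = b"constructed-apk-contents-version-43"
SIGNER_A = "aa" * 32
SIGNER_B = "bb" * 32

SAMPLE_INSTALLED = InstalledApp("org.example.app", 42, SIGNER_A)

GOOD_UPDATE = CandidateUpdate(
    "org.example.app", 43, SIGNER_A, hashlib.sha256(GOOD_BYTES).hexdigest(), GOOD_BYTES
)
DOWNGRADE = CandidateUpdate(
    "org.example.app", 41, SIGNER_A, hashlib.sha256(GOOD_BYTES).hexdigest(), GOOD_BYTES
)
RESIGNED = CandidateUpdate(
    "org.example.app", 43, SIGNER_B, hashlib.sha256(GOOD_BYTES).hexdigest(), GOOD_BYTES
)
TAMPERED = CandidateUpdate(
    "org.example.app", 43, SIGNER_A, hashlib.sha256(GOOD_BYTES).hexdigest(),
    GOOD_BYTES + b"-modified",
)


def run_scenarios() -> dict[str, tuple[bool, str]]:
    """Evaluate every constructed scenario; returned so a caller can inspect the verdicts."""
    return {
        name: check_update(SAMPLE_INSTALLED, cand)
        for name, cand in {
            "good": GOOD_UPDATE,
            "downgrade": DOWNGRADE,
            "resigned": RESIGNED,
            "tampered": TAMPERED,
        }.items()
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:10s} -> {'accept' if ok else 'reject'}: {reason}")
```

Android's package installer itself refuses an update whose signer differs from the installed app and, outside debug builds, refuses downgrades, so the value of doing these checks in the client is earlier, clearer failure and a digest check that the installer does not perform against the repository's own metadata.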

      SgtSurehand Hang on, I know, creative thinking and independent opinions are not very well received here.

      Let's not talk this way about other people in the community, or maybe you were talking about members of the project?

      SgtSurehand

      "I already know the opinion of the GrapheneOS development team and heard it from multiple sources, so why not cite someone else for a change?"

      I didn't cite from the GOS team, you can verify these issues for yourself.

      If you don't understand basic network security then please don't talk about it. Don't make it our problem that you want to talk about things you don't understand.

      The analogy you used alone proves enough that you really should not speak on this subject. It's nonsense that relates to nothing about the core issue of over-trusting CAs and insecure app versions.

        raccoondad now you got me. I may not possess the technical background to discuss such things, but that in no way means such things should not be discussed. I have enough common sense to not continue dragging myself into an argument I don't really wish to be part of, but you didn't disappoint me and acted exactly in the way I expected.

        raccoondad I do not wish to overstay my welcome, yet still remain in the community so I may provide helpful advice when I can to those who care to hear it. And despite our differences I would like to be your friend.

        I believe the original question about F-Droid and Aurora store being part of the App store got answered in the process.