How unsafe/unadvisable is Aurora Store?

Stewart

Hi everyone,

For a while now, an application I was using (non-open source) from the Play Store is no longer compatible with GOS.
Since Aurora Store no problems, the application installs and updates as it should, but I would like to know at what point installing and updating applications from this store is not recommended?

Thanks in advance

Watermelon

Stewart You can check previous threads or wait for others to reply regarding the issues with Aurora, however it's important to emphasize that only installing new apps from Aurora is dangerous. Updates are fine, especially if you already have installed the app through Google Play Store (installed from the GrapheneOS App Store, and assuming you locked the bootloader and verified the verified boot key fingerprint manually or using the Auditor app at least once after installation).

This is because all Android apps use signatures, and once an app is installed the signature is pinned, meaning that Android only accepts updates to the app inheriting all the data saved within it only if the updated version is signed by the same key that signed the existing version. So if you already have an app installed through Google Play Store and you switch to updating it through Aurora Store instead, the only risk you get from it is that Aurora Store could maliciously (or if it's maliciously compromised) withhold important updates to the app, e.g. security fixes.

Watermelon

Stewart For a while now, an application I was using (non-open source) from the Play Store is no longer compatible with GOS.

It sounds like you're implying that you install open source apps from a source other than Google Play Store that you think is more trustworthy for open source apps. You should be aware that F-Droid is also insecure, in case you use it.

Stewart

Watermelon I think I misspoke, I'll say it again.

I use the Play Store (mainly), Obtainium and Accrescent to download my applications, except that an application available only on the Play Store and that I like is no longer compatible with GOS.

So I'd like to know to what extent Aurora Store is inadvisable?

Oggyo

I can't believe another discussion re. Aurora was opened especially when the OP is not new to the forum...

Stewart

Oggyo An application I used to use is no longer compatible with alternative operating systems, including GOS, and I can't download it from the Play Store.

How unsafe is Aurora Store? What do you suggest as a solution?

fph

From what I understand, the ELI5 version is: the main concern with Aurora Store is that it adds another point of trust: when you install a new app, you have to trust not only the developer and Google, but also Aurora: all the middlemen have the possibility to tamper with your app and its signature.

SgtSurehand

New2MeOS Aurora now provides SHA on their GitLab that you can check against the checksum extracted from installed APK on first install.

fph all the middlemen have the possibility to tamper with your app and its signature.

I would like to hear more about these "middlemen" when all Aurora does is get packages from Play Store using a real Google account from a pool of accounts that is not permanently tied to your device as is the case with sandboxed Google Play.

New2MeOS

Given how relatively easy it is to set up an alias Google account to get apps right from the play store, I don't see the point of using the Aurora store and shared "anonymous" accounts.

Oggyo

New2MeOS I don't see the point of using the Aurora store and shared "anonymous" accounts.

So far, for me, this is still an open issue - https://discuss.grapheneos.org/d/19642-installing-play-integrity-filtered-apps-from-the-play-store

Oggyo

Stewart
I guess, your reply was intended to be for @New2MeOS :)

New2MeOS

Stewart I have only ever used the play store with an Google account purpose created for downloads, and nothing else; no Aurora for me as I just don't like what I've read about it here and elsewhere.

If you want to experiment a bit, there are Chinese app stores like Huwei but as you may imagine that's even more of an unknown risk.

fph

SgtSurehand I would like to hear more about these "middlemen" when all Aurora does is get packages from Play Store using a real Google account from a pool of accounts that is not permanently tied to your device as is the case with sandboxed Google Play.

Sorry if that wasn't clear: the additional "middleman" in this case is Aurora store. If you install RandomApp via Play Store, and you are worried that it might be malicious, then you have to trust (1) RandomApp's developer, and (2) Play Store not to replace it with a malicious version with a different signature. If you install it via Aurora, you have to trust not only (1) and (2), but also (3) Aurora Store's developers, since also they are in a position where they could sthealthily replace it with a different version.

One could also argue that if you use Aurora Store you are safer from (2), since you use Google through a shared anonymous account, so Google cannot set up a targeted attack against one phone only.

But I imagine "being targeted by Google" is not in most users' threat model.

SgtSurehand

fph removing something from your threat model doesn't make the threat disappear. One thing I can't process, if one believes possible Google is able to push malicious updates to a particular device, why would they still settle on using Google Play, even recommend it?