"Controversy" around usage of Aurora Store

monozygote

The points that @pxlkng has made in various threads, eg some recent ones here https://discuss.grapheneos.org/d/19725-auto-update-apps-through-aurora-store and https://discuss.grapheneos.org/d/13828-automatic-aurora-store-update-start-of-aurora-store , have sparked a lot of discussions even on forums beyond such as this recent one in reddit: https://www.reddit.com/r/degoogle/comments/1l6msli/aurora_store_is_absolutely_not_recommended_by_the/.

I've been trying to keep up. Firstly, thanks to all those involved since I have myself come to know so many things from points made by @pxlkng and GOS mods and counterpoints from many others.

Since, like many, I too use Aurora Store (AS), I wanted to understand the concerns about privacy and security from those recommending against using AS given certain scenarios and steps taken to mitigate some alleged drawbacks.

I have setup GOS to use the owner/primary profile only to install apps, immediately disable them and then push them to the secondary profile(s) where they are actually used. This keeps the management centralized and I don't have to install them in each profile I want to use them.

I do this with Aurora Store with anonymous login option.

Right off the bat, my IP address is no longer revealed to Google as stated in the AS wiki: https://auroraoss.com/wiki#:~:text=as%20all%20sessions%20are%20generated%20via%20our%20server,%20so%20only%20our%20server's%20IP . This alone means that if only my owner profile is active, I don't have to actively remember to disable Play services etc (or deny networking to them) when I'm on the move. This gives privacy - I'm preventing play services from actively tracking me as I commute to various places.
Next, I install non-privacy invasive apps in my secondary profile say p2. These can be email apps like Organic Maps or Tuta or Proton or whatever (just for the sake of argument assume that these didn't have google code or reported/colluded with google). Google doesn't know I installed them as AS makes request from an email address and IP that is shared with many others. The device architecture etc would also be used by many so I cannot be singled out. On top of that, there's also some amount of spoofing that AS allows. This again is privacy.
The apps that require play services or are privacy invasive anyway, like social media apps or Gmail/google-maps etc which either directly talk to google or collude and share info under some agreement (banking apps), get installed in a separate profile - p3. Sure as long as I log into that profile, google knows who/where I am and whatever info is collected. There is no difference here between play services and AS. However the big point is that I can just kill the profile session and then be completely invisible to Google until I turn that session back on again. If instead I had used Play service in owner profile, I would need to additionally remember to tinker with owner profile and this is otherwise a needless step that I need to perform or it harms privacy for both points (1) and (2) above. And for those who don't need this point (3) at all, even better, there's nothing to do here.
For security side of things - AS now has certificate pinning so that criticism is no longer applicable.
It doesn't however verify signatures of the downloaded apps. This is the only thing that requires (an easy) workaround. As I understand, thanks to Android OS itself, you cannot update an app if the update has a signature mismatch (ie signed with a different key) compared to the currently installed version of the app. This means you merely need to make sure the 1st installation isn't malicious. To do this, according to recommendations, simply use an alternate phone with throwaway google account (or use friend's/family member's phone) to download apk via play, get its certificate hash, come back to your device, use AS to get the app and use AppVerifier to check it has the same certificate hash. Problem solved. For a good majority of apps you will likely have it in AppVerifier's internal database itself so no need to do all this, only for those whose certificate hash isn't in AppVerifier you do this. It's better to focus to improve AppVerifiers internal database which would make this security concern go away for vast majority of the apps. Until then you have a workaround.
Auto-Updates are a PITA on AS. I don't know of a solution to this. Currently I just make sure to check it at-least once a day, click on check-for-updates and then it springs into action and gives me list. Press update-all and things are updated normally. I personally think this is an OK usability compromise for the sake of other gains. In-fact I would argue that GOS asking for pin/password to profiles every so often (I think 48 hrs) is actually more of a security+privacy concern. It has asked me at times when I'm in a supermarket or under surveillance where I feel uncomfortable entering the pin/password. This also isn't configurable. So I need to remember to log into all profiles once every 24/48 hrs anyway. I just add manually checking for app updates on AS as an additional step to that already existing chore.

So I fail to understand why such drastic statements from both @pxlkng and GOS team that it's categorically less private to use AS or that it brings no gain to using Play Store? I'm so far finding it quite the opposite.

natoal

monozygote

As I understand, thanks to Android OS itself, you cannot update an app if the update has a signature mismatch (ie signed with a different key) compared to the currently installed version of the app. This means you merely need to make sure the 1st installation isn't malicious.

If this is true it'd mean that Aurora Store is secure enough for the average user?

dc32f0cfe84def651e0e

monozygote The apps that require play services or are privacy invasive anyway, like social media apps or Gmail/google-maps etc which either directly talk to google or collude and share info under some agreement (banking apps), get installed in a separate profile - p3.

That's my approach as well: a separate profile with throwaway Goolag account created within same profile and not being used anywhere else.

natoal

monozygote

Are you referring to this AppVerifier https://github.com/soupslurpr/AppVerifier, and do you need to import the APK itself or can it check the installed app through the apps list or something?

raccoondad

Can new apps do any harm if they've never been opened? If not it should be fine imo to just check before opening it

chinook

monozygote THANK YOU for starting this discussion here.

Lilac6044

I think this topic has been debated to death at this point. I also think it would have been better to post this on one of the threads you linked above rather than creating a whole new thread...

If you are happy with Aurora, then use Aurora.

pxlkng

I agree with the post above and don't think I have anything of significant value to add anymore.
Everything has already been said on at least the GOS forum threads you linked, probably even more.

On a side note, I invite you to join the official chat rooms on either Discord, Matrix or Telegram and ask your questions there. The chat rooms are much more active and better to do live discussions, and I feel you will get your questions answered there more extensively and by more people than just me and some few others.

monozygote

natoal As of now I'm pretty sure of this from what I've read. I do appreciate that you need to do this extra verification (if you are paranoid, not a bad thing to be though) on 1st install but one could just mention this as a caveat instead of (almost completely) dismissing the AS approach as insecure, less private and totally not recommended.

Also you do this if you distrust AS, eg. if you believe they have been compromised or are deliberately tampering the 1st installs. Given AS is quite popular (maybe not as much as GOS) I would assume this would get noticed really fast and whistle blown. There are many folks who check their first installs of an app and others who scrutinize this kinda stuff. It's also something very easily detectable (I could do it and I consider myself an idiot). So I doubt that in practice you really need to worry about this attack vector, though ofc nothing stops you from trying to be safer.

I also feel for @pxlkng a bit here since they've been really helpful and answering a lot in such discussions so they're probably jaded by now. I'll try hitting them up on chat rooms as suggested, because I don't agree (maybe due to lack of understanding on my part) with a lot of their concerns/comparisons of AS vs Play store.

Not used chat rooms before, but I assume unlike these threads where you can dip in and out according to convenience/free-time, chat rooms would demand continuous availability? Again that's me going by the chat rooms on Stackexchange/Stackoverflow, where many groups use the same room and each group is talking about potentially orthogonal topics.

natoal

monozygote

I don't believe the part about Android rejecting mismatched signatures has been mentioned before, or it hadn't been given enough significance considering it is a solution to app tampering which is the major 'security issue' critics mention the most

Lucario1829

natoal i think the youtuber sideofburritos who posts a lot about graphene mentions it in his video about obtainium, actually. i knew id heard it before but couldnt remember where

natoal

Lucario1829

I was referring to this forum and in regards to Aurora Store specifically, but there seems to be a bug with Obtainium not updating apps with a new signature, and even uninstalling the app doesn't fix it

raccoondad

I would like to mention on the signature verification aspects, it would probably be fine to use Aurora as a update manager, but I'd avoid using it for first installs at the very least.

raccoondad

natoal Can new apps do any harm if they've never been opened?

Yes, don't install software you can't verify.

natoal

raccoondad

It would be nice if AS allowed us to download the APK alone so we could check it in AppVerifier before installing, not sure if it does

monozygote

chinook Cheers! Yeah I would personally love to have the discussion here because more eyes, more engagement, information not siloed, people can join in according to convenience/free time, yada yada.

Not sure if GOS mods/pxlkng would be willing to engage given (IMO) a lot of people are giving a lot of importance to this topic. I've been invited to chat room and am just trying to find a stretch of time that I can be available there for a meaningful discussion. I believe it's much easier if done here.

Even if it's brief like "Point 1 is valid, Point 2 isn't or you are misinformed because <such and such>, ..." and so on. I don't think all the points I've raised have been addressed in prior discussions (or at-least it's difficult to see without point-wise labelling of what is being discussed). Folks have raised questions about IPC and those have been answered but I think I'm not contesting the points which already have a settled upon answer (like AS vs Play store doesn't make any diff if the trackers and collusion is a part of an app - I ack that in point (3) in the post).

other8026

monozygote been invited to chat room

Sorry, but this seems strange. Did someone track you down and invite you to some random chat room because you're talking about Aurora here?

wizoatk

other8026

FYI. https://discuss.grapheneos.org/d/23016-controversy-around-usage-of-aurora-store/3

On a side note, I invite you to join the official chat rooms on either Discord, Matrix or Telegram and ask your questions there. The chat rooms are much more active and better to do live discussions, and I feel you will get your questions answered there more extensively and by more people than just me and some few others.

SgtSurehand

natoal AS allows saving downloaded apks (Settings > Installation > Delete APK post-install > uncheck), you can cancel installation, check apk and install later.

monozygote

SgtSurehand Since the intro of private spaces (or before that just use a throwaway profile) you can just install AS in there, install app normally using AS in private space, inspect apk and if everything's fine just install it in the main profile again and push it to whichever profile you want. At-least that way you won't have to actively monitor the installation process to then cancel it.

I also think instead of doing this for all app might be just easier to do it for AS itself. It's Open Source and well used and (mostly?) well received. So if an installation of AS is trustworthy you know it's doing the right thing until at-least the next update. FDROID builds apps from source so you could use FDROID only for AS if you want as there aren't frequent updates to AS anyway (because criticism of FDROID is that it's slow by a week or more to get you the updates).

SgtSurehand

monozygote First install of AS from
https://gitlab.com/AuroraOSS/AuroraStore/-/releases

Hashes provided on site
https://gitlab.com/AuroraOSS/AuroraStore