"Controversy" around usage of Aurora Store

DeletedUser313

As I understand, thanks to Android OS itself, you cannot update an app if the update has a signature mismatch (ie signed with a different key) compared to the currently installed version of the app. This means you merely need to make sure the 1st installation isn't malicious.

If this is true it'd mean that Aurora Store is secure enough for the average user?

monozygote

DeletedUser313 As of now I'm pretty sure of this from what I've read. I do appreciate that you need to do this extra verification (if you are paranoid, not a bad thing to be though) on 1st install but one could just mention this as a caveat instead of (almost completely) dismissing the AS approach as insecure, less private and totally not recommended.

Also you do this if you distrust AS, eg. if you believe they have been compromised or are deliberately tampering the 1st installs. Given AS is quite popular (maybe not as much as GOS) I would assume this would get noticed really fast and whistle blown. There are many folks who check their first installs of an app and others who scrutinize this kinda stuff. It's also something very easily detectable (I could do it and I consider myself an idiot). So I doubt that in practice you really need to worry about this attack vector, though ofc nothing stops you from trying to be safer.

I also feel for @pxlkng a bit here since they've been really helpful and answering a lot in such discussions so they're probably jaded by now. I'll try hitting them up on chat rooms as suggested, because I don't agree (maybe due to lack of understanding on my part) with a lot of their concerns/comparisons of AS vs Play store.

Not used chat rooms before, but I assume unlike these threads where you can dip in and out according to convenience/free-time, chat rooms would demand continuous availability? Again that's me going by the chat rooms on Stackexchange/Stackoverflow, where many groups use the same room and each group is talking about potentially orthogonal topics.

dc32f0cfe84def651e0e

monozygote The apps that require play services or are privacy invasive anyway, like social media apps or Gmail/google-maps etc which either directly talk to google or collude and share info under some agreement (banking apps), get installed in a separate profile - p3.

That's my approach as well: a separate profile with throwaway Goolag account created within same profile and not being used anywhere else.

DeletedUser313

monozygote

I don't believe the part about Android rejecting mismatched signatures has been mentioned before, or it hadn't been given enough significance considering it is a solution to app tampering which is the major 'security issue' critics mention the most

Lucario1829

DeletedUser313 i think the youtuber sideofburritos who posts a lot about graphene mentions it in his video about obtainium, actually. i knew id heard it before but couldnt remember where

DeletedUser313

Lucario1829

I was referring to this forum and in regards to Aurora Store specifically, but there seems to be a bug with Obtainium not updating apps with a new signature, and even uninstalling the app doesn't fix it

raccoondad

I would like to mention on the signature verification aspects, it would probably be fine to use Aurora as a update manager, but I'd avoid using it for first installs at the very least.

DeletedUser313

monozygote

Are you referring to this AppVerifier https://github.com/soupslurpr/AppVerifier, and do you need to import the APK itself or can it check the installed app through the apps list or something?

raccoondad

Can new apps do any harm if they've never been opened? If not it should be fine imo to just check before opening it

raccoondad

DeletedUser313 Can new apps do any harm if they've never been opened?

Yes, don't install software you can't verify.

DeletedUser313

raccoondad

It would be nice if AS allowed us to download the APK alone so we could check it in AppVerifier before installing, not sure if it does

chinook

monozygote THANK YOU for starting this discussion here.

monozygote

chinook Cheers! Yeah I would personally love to have the discussion here because more eyes, more engagement, information not siloed, people can join in according to convenience/free time, yada yada.

Not sure if GOS mods/pxlkng would be willing to engage given (IMO) a lot of people are giving a lot of importance to this topic. I've been invited to chat room and am just trying to find a stretch of time that I can be available there for a meaningful discussion. I believe it's much easier if done here.

Even if it's brief like "Point 1 is valid, Point 2 isn't or you are misinformed because <such and such>, ..." and so on. I don't think all the points I've raised have been addressed in prior discussions (or at-least it's difficult to see without point-wise labelling of what is being discussed). Folks have raised questions about IPC and those have been answered but I think I'm not contesting the points which already have a settled upon answer (like AS vs Play store doesn't make any diff if the trackers and collusion is a part of an app - I ack that in point (3) in the post).

other8026

monozygote been invited to chat room

Sorry, but this seems strange. Did someone track you down and invite you to some random chat room because you're talking about Aurora here?

wizoatk

other8026

FYI. https://discuss.grapheneos.org/d/23016-controversy-around-usage-of-aurora-store/3

On a side note, I invite you to join the official chat rooms on either Discord, Matrix or Telegram and ask your questions there. The chat rooms are much more active and better to do live discussions, and I feel you will get your questions answered there more extensively and by more people than just me and some few others.

DeletedUser495

DeletedUser313 AS allows saving downloaded apks (Settings > Installation > Delete APK post-install > uncheck), you can cancel installation, check apk and install later.

monozygote

DeletedUser495 Since the intro of private spaces (or before that just use a throwaway profile) you can just install AS in there, install app normally using AS in private space, inspect apk and if everything's fine just install it in the main profile again and push it to whichever profile you want. At-least that way you won't have to actively monitor the installation process to then cancel it.

I also think instead of doing this for all app might be just easier to do it for AS itself. It's Open Source and well used and (mostly?) well received. So if an installation of AS is trustworthy you know it's doing the right thing until at-least the next update. FDROID builds apps from source so you could use FDROID only for AS if you want as there aren't frequent updates to AS anyway (because criticism of FDROID is that it's slow by a week or more to get you the updates).

DeletedUser495

monozygote First install of AS from
https://gitlab.com/AuroraOSS/AuroraStore/-/releases

Hashes provided on site
https://gitlab.com/AuroraOSS/AuroraStore

user539

In my case I can't install Revolut and Paypal from play store so I must use aurora for that. And to update this 2 apps only.

monozygote

DeletedUser495 True, I was meaning more for the paranoid who either don't trust AS (eg. compromised) or don't trust their release process or whatever but trust the source code that they understand. In that case either read the code and build it yourself or use FDROID and trust a wider community (including FDROID folks) to have built an audited code (or a code that can be audited even in the future).

Anyway, I think we all understand there are many ways to skin this cat and it's mostly a non-issue. What @raccoondad suggested is a really good way to do it too (assuming you trust AS is not malicious in general):

I would like to mention on the signature verification aspects, it would probably be fine to use Aurora as a update manager, but I'd avoid using it for first installs at the very least.

My understanding might be a bit wonky here so correct me if wrong, but Android model doesn't let you install separate versions/modifications of the same app as long as package name is the same (even in different user profiles). Assuming you haven't spoofed your hardware, both AS and playstore should in theory fetch exactly the same apk.

If this is correct, it in many ways answers (5) if you are willing to give play store a spin in a throwaway private space or user-profile. Eg just spin up a private space/user-profile, install playstore, install your app, go to main profile, "install" app again using AS, kill off the private space (or switch it off). Done! The second "installation" (done by AS) will just fail if it were trying to bring in a tampered/different app (signature mismatch etc covered in (5) in OP).

This means you don't even have to keep gplay in your main profile where AS is managing the updates and hence not even share the current set of installed apps with it or remember to cut off network access or disable it (point (1) in OP). All that'll be known is that at some point you installed some app foo. Whether you still have it, update it, uninstalled it etc should be unknown to play. If you used burner g-account (if you can get one) and vpn then it wouldn't even know it was you. The "bad" apps in point (3) will ofc id you to themselves and possibly to big-G, but that's covered in that point.

And now you don't even need AppVerifier, the usual TOFU will work naturally and fine! How is this not private OR not secure? Am I missing something?