"Controversy" around usage of Aurora Store

DeletedUser495

DeletedUser313 AS allows saving downloaded apks (Settings > Installation > Delete APK post-install > uncheck), you can cancel installation, check apk and install later.

monozygote

DeletedUser495 Since the intro of private spaces (or before that just use a throwaway profile) you can just install AS in there, install app normally using AS in private space, inspect apk and if everything's fine just install it in the main profile again and push it to whichever profile you want. At-least that way you won't have to actively monitor the installation process to then cancel it.

I also think instead of doing this for all app might be just easier to do it for AS itself. It's Open Source and well used and (mostly?) well received. So if an installation of AS is trustworthy you know it's doing the right thing until at-least the next update. FDROID builds apps from source so you could use FDROID only for AS if you want as there aren't frequent updates to AS anyway (because criticism of FDROID is that it's slow by a week or more to get you the updates).

DeletedUser495

monozygote First install of AS from
https://gitlab.com/AuroraOSS/AuroraStore/-/releases

Hashes provided on site
https://gitlab.com/AuroraOSS/AuroraStore

user539

In my case I can't install Revolut and Paypal from play store so I must use aurora for that. And to update this 2 apps only.

monozygote

DeletedUser495 True, I was meaning more for the paranoid who either don't trust AS (eg. compromised) or don't trust their release process or whatever but trust the source code that they understand. In that case either read the code and build it yourself or use FDROID and trust a wider community (including FDROID folks) to have built an audited code (or a code that can be audited even in the future).

Anyway, I think we all understand there are many ways to skin this cat and it's mostly a non-issue. What @raccoondad suggested is a really good way to do it too (assuming you trust AS is not malicious in general):

I would like to mention on the signature verification aspects, it would probably be fine to use Aurora as a update manager, but I'd avoid using it for first installs at the very least.

My understanding might be a bit wonky here so correct me if wrong, but Android model doesn't let you install separate versions/modifications of the same app as long as package name is the same (even in different user profiles). Assuming you haven't spoofed your hardware, both AS and playstore should in theory fetch exactly the same apk.

If this is correct, it in many ways answers (5) if you are willing to give play store a spin in a throwaway private space or user-profile. Eg just spin up a private space/user-profile, install playstore, install your app, go to main profile, "install" app again using AS, kill off the private space (or switch it off). Done! The second "installation" (done by AS) will just fail if it were trying to bring in a tampered/different app (signature mismatch etc covered in (5) in OP).

This means you don't even have to keep gplay in your main profile where AS is managing the updates and hence not even share the current set of installed apps with it or remember to cut off network access or disable it (point (1) in OP). All that'll be known is that at some point you installed some app foo. Whether you still have it, update it, uninstalled it etc should be unknown to play. If you used burner g-account (if you can get one) and vpn then it wouldn't even know it was you. The "bad" apps in point (3) will ofc id you to themselves and possibly to big-G, but that's covered in that point.

And now you don't even need AppVerifier, the usual TOFU will work naturally and fine! How is this not private OR not secure? Am I missing something?

m4ri0g

I did not read everything but nobody appears to mention that many apps are not usable if not installed by the play store. more and more apps require to be installed from the play store. and installing them from AS and trying to launch. you get the play integrity api kick in with a nice error asking you to install from the play store.
at some point i tried to spoof the installation buy using shikuzu or something to no avail.

Lucario1829

m4ri0g graphene should spoof the install source itself now, as of the last couple of versions

other8026

Lucario1829 Spoofing the install source hasn't been added yet. The feature you're probably thinking of is the OS checks if an app has the Play Store "stamp," and if so it'll block injected code from running to check for some licensing status. I believe the developers still plan on adding an option to spoof the installer, so the Play Store stamp check will be useful in that case as well.

Lucario1829

other8026 oh, thanks for the clarification

Van-de-GraaffeneOS

monozygote

Thank you for that very detailed rundown! That looks like an enormous amount of work to go through, all for the "reward" of less security, less privacy and less compatibility compared to the work required to use Sandboxed Google Play cleverly. This reaffirms my choice to never use Aurora Store. And here I thought my process took a lot of work!

How I do it, for those curious:

I use a discrete "Play Store only" Google account with fake personal information to access the Play Store. I sign up for it on the Owner profile, over a "naked" connection (i.e. no Tor, no VPN, no DNS filter) on a coffee shop's free WI-FI so that I'm not asked for a phone number. Then the VPN goes back on, I sign in, install my apps (saying no to network access every time), disable all of them, then disable Play Store and Services.

Next, I sign into that same Google account in the VPN-protected private space of a secondary profile (let's call it "Being Evil"). I then install the same apps again into there, (not a big deal, I have less than ten apps from the Play Store). After that, I disable only the apps which are tracker-free, ad-free, potentially dangerous and VPN-hostile, I keep Play Store and Services enabled, then switch back to Owner.

The next thing I do is push the Play Store apps into their appropriate profiles via Settings → System → Users. Being Evil's "parent space" (for lack of a better term) does not have a VPN running. VPN-hostile apps, like banking apps, go here, along with Play Services (but not Play Store). VPN-friendly apps with ads and trackers stay enabled in the private space I installed them in. Potentially dangerous apps with insane permissions are pushed into an ephemeral Guest profile on the rare occasions when I absolutely need to use them. What remains are the immaculate apps, which are pushed into my non-evil secondary profile.

All of the above is a minor hassle, I'll admit, but from this point on, it's easy street. All I need to do to update my Play Store apps across all of my user profiles is to open Play Store in Being Evil's private space, manage apps, update all, and it's done. If I need a new app, I temporarily re-enable Play Store and Services in Owner and repeat the process.

Improvements, suggestions, warnings and criticisms are welcomed and appreciated. I'm drafting a step-by-step guide to this process and I want to ensure I have everything accounted for before I unleash it.

monozygote

Van-de-GraaffeneOS So compare that to say this point in the thread: https://discuss.grapheneos.org/d/23016-controversy-around-usage-of-aurora-store/23

In a private space anywhere use google (regular account, no vpn etc) to install all apps and disable the ones you won't use in that space. In main owner profile, install the same using AS and disable all of them. So AS can't get you malicious apps with the same package name (explained in that link - Android prevents it). You don't need AppVerifier etc to do any signature checking.

Then you just push the apps to whichever profile you want (like you mention). If apps need play services there, install it etc. Just goto owner profile once a day and manually press the "check updates" in AS and update all (point (6) in OP). That's all.

You don't need VPN (I don't have one or want to pay for one or even think it's useful for this), don't need to goto public-wifis for your setup or create fake accounts etc. I don't want to be anonymous - moment I install colluding apps like banking apps and I have cellular services on etc, I'm far from anonymous anyway, even to Google. I just don't want g-stuff in my owner profile which is always on. I want it somewhere I can just kill it without affecting most other things (specially the "good" apps). So I want to shove it to some profile or private space.

The only things I want in my owner profile are Accrescent, Obtanium (for well known/well followed Open Source apps when not in Accrescent) and AS (or whatever is a good play store alternative which doesn't track me, log all IPs wherever I go etc).

Now have said all that, I too am trying to see how to drop AS and bring in Play store. Which is why I'm exploring the best way to do it and asking questions like here: https://discuss.grapheneos.org/d/23112-enabledisable-or-blockunblock-network-access-apps-based-on-some-rules (how to enable/disable apps based on certain conditions etc).

Maybe I'll drop AS too in near future, but given my (probably flawed) understanding of things so far, I don't see AS being an absolute write-off in terms of both privacy (to me, it wins) and security (a minor hassle of manually pressing update-all once a day, otherwise Android has your back if you make sure the 1st install is always via play-store in some profile/priv-space).

Also I wish I could push apps from say private space in owner profile - that would be great as well lol - then I would just use play to install apps not on Accrescent or not famous enough (or available) for Obtanium, push them around and then lock that private space. Unlock it when home or once a day or whatever and let it update the apps.

Van-de-GraaffeneOS

monozygote AS (or whatever is a good play store alternative which doesn't track me, log all IPs wherever I go etc).

Secondary user profiles have discrete network namespaces. Would it even be possible for Play Store/Services — running on the Owner profile — to track the network activity happening on a secondary profile?

Not that Google would need to break profile isolation, of course. Anything you install from the Play Store's repositories — whether it's via Aurora Stora or the Play Store app — carries a high risk of including Google Analytics, not to mention probably having enough superfluous anti-privacy permissions to constitute a felony in an alternate version of reality¹ that respects digital security and privacy.

¹ [side-rant]: If I had a Zimbabwe dollar for every app I've seen on the Play Store that has completely unnecessary permissions (some of which don't have toggles), I could hire a team of theoretical physicists to invent transdimensional portal technology that can take me to such a place.

Christ, this app I use for trying on glasses with augmented reality is a perfect example of the ~~Play~~ Plague Store nightmare. It runs at startup, runs a foreground service, and can "directly call phone numbers" if you're crazy enough to grant it Phone permisions. Anyone with publisher-side access to that app could whip up a script that instructs every user's phone to dial *#*#7780#*#* (DO NOT DIAL THIS).

Motionsickness

Is there a way to tell which Play store apps communicate with Google or are less private? Where is this information available?

raccoondad

Motionsickness without checking the libraries from a database, you can use PCAdroid or similar software.

Fay_Wilmont

Van-de-GraaffeneOS The dialer code you shared will initiate a factory reset from what I can find. I think it's very irresponsible to mention it with only the remark DO NOT DIAL THIS. These days I'm just about wise enough to heed that warning, but even now, my gut reaction was “Okay, I should try this, it can't be that bad LOL!”

Maybe you're not that kind of person yourself, but for a lot of people, “do not do X” has the effect of them wanting to do X.

mmobder

Van-de-GraaffeneOS carries a high risk of including Google Analytics

that's why it's a good (but effort-consuming) thing to use RethinkDNS (not sure there are alternatives) to isolate apps only to access particular set of domains.

mmobder

Fay_Wilmont wanting to do X.

they will gain wisdom through this masked gem, so it's kinda positive dial code, isn't it?

Van-de-GraaffeneOS

Fay_Wilmont "it can't be that bad, LOL!"

Famous last words.

The reference to that code was there to drive the point home for those with knowledge of what that code does. The warning was put there for those who lack that knowledge. The code itself, the warning that followed it and the two paragraphs that preceded it were covered in spoiler text, marinated in context, and preceded with a disclaimer that it was just a side rant. If someone manages to make /h(is|er)/ way through all of that, gets overcome by curiosity regarding a dial code /s?he/ was told not to mess around with, and proceeds to satisfy that curiosity with a childishly defiant leap of blind faith instead of a search engine query, and does so on /h(is|er)/ daily driver, with no backups, there ain't no way I'm taking the blame for that. At worst, I've potentially accelerated the inevitable for the lowest common denominator of readers who like to run around with scissors in their hands and blindfolds on their eyes. For any of you fitting that description, please accept my sincerest "oops".

Anyway, the entire process I described in this post is already obsolete. Me and my entire household of GrapheneOS users woke up one morning to find that Google is now requiring a phone number from all of us. One of us even was hit within an account suspension after refusing to comply three times in a row. I managed to work around this problem without compromising our privacy, but I had to deploy a different strategy, and I'm a lot less keen on sharing the details this time around. Not yet, anyway. It's nothing especially clever, but they could analyze the behavior patterns if I lay it all out and people start copying it.

Fay_Wilmont

Van-de-GraaffeneOS I finally got around to testing the dialer code on the latest GrapheneOS. Sadly, it didn't do anything, what a bummer LOL. Not going to try it on my daily driver Motorola phone though :P

« Previous Page