Google Play on the owner profile and other questions regarding app stores

gvprtskvni

I've been reading a bit about the security concerns regarding the different app sources and hope to get some advice on improving the set up. The way I currently get my apps is:

1) Through Obtainium and Accrescent on the Owner profile, from where I install them on my secondary profiles. I use the Owner exclusively for managing apps, and secondary profiles for day-to-day use.
2) Through Aurora on one particular secondary profile where I have Google Play Services and Google Play Store installed but not logged in and denied network access. The profile is not allowed to run in the background. This is where I download apps that need Google Play Services, and non-open source apps in general.

From what I've read though, both Obtainium and Aurora have their problems.

Obtainium is supposed to be safe as long as you verify the apps with AppVerifier, but many apps are not in their database and the SHA-256 codes are usually nowhere to be found on the internet. Is there really no safe way to get an app that does not have a SHA-256 and is not available on Google Play Store (since apparently your not supposed to use F-droid either)?
Aurora is apparently not safe either for reasons that are probably beyond my technical understanding. That's a bit concerning since the apps I need from the Play store and that require Play Services are sensitive things like bank apps and in particular the BankID app.

I guess that leaves normal Google Play Store as the only viable option. That obviously entails signing in with an account and giving them internet access for updates. I have throwaway Google accounts that I could use, but from my previous experience, they usually don't let you log in from a VPN unless you give them your phone number for verification, which I obviously don't want to do, and I would like to avoid giving them my real IP address either. I guess I could log in on a public WiFi, but will they then block me when I switch back to VPN or Orbot?

Then there's the question of on which profile I should have the logged in Google Play. I could have it on the secondary profile where I already have Google Play Services. However there are certain open source apps that I haven't been able to verify with AppVerifier that I would like to use on other profiles such as AntennaPod, that I would have to get from the Play Store instead.

Therefore the most convenient option would be to have it on the Owner profile which, as previously stated, I only use for downloading/updating apps and installing them on other profiles. However I'm not sure how I feel about having this logged in, internet connected Google Play always running in the background. Maybe it wouldn't be so bad if I could run it through a VPN or Orbot, but like I said, I have a feeling they would block the account unless I verify it with personal information.

So, what tips do you guys have for dealing with these things? I'm thankful for any suggestions!

Psyonico

gvprtskvni I guess I could log in on a public WiFi, but will they then block me when I switch back to VPN or Orbot?

I logged in then activated my VPN. I have no issues using Google Play while connected to a VPN.

DeletedUser495

gvprtskvni I have another funny way of verifying apps frrom Aurora.

I extract the signatutes of the app with scanner of App Manager and compare them against the signatures published on Apkpure, ApkMirror or both. Done it with many apps and it always checks out, that is why I've had high trust that Aurora (Google Play frontend) serves me the right versions. No one is going to talk or beat it out of me. Goodbye Google Play.

harp

Psyonico I logged in then activated my VPN. I have no issues using Google Play while connected to a VPN.

Yes, with an existing active (throwaway) account it should work, also with Orbot.

gvprtskvni However I'm not sure how I feel about having this logged in, internet connected Google Play always running in the background.

If you want to use it in your owner profile only for installing and updating, you don't have to keep running sandboxed Google Play Services and Store all the time. You can keep them deactivated and just activate them from time to time to search for updates manually.

gvprtskvni

DeletedUser495

DeletedUser495 I extract the signatutes of the app with scanner of App Manager and compare them against the signatures published on Apkpure, ApkMirror or both.

Sorry, could you describe this in more detail? How exactly do I extract these signatures?

DeletedUser495

harp this is not the only way how tracking works. Various snippets can be written into files and conveniently sent off at any later time whenever app is reactivated or network access reestablished, even via IPC.

harp

DeletedUser495 I get a feeling you don't have an idea what purpose disabling of Play services serve. If you want to use it for pushing apps to other profiles, you might as well let it run all the time or you will have no idea when an apo actually receives an update.

That's absolutely for sure. I don't know how you can think I wouldn't be aware of that. That's why I wrote that in the first post you replied to:

harp You can keep them deactivated and just activate them from time to time to search for updates manually.

That's what I meant: because the lack of automatic update notification while Play Services disabled, you need to activate them frequently and push an update search manually (and update of course if available). Most people may be fine doing this once a day, some maybe even less frequently - as ever you like. That's still a better practice than e.g. on iPhones: There you don't get notifications for available updates though automatic app updates are active. When you look at the update section in their app store you see a couple of available updates listed, sometimes for a couple of days until they are updates automatically or you do it manually. For what reason ever...

harp

DeletedUser495 Don't know what you're referring to. I didn't write anything about tracking, just that there's no need to have play service running in background all the time just for installing and updating purposes.

DeletedUser495

gvprtskvni I should not describe the process further here as it is not a legit or accepted method of verifying installs and I don't want to receive any backlash from moderators, just wanted to give you a food for thought, but if you should insist on me doing that I can do that later when I find time to do it.

DeletedUser495

harp I obviously am no expert but apps can track actively (monitoring performance and stats while running) or passively (by writing them into files). User interaction in the process is not necessary and actually unwanted but some apps go out of the way to achieve it by adding these libraries into their code.

harp

DeletedUser495 It seems to me that we're talking different languages. Again your reply has nothing to do with the point I wrote about. I was never referring to tracking or something like that in any way.

DeletedUser495

harp I get a feeling you don't have an idea what purpose disabling of Play services serve. If you want to use it for pushing apps to other profiles, you might as well let it run all the time or you will have no idea when an apo actually receives an update.

And like I hinted in another discussion followed by another great post
https://discuss.grapheneos.org/d/24303-fingerprinting-across-different-profiles/8
you can't potentially prevent linking your activity in a long run by compartmentalizing it into profiles on the same device.

For me running several user profiles has another disadvantage and that is frequent upstream AOSP bugs and reduced convenience and higher battery drain. Hence I stick to running only one profile with a few quality selected apps with as minimal permissions as necessary, where I can avoid apps I use web service in Vanadium and wherever I can, disable Javascript.

Everyone has different understanding and need for privacy but having a good idea what can be expected is like @de0u said a good start in making an informed decision about your setup and future use of your device.