com.android.vending restriction

ngrigoriev

Hi!

For the first time after many months with GrapheneOS I have faced this issue: an app that I need refuses to launch because it requires to be installed from the official Google Play Store. And I used Aurora...

I did read all arguments about GPS, pros and cons, how Graphene makes it safer etc. I do not like the idea of having to fight with Google when creating a throw-away account that cannot easily be traced back to my real identity. But here is more practial question.

I have a separate profile for installing the apps and then I install the apps in several profiles, different apps according to the purpose of the profile. Theoretically, with Google spyware, I will have to install it not only in that "update" profile, but also in the profile where I need the app. And I specifically did not want that. Also, running GSF and Play Services in the admin profile (to get advantage of the ability to "push" the apps) does not seem like a good idea either. Admin profile is always active, and, thus, Google spyware will be always active too. Right now I keep that Google spyware in a profile that is NOT active.

I do not like the idea of adb-based installation (even if it works, did not try) because of the updates.

Modifying the installer package seems impossible because of the lack of root access.

Dead end?

de0u

ngrigoriev Contact the app developer? I think I've read that all that's necessary is unchecking a box in the developer console.

Probably9857

ngrigoriev I will have to install it not only in that "update" profile, but also in the profile where I need the app

Maybe, maybe not. Apps can see where they were installed from. Just because an app insists that it be installed from Play Store does not necessarily mean it requires Play services to function.

GrapheneOS has a planned feature to make apps look like they were installed from the Play Store when possible (when the necessary metadata is present). I don't know the timeframe, but I would imagine it will be relatively soon, as this is increasingly a problem, and app compatibility is a high priority for the project.

userofgos

ngrigoriev It is a major fintech app - crypto.com one.

ngrigoriev I do not like the idea of having to fight with Google when creating a throw-away account that cannot easily be traced back to my real identity.

I don't quite understand your reasoning here. In order to use any crypto exchange, like crypto.com, you have to verify your identity. What difference does it make if Google knows you installed the app (regardless of if it was tied to your real or dummy google account)?

Also, as other threads have discussed, you can connect to a public wifi network (McDonalds, Starbucks, etc.) to easily create a dummy google account, and enable 2fa via TOTP immediately after to avoid being forced to enter a phone number. Simple as that, done this numerous times.

ngrigoriev

de0u Unlikely. It is a major fintech app - crypto.com one.

ngrigoriev

Probably9857 Interesting, can you point to the feature if you have the link already? I was under impression that they were strictly against any form of spoofing.

Yes, I do think the app may function without Play Services, but it certainly has to be installed with them :) Are you suggesting to install all this Google stuff in the target profile just to install the app, and then remove it?

Probably9857

ngrigoriev

https://github.com/GrapheneOS/os-issue-tracker/issues/5406

Note: priority-high tag

I'm not advising you to do anything. Just correcting what appeared to be an incorrect assumption. You'll have to make your own decisions.

Byku

Currently most alternative app fronts (Obtainium, F-droid, Aurora Store) offer com.android.vendor spoofing with ADB if you have Shizuku running. I'm not sure how viable it is since the system can see if an app was installed via ADB so I guess it would be trivial to deny app working when it is installed in this way. If the OS itself could do it that it would be way smoother I guess.

ngrigoriev

userofgos Actually, I want Google to know as little about me as possible. Not to mention that Play Store requires the GSF running.

Have you created a Google account yourself lately? Because it does insist on verifying the phone number, even before you get to 2FA. At least last time I tried...

userofgos

ngrigoriev Actually, I want Google to know as little about me as possible.

Totally understandable and respect that.

ngrigoriev Not to mention that Play Store requires the GSF running.

Just and FYI, since the 2024101600 release, GSF has been removed.

Sandboxed Google Play compatibility layer: add stubs to fully remove the need for the Google Services Framework (GSF) app for fresh installs of sandboxed Google Play, which has been removed as a dependency in our app repository for Android 15+

Maybe you meant to say that Google Play Services is still required to run?

ngrigoriev Have you created a Google account yourself lately? Because it does insist on verifying the phone number, even before you get to 2FA. At least last time I tried...

I admit, I haven't tried recently, though I'm getting ready to setup a new user profile, so I will try then. Were you using a VPN?

ngrigoriev Bottom line, this app will require real Google Store.

This is a reality for a lot of apps unfortunately.

ngrigoriev

In fact, I have tried to install the app manually to see how far I can get it. No luck. This thing actually integrates with Google Play Store deeper than just checking the installer name. I was able to install it using "pm install -i". Here is what I see in the log now:

73511 08-26 16:03:12.818 16864 16914 W GooglePlayServicesUtil: co.mona.android requires the Google Play Store, but it is missing.

Bottom line, this app will require real Google Store.

Now I am asking myself if the company is unable to offer the Web-based service on par with their mobile app, do I actually want to use them at all?...

ngrigoriev

userofgos Thanks a lot for the pointers! I will try to do it all over the weekend, but it seems to me that the algo for getting these "problematic" apps will be more or less as follows:

Separate profile with Google Play Services, GFS (if the apps need it) and Google Play Store app.
This profile will not run in the background and I will be closing it when switching off
The profile will need an always-on VPN. VPN will have to use an endpoint that would be OK for the apps. I suspect some apps may not like the users connecting from odd locations ;)
a Google account needs to be created just for that Play Store, using another VPN location (TBD) that will allow to register it without the phone number. It seems that Google is less strict on the locations where cellular service is not so widely available.
Install the app in that profile with official Play Store app.
I will try to disallow Play Store to run in background or use background data.

Anything else I can think of to improve the isolation? It is not perfect, but at least makes me feel better :)

userofgos

ngrigoriev Google account needs to be created just for that Play Store, using another VPN location (TBD)

You're welcome to try with a VPN, but from what other users have reported, you are more likely to be asked for a phone number. I haven't had a problem yet when using public WiFi at a McDonald's without VPN.

In case that doesn't appeal to you, a different approach would be:

Create a Guest User profile
Connect to public wifi
Create the Google account there and setup 2FA, then logout
Delete the Guest user profile.
Create dedicated User profile
Setup Always on VPN
Then sign into the Google account.

Cumbersome approach that may or may not be effective at limiting the chance of being asked for a phone number, and may or may not limit the chance of tracing back to your identity.