Aurora Store/F-Droid

snaz

I was mainly using Obtainium for most of my apps, but after a while it got extremely difficult to find the apps I needed without the Play Store.
So I installed Google services, Store, and framework to main profile, then made two users. One for banking, and one for social media...
I keep reading that people still use Aurora/F-Droid, but then I also see a side that says its dangerous.
I am aware GrapheneOS wants us to use the sandboxed Store/Services as it is safer, but something just tells me it completely defeats the purpose of de-googleing if I go ahead and continue using them?...

Ugh I need help I am going crazy lol

DeletedUser495

snaz from privacy standpoint it's true, you don't avoid Google by using Aurora, since many apps come with Google dependencies (but then again many don't which greatly expands your pool of available apps, so if you decide to use those or restrict apps network access, they won't be able to talk to Play services and contact those domains). You can use app like App Manager https://github.com/MuntashirAkon/AppManager to analyze the dependencies your apps use and decide what you are comfortable with.

From security standpoint it's true, Aurora is not deemed as safe, but what you can do is create separate user just for downloading and verifying those apps by comparing them with Play Store versions by checking their hashes for both versions again by using App Manager > Scanner > Signatures. I hope it makes sense to you. Doing that you can rest easy using Aurora is pretty safe.

GrouchyGrape

snaz using Google play store and services on GrapheneOS (GOS) is not the same as using it on a stock OS. On stock, it's a system level app, and can effectively see/do whatever it wants.

On GOS, it's just like any other app and has to respect the permissions that any other app has, including those regulated by the user (you).

Sure, this isn't perfect and things like IPC still exist, but it's still significantly better than on stock. If you still want some level of "isolation" put the play store and services, along with apps obtained through it in the private space. You can then kill it whenever you're not using it.

KCne

I’m pretty concerned by the misinformation on this thread

snaz I am aware GrapheneOS wants us to use the sandboxed Store/Services as it is safer, but something just tells me it completely defeats the purpose of de-googleing if I go ahead and continue using them?...

DeletedUser495 Play services are a far cry from private

GrapheneOS’s purpose isn’t to de-Google, it’s to limit tracking as a whole. Solely focusing on avoiding advertising networks like Google, may not be the best way to achieve privacy.

Bear in mind that companies can hide their ownership or share your information with data brokers, even if they are not in the advertising business. Thus, it makes little sense to solely focus on the “ad-tech” industry as a threat in your threat model. Rather, it makes a lot more sense to protect yourself from service providers as a whole, and any kind of corporate surveillance threat that most people are concerned about will be thwarted along with the rest.

Using a burner Google account can help increase privacy when using Google Play and Play Services.

GrapheneOS currently recommends the Accrescent App Store. Accrescent has modern security features without needing to rely on Plan Services, but it is currently in early alpha.

DeletedUser495 You can use app like App Manager https://github.com/MuntashirAkon/AppManager to analyze the dependencies your apps use and decide what you are comfortable with.

I haven’t tried out that app myself yet, but it seems unsafe to rely on third party services to manage all of your apps. It also seems like it relies on badness enumeration to identify app trackers. If you want a better way to verify apps, use AppVerifier

snaz Do you know anything about v2ray?

That might be too technical for beginners. Common recommendations for VPNs are Proton, Mullvad, and IVPN.

snaz

DeletedUser495 trying out the App Manager, what does it mean when it tells me in the signatures tab "Verified with -insert number- warnings"?

AU1qBjx4xTbKd

DeletedUser495

I only have a Google account for my banking app, this was just what I was looking for, thanks.

Just compared the signatures for the app from the Play Store and the apk from Aurora and they match, this now gives me the confidence to rid myself completely of Google, (I can live without banking notifications).

Thanks again for taking the time to explain.

DeletedUser495

snaz after briefly reading up on this, warnings come from older v1 signatures and/or apps targeting lower android versions. Since Play Store allows publishing such apps, you shouldn't get too worried.

snaz

DeletedUser495 okay so as long as it says verified i shouldn't need to worry about looking into what the warnings actually do?

Extensively going through every app right now.

DeletedUser495

snaz what can tell you, I am no expert. Download same app from Play Store and if it comes with the same warnings, would it be enough for you to stop using it? If you didn't see it there, you probably would have no idea.

snaz

DeletedUser495 idk anymore. I appreciate how responsive you are. I have gone through so many users, and configurations that I'm turning into a psychopath. Thank you for the info. I will use this App Manager to my advantage.

Do you know anything about v2ray? I keep reading that it's a good "alternative" to a VPN.

DeletedUser495

snaz I haven't heard about it before you mentioned it. I use Mullvad for one particular purpose of hiding my traffic from my ISP and I don't expect much more from it. I focus more on restricting my use of apps, switch to pwa wherever I can and permission control. To add, I use some proprietary apps with my other foss apps where I don't mind they can collect things about me and I run all in one profile, such is my threat model that doesn't permit Google unless I'm fine with it. But I am not fine with it running all the time, however sandboxed it may be and you shouldn't be either. Don't let the sandbox put you to sleep, Play services are a far cry from private and wherever I can disrupt Google dependencies I would do it.

snaz

DeletedUser495 I got 9 more hours of my shift so that is what I will be experimenting then! Thanks!

DeletedUser495

KCne it seems unsafe to rely on third party services to manage all of your apps

This is not to manage apps but analyze classes and libraries used and extract hashes for comparison. AppVerifier unfortunately can't verify 99.9999% of Play Store apps and yes, you are also entitled to your opinion.