Is using GrapheneOS perfectly legal and not violating any TOS or other terms?

Blastoidea

As long as there is “no intent to defraud” you can pretend to be anyone, short of impersonation.

Establishing that there is/was such an intent, makes lawyers’ eyes light up.

Encelados

Blastoidea As long as there is “no intent to defraud” you can pretend to be anyone, short of impersonation.

I have no such intentions. I'm a very careful person trying to not get into legal conflicts. Which is why I was insecure about using Aurora Store which seemed not fully legal to me.

Encelados

@fernlike
Wow! That's exactly the type of answer I was looking for! What a great committment of yours explaining it with such great detail! Thanks a lot!! Let me see if I got it, but first let me get back to your second answer as this is not as complex as the first one and can be quickly processed:

AI generated text is forbidden with the exception of automated translation.

Use of a translation tool must be marked in either your user bio or the first post in a thread where you're using it. Use a dedicated translation tool, not a generic text generator like ChatGPT.

For new members convenience, we have a dedicated post with a detailed explanation here.

ref: generated slop redacted

So what exactly do they mean by spoofing? What is being spoofed in terms of Play Integrity? And what exactly does Google know about it and allow on a "small-scale" but would block on a big scale in terms of Play Integrity?

Something tells me, they're referring to these 3 types of states: "basic integrity", "device integrity", "strong integrity".

Does GrapheneOS not meet any of them and thus violate Google's TOS?

Thanks a lot!

fernlike

Encelados Wait, maybe you misunderstood me. I was never speaking of the Aurora Store, what I meant was, if I have purchased apps that I want to use on a phone that doesn't have Google Play Services (e.g. GrapheneOS), I would simply install Google Play Services on GOS, then log in using their original Play Store and download these apps.

I understood you but it seems I wasn't quite clear enough ;)

I was giving a use case for why you'd might want to use Aurora Store while logged into your Play Store account. That is:

If you have a phone that doesn't have Play Services,
and you can't/won't install the Play Store,
and you want to install apps you have already bought,
then you can use Aurora Store to install them.

But doing so is against the ToS for using the Play Store (regardless of whether it's a paid for app or not), so you risk getting banned:

4. Rights and Restrictions

Restrictions: You may not:

[fourth bulletpoint] attempt to, or assist, authorize or encourage others to circumvent, disable or defeat any of the security features or components that protect, obfuscate or otherwise restrict access to any Content or Google Play.

If you're fine using Grapheneos' sandboxed Play Services/Store then you don't have anything to gain from using Aurora.

Encelados But the way I understand you, you're referring to Aurora Store here, right?

Yes, basically the whole point of the Aurora Store is to spoof the Play Store location restrictions and tracking, while still downloading apps from Google's servers.

Encelados If I use the Google Services installed on GrapheneOS all of this does not apply to me?

Correct.

Encelados I quickly abandoned Aurora Store because I was insecure about how legal and safe it is.

I don't believe it's illegal anywhere so that's not a risk. It is less secure though, see this comment for a more technical explanation of the issues with Aurora Store.

As for the tweet, let's me break it down a bit. Do note though that I don't know the technicals particularly well, so I'm likely getting it a bit wrong. But I belive I can explain the broad strokes.

GrapheneOS has working hardware-based attestation which shows that it's running GrapheneOS. Neither device or strong will pass because those check for Google certification and Google would quickly block it if it was deployed at scale. They know you're spoofing it but don't care.

What they're saying here is that when the Play Integrity API (PIA henceforth) tries to verify that your device is "legitimate", Grapheneos straight up says it is Grapheneos, i.e. the opposite of spoofing.

Device and strong are two of the things PIA can check to verify that your device is "legitimate". Grapheneos does not pass those checks (it passes the basic integrity check which I belive is what is mostly used by apps).
So if an app asks PIA to check that your device is "legitimate" it would get a negative back on device and strong. Depending on the apps requirements that would either lead to a "nope, you're not getting in" or "go on in" if they don't check those.

To reuse my bouncer analogy, the bouncer has a guest list with who's allowed in. If they only ask for your name and finds it on the list (i.e. the basic check), in you go. But if they ask for your name and your ID card (i.e. device and strong checks), and they aren't the same? You're not getting in.

The Grapheneos developers could start spoofing (i.e. lying) those checks, which would allow us users to install apps that require passing those. But it would be a very temporary solution, because Google would—and very much do—put a stop to any large scale spoofing. But as long as it's just a few here and there, it's just not worth the effort for Google. And it's not worth the effort for Grapheneos to implement bad temporary solutions.

If we take Aurora Store again as an example, it does spoof one or several of the checks by basically telling Play Store your're on a different device and in a different country than. While this works for a while and to an extent, it also breaks every now and then. Because the loopholes that Aurora Store uses are seen as bugs by Google, and they'll eventually get patched. then Aurora Store needs to find a new solution or give up. It's just a constant game of whack-a-mole.

Encelados which I got from ChatGPT asking about Play Integrity):

Please note that using LLMs/AI for anything but translating is not allowed on this forum. LLMs are not a trustworthy source of information and often will just make stuff up when answering questions.

Again, I'm probably getting the details wrong, but I think the general gist is correct. Hope it helps (otherwise just ask more questions)!

de0u

Encelados [...] ChatGPT [...]

Posting LLM output is a conduct violation on this forum, because posting LLM output on the Internet poisons the Internet.

https://discuss.grapheneos.org/d/28003-enable-the-erase-data-button-in-the-power-menu-on-grapheneos/7

Watermelon

Encelados I first used Aurora Store but then read that it might not be legal as Aurora Store uses a "fake Google account" to access Play Store

Aurora Store's anonymous account is probably violating Google's terms of service, but probably isn't breaking any state laws. It's a huge difference: if you break terms of a service, you're ineligible to use it; if you break state laws, you could be fined or jailed (or worse!). So please differentiate and don't call it “illegal”, call it a “violation” for example. (That's not to say I'm encouraging violating terms because it's not illegal.)

Encelados The discussion concerns "Google Play Integrity". […] GOS eventually responded saying something about "spoofing" and that "Permitting individuals to spoof it is fine to them [Google]". The word "spoofing" has a slight illegal ring to my ears so it now has me wondered what is actually being meant?

Play Integrity is a set of anti-competitive services offered by Google, marketed to app devs as security features, although they really don't enforce security, but rather enforce Google's monopolistic practices, which is blatantly illegal (disclaimer: I am not a lawyer).

Android that comes with Google Play Store, the largest app store for Android (not by chance, read on), must abide to Google's monopolistic policies. This includes, for example, the manufacturer being required to bundle all the Google bloatware preinstalled with invasive access (Chrome, Gmail, Google Drive, Google Photos, and all their other crap, Gemini too I think nowadays). This gives Google a business edge because users can install alternative services, but they already have Google preinstalled, so why should they? Google can't give Apple's excuse that it's their own proprietary OS, because it's not. Android is open source, it has always been since it's inception, and that's how it's been intended to be always, as far as I know. Android's source code is published as Android Open Source Project (AOSP). Manufacturers, and the GrapheneOS project, take AOSP and build upon it, having their own operating system derived from AOSP. Yet they all must preinstall Google's shit with invasive privileged access, or suffer the consequences. Manufacturers comply. GrapheneOS doesn't, and can't without reforming what it is, as per what they have said in their official posts in the past.

The most talked about feature in the Play Integrity suite is the Play Integrity API. It's an API that apps can call to check whether the operating system you're running is certified with the Google Play monopoly crap. Since GrapheneOS isn't, some apps, like bank apps, that use this API then tell you that your device is “insecure” or “rooted” or other nonsense, and tell you to revert to stock. Root is incompatible with the security model of Android and GrapheneOS. GrapheneOS tries hard to contain all OS components and user apps to the lowest privileges possible, and isolate them all from one another (this is called: “sandboxing”, because the sandboxed app/component is put into its own little playground), whereas “root” means that you can grant any app that you want complete unrestricted privileges on your device (which is obviously the opposite of putting something in a sandbox). GrapheneOS also tries hard to make sure that whenever you boot up your phone, you're running the authentic GrapheneOS, not modified by malware (this is called: “verified boot”, because you only boot verified software). (You could still have malware installed as an app, but any malware-made (or user-made) modifications to the OS are detected and rolles back, and if it's not possible to roll them back, your phone is prevented from booting to prevent the modifications from having further effect.) When GrapheneOS does this, it captures certain information about this and forwards it to a chip inside the phone called the “secure element” generically, or the specifically in Pixel 6 and later, the Titan M2 chip; since this chip is separate from the OS, it can create messages and sign them in a way that mathematically proves that the messages came from the chip rather than from the OS running on it — it uses that to create a message with info about the running OS after the OS has passed all these checks that it's authentic and all of that stuff (this is called: “attestation”, because the secure element attests info about the security of your device). This is meant to be used by apps that require online services, they send this signed message to the service (this is called: “remote attestation”, because you're attesting to a remote service that checks you), and the service only allows you to enter if you're running their app on a secure device where these checks are working properly, and the checked OS is known to not have this “root” feature. The thing you quoted talks about people who use the root access they have to install a key (the piece that's needed to create these mathematical signatures) that was stolen from the “secure elements” (not exactly, this feature can also work with something less secure than the secure element, but let's ignore it for simplicity) of some old insecure devices. When Google lets their Play Integrity API approve these users, it's because Google can see that these users are sending messages, containing info about widely varied and sometimes relatively up-to-date Android versions running on widely varying hardware, but signed by the same old devices, but Google lets them pass the highest grade in their Play Integrity API despite that. The Play Integrity API receives the raw signed attested info from the secure element, and based on this assignes the grade (strong, device, basic, or no) and returns the grade to the app service that requested your device to be checked. The fact that the app service gets only an opaque grade signed by Google's Play Integrity API servers rather than the raw info signed directly by the secure element on your device is one reason why the Play Integrity API is less secure. The fact that Google assigns the strong grade to known-insecure devices is another reason. GrapheneOS itself isn't interested in using stolen keys, and GrapheneOS itself provides a built-in app that they invented, called Auditor, that relies on the raw signed data to attest to you (yes, you the person) the raw security information of your device. This app obviously needs to tell you truthful information, otherwise it'd be pointless.

Another feature in the Play Integrity suite is something that app devs can activate that uses the Play Integrity API inside the Play Store even before the app is installed on your phone. If your phone doesn't pass, the app completely disappears from Play Store on your device and if you already had it installed you just silently stop receiving updates to the app, even if these updates contain security fixes to the version you're stuck with, and even if the version you have stops working. You don't get notified when this happens. If you happen to know the exact name of the app you want and search it, you'll get a message saying something like “Looking for (app name)? This app won't work for your device”. If you manage to open the app's Play Store page inside the Play Store app (such as by opening it from the web browser first), you'll see a red error text saying that the app “won't work” anymore (blatant lie).

And another feature that app devs can activate makes the Play Store automatically inject crap into the app when you run it that does checks. For example, one of the checks it does is whether you installed the app from the Play Store itself, or from another source. It doesn't check that the app is authentic, it could be the exact same unmodified app, but if you installed it from a source other than Play Store (for example to get around the crap in the previous paragraph) then it blocks you from opening the app. GrapheneOS patched this several months ago, you might be interested in their words:
https://grapheneos.org/releases#:~:text=2025052000%20release:-,disable,jailbreaking))

disable anti-competitive code being injected by the Play Store into apps choosing to enable "App integrity > Automatic protection" when there's a valid Play Store source stamp signature (proving that it's an unmodified app from the Play Store, so we aren't disabling an integrity check) since it prevents using the apps on GrapheneOS when apps also choose to enable "App integrity > Store listing visibility" with either the "Device integrity checks" or "Strong integrity checks" values enforcing having a device licensing Google Mobile Services and running the stock OS (circumventing this is protected by the DMCA exemption for jailbreaking)

(I added the emphasis.)

Encelados All I want to know basically is whether I myself am safe and fine using GOS and by doing so I'm not violating any TOS or even doing something that's illegal

GrapheneOS is open source, is itself based on the Android Open Source Project (AOSP), and only supports devices that let their users unlock them and replace their operating system with a custom OS, including the custom OS's ability to use the same hardware security features just as well as the stock OS can use them.
https://grapheneos.org/faq#future-devices

Encelados I could get into trouble by Google suing or anything. I quit using Aurora Store as soon as I found out that it could be considered copyright infringement

I'm not aware of Aurora Store being in violation of copyright. Aurora Store is open source btw. (It's also insecure, so it's good that you don't use it. Take in mind that Android apps cannot be updated if the updated version doesn't match the installed version with its signature, so installing updates through Aurora Store is probably safe, rather than new apps which is risky.)

Encelados I'm in Europe, so should be fine I guess.

France, by any chance?
https://grapheneos.social/@GrapheneOS/115575997104456188
https://grapheneos.social/@GrapheneOS/115583866253016416
https://grapheneos.social/@GrapheneOS/115589833471347871
https://grapheneos.social/@GrapheneOS/115594002434998739

Encelados (hopefully) original Play Store

The GrapheneOS team are professional experts. So when you install Google Play from their built-in App Store, you can be damn sure that they verified it beforehand that it's Google's official untampered Google Play. Although the OS itself doesn't currently block you from installing apps written by others than Google that impersonate Google Play. Although, in the recent weeks I've seen a few posts from the GrapheneOS project account where they say they've become convinced that this is a security issue, and they intend to patch it soon. I don't know how they're gonna handle users who already have installed an impersonation of Google Play (one such “impersonation” which is somewhat widely known in the privacy circles is called microG, an open source (yet also insecure and imperfect) reimplementation of Google Play that's specifically meant to not present itself deceptively as being the original Google Play). It would still not protect you from installing a malicious impersonation of Google Play, but the impersonation would work on you (which is still very dangerous) rather than fooling the apps on your device into thinking they're communicating with Google's official Google Play services.

Encelados Something tells me, they're referring to these 3 types of states: "basic integrity", "device integrity", "strong integrity".

Does GrapheneOS not meet any of them

GrapheneOS currently passes only the “basic” anti-competitive checks, simply because Google chooses to. It's very generous of them, I know. GrapheneOS doesn't pass neither the stronger “device” checks, nor the strongest “strong” checks. “Strong” is still an insecure check that lets insecure devices pass it (not just the old insecure devices I mentioned above), and the check itself and the way it's reported to the apps' services is less secure and less informative/rich than the info reported directly by the underlying feature (attestation). “Device” check is some bullshit between the “basic” and “strong” ones.

GrapheneOS doesn't spoof anything to the Play Integrity API. They say that if they did, their userbase is large enough that Google would notice and block it. As was said, Google can see everything, they just don't care about some people here and there doing it on their own.

Encelados I got confused by the word spoofing and thought, GOS was constantly spoofing / deceiving Google services and was worried that as soon as I log in with my actual Google account they will notice I'm using an OS that's not "playing right".

GrapheneOS includes a compatibility layer to allow Google Play to be installed as a normal app without invasive privileges. So basically it does deceive Google Play into falsely believinf that it has invasive access on your device, while not actually having any, for your protection. What's illegal here is Google's monopoly, not what GrapheneOS is doing. Disclaimer: I am not a lawyer. This might be a violation of Google's terms though, but I don't think so because I've never heard anyone saying that, and quite frankly I don't care, because it's our phones.

n3t_admin

Encelados I'm in Europe, so should be fine I guess.

Yep.

Encelados They don't really care about what exactly? Using GOS? Using Aurora Store? Using Play Integrity Services within GOS?

All of those.

The rest was already explained in detail.

Encelados

Thanks a lot again! So to sum it up, I don't need to worry using GOS and sandboxed Google services even though sandboxed Google will result in my device not passing the Play Integrity Certification and some apps might not run because of that.

I got confused by the word spoofing and thought, GOS was constantly spoofing / deceiving Google services and was worried that as soon as I log in with my actual Google account they will notice I'm using an OS that's not "playing right".

But this:

fernlike The Grapheneos developers could start spoofing (i.e. lying) those checks, which would allow us users to install apps that require passing those. But it would be a very temporary solution, because Google would—and very much do—put a stop to any large scale spoofing. But as long as it's just a few here and there, it's just not worth the effort for Google. And it's not worth the effort for Grapheneos to implement bad temporary solutions.

is the crucial information for me. If the GOS team decides not to implement "bad temporary solutions", as you say, I can now assume that using the GOS system is legally safe and not violating any Google TOS - in order to come back to my headline?

fernlike

Yes, the only issue is that we can't use certain apps due to not meeting the Play Integrity API requirements. And while the number of apps are likely to increase (as the tweet was about), banning Grapheneos outright from the Play Store is probably illegal, seeing how Apple has been forced to enable EU residents to use third party app stores on Ios. Eventually we'll probably have to complain officially to the EU that Google and app developers are essentially doing the same thing on Android.

Encelados even though sandboxed Google will result in my device not passing the Play Integrity Certification

Bit of a correction here. It's running Grapheneos itself that doesn't pass the integrity checks, not sandboxed Play Services. As I understand it, Google basically has a list with allowed OSes (i.e. all the Android phone manufacturers) and Google refuses to add Grapheneos to it.

Encelados the GOS system is legally safe and not violating any Google TOS

Correct. For example, some months ago I had to send in my Pixel 8 for a free display replacement (through Google) and I did not reset it to stock beforehand. So Google doesn't really care at this point.

Probably9857

fernlike Google basically has a list with allowed OSes (i.e. all the Android phone manufacturers) and Google refuses to add Grapheneos to it.

The list is not arbitrary. It is OEMs who have licensed Google Mobile Services and agreed to comply with its terms.

Encelados

Also a big thank you to @Watermelon for this extremely detailed explanation on the core aspects of my question!!

Good to see that there's still a forum out there whose members are committed to help!!

Watermelon France, by any chance?

Nope, not from France, but from their neighbor to the right. I've read about the most recent developments in France regarding GOS... I do hope the same developments won't be forming here too...
The introduction of the EU-wide "chat control" is scary enough, as it is.

Watermelon GrapheneOS doesn't spoof anything to the Play Integrity API. They say that if they did, their userbase is large enough that Google would notice and block it. As was said, Google can see everything, they just don't care about some people here and there doing it on their own.

Good, that's important to me. I just want to be sure that by using GOS I'm not participating in anything that could get me into danger or conflict (legally or not). That's why I keep asking about Google's TOS and legal aspects.
Also, when I say "illegal" - by nature of my own mother tongue - I do not necessarily intend to mean "jailtime-worthy". Illegal in my understanding can be anything, not necessarily reserved to breaking (US) state law. Parking on the wrong side of the road is "illegal" too, technically but wouldn't encompass jailtime.

So just to clarify any misconceptions induced by language barriers.

Watermelon As was said, Google can see everything, they just don't care about some people here and there doing it on their own.

To get this right: but this refers only to those who deliberately spoof Google's Play Integrity API? This is not automatically the case by simply using GrapheneOS and the Google services they provide?

Watermelon GrapheneOS includes a compatibility layer to allow Google Play to be installed as a normal app without invasive privileges. So basically it does deceive Google Play into falsely believinf that it has invasive access on your device, while not actually having any, for your protection. What's illegal here is Google's monopoly, not what GrapheneOS is doing. Disclaimer: I am not a lawyer. This might be a violation of Google's terms though, but I don't think so because I've never heard anyone saying that, and quite frankly I don't care, because it's our phones.

This had me wondering so I did a little research on that trying to find more answers about "deceiving Google Play".
This is what I found:

Apparently, GrapheneOS developers would "not implement something (i.e. Sandboxed Google Play) that would result in users being banned because they (the users) are/were using GrapheneOS."

Also, Google does not prohibit other vendors from allowing users to install Google Play and other components on their devices according to this GOS twitter post.

Google's engineers support our work. Many of them use GrapheneOS. It's unfortunate their business side doesn't currently want to collaborate with open source projects instead of only working with Android OEMs. It's not an issue of them despising it but poor business decisions.

It would benefit them to collaborate with us since we would go back to making upstream contributions and we do a lot of innovation which ends up helping them by providing a roadmap for them to follow. Their business side just doesn't understand open source and sabotages it.

In addition, there's another thread on here discussing exactly my concerns: Has the GrapheneOS project ever run into any legal issues with Google because Play services, GApps, and the Play store is offered?

It is said there that

This was already to a degree addressed here (timestamp included) and elsewhere in Matrix rooms when the compatibility layer was new. I think I remember reading they even ran it by Google (but don't quote me on that).

Also in their whitepaper describing The Android Platform Security Model, authors even publicly acknowledge that approaches like microG exists and people use it, but that it "may not be complete or behave differently". GrapheneOS on the other hand includes a compatibility layer to use the official unmodified releases of Google Play as sandboxed apps and their app repo just has mirrors of those to make sandboxed Google Play easy to install.

Google only prohibits preloading Google Play and other components like Google Services Framework, Google Play Store, Google Backup Transport, Market Feedback Agent, etc. Google does not prohibit from non-certified OS vendors from letting users install Google Play and other components on their own.

Of course, most of these are answers from users not officially genuine answers by the GOS team themselves. So there's always the possibility to be wrong about some specific aspects.

The problem is: I hardly see any way to completely go without using Google (at least Google Play Store). f-droid may have some interesting apps but by far not as many as Play Store. I could try to find the APK files for the apps I want on sites such as apk mirror or anything, but the risk of catching one with malware would be higher, also, how would I get frequent app updates without using the Play Store? Would I have to update every app by hand on my own?

That's rather impractical. So unless there's a legal and safe alternative app store to Google Play Store (and I'm not speaking of Aurora Store here), I don't know how to get along without using Google on GOS.

fernlike

Encelados I just want to be sure that by using GOS I'm not participating in anything that could get me into danger or conflict (legally or not). That's why I keep asking about Google's TOS and legal aspects.
Also, when I say "illegal" - by nature of my own mother tongue - I do not necessarily intend to mean "jailtime-worthy". Illegal in my understanding can be anything, not necessarily reserved to breaking (US) state law. Parking on the wrong side of the road is "illegal" too, technically but wouldn't encompass jailtime.

So just to clarify any misconceptions induced by language barriers.

Ok so you don't seem to understand what ToS actually is. ToS is not a law, it is:

the legal terms (see term entry 1 sense 4) that set forth the nature, scope, and limits of a service (such as one offered through a website or an app) and the rules that the service's users must agree to follow.

If I invite you to my home for dinner, you are expected to have manners and behave while you're in my home. If you instead tell me my food is disgusting and my home looks like garbage, you will be told to leave and not be welcome back. But you're not breaking any laws. I can't call the police and have you arrested. That's what ToS are.

If Google wanted to stop Grapheneos, they could simply disable bootloader unlocking on Pixel devices (just like certain US phone operators do with OEM unlocking). By allowing it they are implicitly saying it's ok. The only thing you risk is potentially not being covered by the limited warranty:

This Limited Warranty only applies to hardware components (and not to any software elements) of the Phone and does not apply to damage caused by normal wear and tear, accidents, misuse (including failure to follow product documentation), neglect, disassembly, alterations and external causes, such as, but not limited to, exposure to sharp objects, exposure to excessive force, anomalies in the electrical current supplied to the device and extreme thermal or environmental conditions. This Limited Warranty does not guarantee that use of the Phone will be uninterrupted or error-free.

The function and purpose of a Terms of Service and Code of Conduct is to protect the business/organisation from any legal liability. Not for prosecuting it's users.

For more see:

Encelados I could try to find the APK files for the apps I want on sites such as apk mirror or anything, but the risk of catching one with malware would be higher, also, how would I get frequent app updates without using the Play Store? Would I have to update every app by hand on my own?

If you do not want to use Play Store, many Grapheneos users (including me) use Obtainium together with Appverifier. See this video for an explanation on how to use Obtainium and this video for Appverifier.

Watermelon

Encelados To get this right: but this refers only to those who deliberately spoof Google's Play Integrity API?

They're not spoofing the Play Integrity API, they're spoofing the attestation results to the Play Integrity API so the latter would give them a strong grade. The app service can detect whether the grade is signed by the Play Integrity API servers.

Encelados This is not automatically the case by simply using GrapheneOS and the Google services they provide?

Indeed, GrapheneOS doesn't currently spoof attestation to the Play Integrity API, nor any other app. Any app attempting to use attestation on GrapheneOS would get a truthful response. You can use the Auditor app to see what info they'd get if they use the attestation feature (instead of the Play Integrity API which gives an opaque grade).

Encelados f-droid may have some interesting apps

Encelados sites such as apk mirror

Encelados Would I have to update every app by hand on my own?

fernlike many Grapheneos users (including me) use Obtainium

F-Droid is insecure and causes issues deliberately for GrapheneOS users due to what seems like incompetence:
https://discuss.grapheneos.org/d/18731-f-droid-vulnerability-allows-bypassing-certificate-pinning
https://discuss.grapheneos.org/d/21773-unexpected-permission-detected-other-sensors/13
https://archive.is/2Q5zF (see the explanations from Daniel Micay)

Obtainium is untrustworthy:
https://discuss.grapheneos.org/d/20526-best-way-to-update-manually-installed-apks/8
I've also heard it's a very big and bloated app, but I don't use it myself so I'm not sure.

Google Play Store and Accrescent have the advantage that they're offered in the built-in GrapheneOS App Store, which is covered by verified boot on GrapheneOS. These three app stores connect to their servers with a hardcoded TLS certificate, and verify with a hardcoded key that the apps/updates downloaded from them are properly signed by this key. This means that if someone compromises the servers of the GrapheneOS App Store, Google Play Store, or Accrescent and replace an app with a malicious version, the app store on your device would detect this and refuse to install the app/update. TLS is the standard protocol used to secure communication over the internet, including HTTPS (= HTTP+TLS). TLS has various modes but the common mode (such as in HTTPS) is that the site/server you connect to presents its certificate, and you verify the certificate's authenticity by checking that it's approved by any one of the certificate authorities (CAs) that come preloaded/prerecognized in the operating system's or browser's trust store. So these app stores are also secure in case a certificate authority (CA) is compromised/malicious and the app store's servers are impersonated by someone using a fake certificate that'd still get accepted by your web browser because the compromised/malicious CA approves it. By looking for a hardcoded certificate, this attack is prevented. (It's feasible for an app of a specific service, like an app store, to hardcode its own certificate. But we can't expect the browser to come hardcoded with certificates for all sites on the web, right?) Apps themselves are also signed with a key. Traditionally, the expectation is that the app dev holds this key. So if you already have the app installed, an attacker can't forge a fake update to the app that would install properly on your device, inheriting all the data and permissions from the previous version, unless the attacker manages to hack the app dev and steal their key (and even then there's no guarantee the attacker can deliver this forged update, for example because of the aforementioned protections). A problem with Google Play Store is that it requires app devs to upload their signing keys to Google Play, so Google Play could sign the apps on behalf of the app devs, outside of their control. The servers that serve apps are protected against compromise by the aforementioned protections, but someone could still compromise the other servers that hold the signing keys in order to forge malicious updates on apps on the Play Store. And of course, there's always the possibility that Google themselves would act maliciously and forge an update and deliver it to us the users. On the contrary, the GrapheneOS App Store only hosts apps created by themselves, and the Google Play Store and Accrescent offered there are copies of the authentic ones, not versions that the GrapheneOS team created and re-signed by themselves. And Accrescent has a stated purpose that they want app devs to remain in control of their signing keys to avoid this problem.

So, if an app is offered through the built-in GrapheneOS App Store, install it from there. Otherwise, Accrescent. Otherwise, Google Play Store. Otherwise, it depends. Apps that are only offered through a website (APK file download) are better downloaded directly from the app's official website (if you can figure out what's the official website) using Vanadium. As for automatic app updates, as I said, they're much safer than app installations, so it's probably safe to use F-Droid, Obtainium, Aurora Store, etc for updates only. There's another app I found called APKUpdater, but haven't tried it myself yet: https://github.com/rumboalla/apkupdater/releases/latest

You can also update apps using a web browser and/or any other shady source. With a browser it won't be automatic. And with shady sources, it's not advisable, app signing isn't perfect, for example if the app dev was compromised, as aforementioned. Among all of the third-party APK sites, I'd probably trust APKMirror the most, which should probably be safe for updates, but avoid installing new apps from it.

fernlike

Watermelon Obtainium is untrustworthy:
https://discuss.grapheneos.org/d/20526-best-way-to-update-manually-installed-apks/8

How so? Further down the thread one of the mods says it's fine as long as you verify the signature unless I'm misunderstanding.

Carlos-Anso User has to approve all app installs on GrapheneOS, app stores can not just install new apps without user consent.

Can download Accrescent from the GrapheneOS app store. Then get App Verifier from Accrescent which lets you check the hash of the signature for any apk you have downloaded or app you have installed. This makes it possible to confirm you have a genuine build of any app.

Watermelon

fernlike How so? Further down the thread one of the mods says it's fine as long as you verify the signature unless I'm misunderstanding.

That's not specific to Obtainium. For a scenario where an APK file is only offered through a website, and you have no way to cross-check what its signing certificate should be, I don't see how downloading and installing the app anew through Obtainium or any web browser is a better idea than through Vanadium.

fernlike

Watermelon Well it's more convenient and automated. It is a rather negligible difference in effort though, so I suppose it comes down to your threat model whether the slight increase in security is worth the effort.

chinook

fid03

I'm not sure why anyone would do that.

I have purchased apps which I'm now not allowed to install or update, because developers asked google play to bar certain devices (like GoS; don't know what exactly is the semaphore, Play Integrity API or Play Protect certification)

So I'll have to try it soon.

Encelados

So, to sum up what I've learned so far:

Aurora Store isn't recommended because it might violate Google's TOS and I don't want to do that.
Obtainium isn't recommended either as it is untrustworthy according to @Watermelon
F-Droid isn't recommended either as it is insecure and causes issues according to @Watermelon

Which leaves us with GOS-built-in Accrescent or using original built-in / sandboxed Google Play Store services.

Accrescent is for FOSS apps only, I suppose. Most of the apps I use aren't FOSS though. Especially when it comes to banking apps such as PayPal and such (which happen to all run for me on GOS. I seem to be lucky here)

However, @fernlike says it's OK to use Obtainium in combination with app veryfier.

So... What to do? I'm not tech-savy (well I am, but not with regards to this specific kind of field), so is there a way to use GOS normally like any other phone while at the same time completely avoiding any Google services, especially Play Store? From what I've learned so far, it doesn't seem like it. If I want access to all the apps, like I've had before on other phones, there seems to be no way around using Google Play Store?

Novalissoide

Encelados you could also get many apps through Vanadium, surfing to developer sources on Github, Gitlab, Codeberg, or some developers personal webpage, download the app and verify. Just a few common apps do need to be installed through Sandboxed Play Store.
Keep Sandboxed Google Services installed, with its permissions in order, it then doesn't even need to be enabled all the time. (Correct me if this is malpractice, but i've done it for months without issues)

de0u

Encelados There can't be a single "right answer" as long as people prefer different features.

Some people want access to lots of proprietary apps with whizzy AI features; some people want only open-source apps; some people trust developers more than app stores; some people trust app stores more than developers. Some people want repeatable builds, others don't know what that means.

Encelados Is there a way to use GOS normally like any other phone while at the same time completely avoiding any Google services, especially Play Store?

I hear that Huawei phones have an app store with lots of apps that don't report to Google (but probably do report to Huawei).

Watermelon

Encelados Aurora Store isn't recommended because it might violate Google's TOS

The main reason it's not recommended is because it's insecure. It lacks some of the protections I've explained to you. Some people use Aurora Store to install or update apps from the Play Store more conveniently when the Play Store blocks them from installing/updating them.

Encelados Obtainium isn't recommended either as it is untrustworthy according to @Watermelon

And potentially insecure due to being bloated, and undoubtedly less secure than Vanadium.

Encelados Which leaves us with GOS-built-in Accrescent or using original built-in / sandboxed Google Play Store services.

I think downloading APK files can be a legitimate way to download apps too, as long as you only download from the official website of the app, and only if it isn't available in a secure app store.

Encelados Accrescent is for FOSS apps only

No. Accrescent is itself open source, but it aims to be inclusive to both open source and proprietary apps. It aims to be a more secure alternative to Google Play Store, so it has to fulfill the same purpose.

Encelados Especially when it comes to banking apps such as PayPal and such (which happen to all run for me on GOS. I seem to be lucky here)

I've recently seen posts from the GrapheneOS team saying that only about 10% of banking apps don't work on GrapheneOS, so you're not lucky, you're just not unlucky :)

Encelados However, @fernlike says it's OK to use Obtainium in combination with app veryfier.

If you verify the authenticity of an app (by using AppVerifier, which isn't magic because you still need to have AppVerifier compare the app you select against the authentic fingerprint), and ignoring the possibility of an attacker stealing the signing keys from the app developer to create a malicious but properly signed version, you can download apps from anywhere, not just Obtainium. If you want to try and prevent the possibility of an attacker delivering you a malicious but properly signed version of an app, you need to install and update it from a secure app store.

Encelados is there a way to use GOS normally like any other phone while at the same time completely avoiding any Google services, especially Play Store? From what I've learned so far, it doesn't seem like it. If I want access to all the apps, like I've had before on other phones, there seems to be no way around using Google Play Store?

You don't have to install apps from Google Play Store. But if an app is only available on Google Play Store, then there isn't much you can do to install it while avoiding the Play Store, and it's not something specific to GrapheneOS or something that GrapheneOS can solve.