HypnoSloth I believe Google Play Store needs network permissions for all this to work properly but is that the only permission needed for the three google play apps?

For most apps, the Google apps only need the network permission, yes. Some apps will require giving Play Services the phone permission, and if you want to pair a smartwatch you might need to give Play Services the nearby devices permission, for example, but the majority of apps work fine with Play Services just having access to the network.

HypnoSloth What permissions other than battery optimization do those google apps need to enable updates and push notifications for things like proton mail? Do these permissions allow google to get identifying information about the device like phone number, IMEI, or track the device based on cellular tower proximity?

Play Services needs unrestricted battery usage, and of course the network permission as stated above. No apps get access to the IMEI etc. I recommend reading this section of the docs:

https://grapheneos.org/faq#hardware-identifiers
https://grapheneos.org/faq#non-hardware-identifiers

HypnoSloth What are the actual security risks associated with using Aurora, from either their many users to few google accounts approach or any other issues they may have?

From https://privsec.dev/posts/android/f-droid-security-issues/#conclusion-what-should-you-do

If you don’t have Play services installed, you can use a third-party Play Store client called Aurora Store. Aurora Store has some issues of its own, and some of them overlap in fact with F-Droid. Aurora Store somehow still requires the legacy storage permission, has yet to implement certificate pinning, has been known to sometimes retrieve wrong versions of apps, and distributed account tokens over cleartext HTTP until fairly recently; not that it matters much since tokens were designed to be shared between users, which is already concerning. I’d recommend against using the shared “anonymous” accounts feature: you should make your own throwaway account with minimal information.

HypnoSloth Does Google Play Store need network permission for Aurora fetched apps to work?

If you use Sandboxed Google Play, the proper setup for it is to have the 3 apps with network permission and unrestricted battery for play services. Play Services and Play Store play off each other, and denying network to either will screw things up.

HypnoSloth Is the only benefit that Aurora provides over Google Play Store the ability to not use a google account?

Pretty much, yeah. Aurora Store can be a good choice if you're not using Sandboxed Google Play in general or a specific profile, but not something I'd recommend as the first choice or in all circumstances.

HypnoSloth Question: Is my understanding of the security issue correct and are there other issues?

https://privsec.dev/posts/android/f-droid-security-issues/ is a good starting point on the issues with F-Droid, but this article doesn't include everything. There are security and UX issues with F-Droid. I can't recommend F-Droid at this point, but if you insist on using it, at least use a relatively modern F-Droid client to interact with the F-Droid repo like Neo Store or Droid-ify.

How prevalent is the lack of push notifications for apps that offer an apk?

That depends entirely on the app. If an app provides a non-play version of getting notifications, that'll most likely be available in the GitHub APK, or the version with FCM might be available there. It highly depends so it's not a question that one can easily address.

HypnoSloth How difficult is it to set up an RSS feed? (Is this similar to a shell script or something?)

It's pretty simple. Process is explained here: https://www.youtube.com/watch?v=FFz57zNR_M0

HypnoSloth With an RSS feed, do apps update automatically or is that simply a notification system for when an update or change has been made?

The apps don't update automatically. You're just notified and can then go to the website to get the newest version.

There's also Obtainium which makes the process a little bit smoother from what I hear, but it also doesn't do automatic/unattended updates either.

HypnoSloth Is there any benefit in mixing these options on the same profile from a privacy and security perspective?

In my opinion, if you're using play store on a profile for some apps, use it for all.

HypnoSloth Am I missing any other good app repositories and what are their pros/cons?

Accrescent is very promising. You can think of it like a much better Play Store. The con of it is that it is still very new, so it's in alpha, and doesn't currently have many apps in it, as devs have to be whitelisted to submit their app at this point to make sure the kinks are ironed out before it goes fully public. Definitely something to keep an eye out for, I definitely am.

I hope this helps!

    Graphite I don't like the fdroid app, I use the droid-ify app. It's the same repository and IMO it's better than the fdroid app and also the Neo Store app. So I do have droidify installed always because there are still apps that are best gotten from fdroid (ex: OsmAnd+) and droidify makes updates easy for those apps. It also helps with searching fdroid for fdroid apps when necessary.

    If you want a complete "store" experience on your degoogled phone you should have all three of Aurora, Droidify, and Obtainium.

    • Aurora for apps you want to or "have to" get from playstore (ex: brave).
    • Droidify for apps you have to get from fdroid,
    • Obtainium for direct download apps (so you can easily update them).

    Also in my opinion, if you are getting apps from aurora store, get them using their anonymous system (don't login with your own account), unless absolutely necessary for the particular app to have a unique google account.

      HypnoSloth May have security risks due to multiple individuals fetching apps using the same google account

      Honestly, I think not really, unless for specific apps. If there is a security risk I'd like to hear it, beyond some general theoretical extremely niche scenarios.

      The security risk of Fdroid also IMO is a bit overblown. It's just not true for all apps. It's a very niche threat in practical terms for the average person, in my opinion.

      • [deleted]

      One of the main maintainers of F-Droid states that target sdk is only relevant to proprietary apps, which are untrustworthy.

      https://twitter.com/PrivSec_Dev/status/1609199867179442179

      It's enough to run away. It's impossible to trust a set of good security practices when you start from there.

        User2288 Can you get away with using only aurora without any or all of the sandboxed google play apps? I assume push notifications won't work and some apps may not function properly but is it a hard dependency for all apps from Aurora (which would be play store)? Currently have a couple privacy respecting apps installed from play store via a fake account but a concern I have for other apps I have to have installed from play store (slack) is that they may have mutual consent with the Google Play Services and Google Play Store app which require network permissions (GSF seems to run fine with no permissions so not a big concern there). I'd love to be completely as google free or google anonymous as I can.

          • [deleted]

          User2288 The Aurora Store does not pin the certificates which is a big problem. With aurora in anonymous mode you share your connection token with others... It's very anonymous! Fdroid has its own application signature keys stored on Debian server not even updated. All these systems have big security holes documented and known but if you have an opinion it's cool... On the other hand go share them elsewhere with other uneducated people like you. Thanks

            • [deleted]

            HypnoSloth You will never be anonymous with a sim card, and yet... Even without you would not be anonymous

              [deleted] I am fully aware, but Google is not my carrier and GrapheneOS prevents apps from seeing the hardware identifiers. I am also aware my carrier can sell my data attached/associated with my sim that they have access to, which can be bought and aggregated with data from other sources to fingerprint me. I am merely trying to limit that data exposure where possible and make it harder for data collection operations to connect all the dots.

              [deleted] It's enough to run away. It's impossible to trust a set of good security practices when you start from there.

              Do you have an explanation or citation for this very strong statement? I'd like to understand the "why", as an increasing number of new GrapheneOS users are also trying to understand this.

              All I see in the twatter you linked to is complaining in response to a simple question. What am I missing?

                • [deleted]

                ve3jlg
                Google imposes an SDK level on the playstore, because each new version requires improvements, on security, on privacy, for apps.
                Using apps that aim for a low SDK level means that they don't benefit from the latest security improvements.

                Imposing a lower SDK level than Google's can be understood. But explaining that an app doesn't need to meet security (and privacy) standards under the pretext that it's open source and that a human will read the code (partially, because no one fully audits the code and all the dependencies of an open source application, except to be paid to do a full audit) is totally ridiculous.
                Open source applications have flaws, and they are more important on f-droid because updates are very often deployed late compared to github.

                App's security shouldn't be based on ideology. All applications on a phone should be in a proper sandbox, have limited access to files, to the system, etc, etc, etc because there can always be a flaw.
                The f-droid logic relies entirely on the skills and goodwill of the developer and the person who will review his code. This is not enough.

                The F-droid application itself has a sdktarget of 25: This is for android 7, while we are on android 13, with the SDK 33 and google will soon impose the SDK 31 on its store.
                Since android 7, there have been improvements that are beneficial to everyone, and to all applications.

                And this is only one of the many bad points of f-droid
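
The target SDK point in the post above can be checked on one's own device. As an added example (not part of the thread or of any project named in it), the Python below parses text in the shape of `adb shell dumpsys package` output and lists packages whose `targetSdk` is under a chosen floor. The sample dump, the `org.example.*` names, the version codes and the function names are constructed for illustration; 25 and 31 are the values quoted in the post.

```python
import re

# Constructed sample in the shape of `adb shell dumpsys package` output.
# Only targetSdk=25 for org.fdroid.fdroid comes from the thread; all other
# values (hashes, userIds, version codes, org.example.* names) are made up.
SAMPLE_DUMP = """\
Packages:
  Package [org.fdroid.fdroid] (3f1a2b4):
    userId=10151
    versionCode=1 minSdk=23 targetSdk=25
  Package [org.example.notes] (77c0de1):
    userId=10152
    versionCode=42 minSdk=26 targetSdk=33
  Package [org.example.player] (0badc0d):
    userId=10153
    versionCode=7 targetSdk=30
  Package [org.example.broken] (5eed5ee):
    userId=10154
"""

PACKAGE_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
TARGET_RE = re.compile(r"\btargetSdk=(\d+)")


def parse_target_sdks(dump):
    """Map package name -> targetSdk (None if the record has no such field)."""
    targets = {}
    current = None
    for line in dump.splitlines():
        header = PACKAGE_RE.match(line)
        if header:
            current = header.group(1)
            targets[current] = None
            continue
        field = TARGET_RE.search(line)
        # Keep the first targetSdk seen inside the current package record.
        if field and current is not None and targets[current] is None:
            targets[current] = int(field.group(1))
    return targets


def below_floor(dump, floor):
    """Return (package, targetSdk) pairs under `floor`, lowest target first."""
    found = [(p, t) for p, t in parse_target_sdks(dump).items()
             if t is not None and t < floor]
    return sorted(found, key=lambda item: (item[1], item[0]))


def unknown_targets(dump):
    """Packages whose record carried no targetSdk field (review by hand)."""
    return sorted(p for p, t in parse_target_sdks(dump).items() if t is None)


if __name__ == "__main__":
    for package, target in below_floor(SAMPLE_DUMP, 31):
        print(f"{package}: targetSdk {target} is below 31")
    print("no targetSdk found:", unknown_targets(SAMPLE_DUMP))
```

On a real device the input would be the saved output of `adb shell dumpsys package` instead of the constructed sample.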

                  HypnoSloth Can you get away with using only aurora without any or all of the sandboxed google play apps?

                  Depends on the apps. Some apps absolutely require the presence of google components. More explanation below.

                  HypnoSloth I assume push notifications won't work and some apps may not function properly but is it a hard dependency for all apps?

                  No, not at all. Each app is different, it's really a case by case here. A lot of apps don't need notifications at all and can even be blocked from the internet completely, even if they are from play store. You can even install apps that have ads and trackers, like a chess game, and block it from the internet permanently (assuming it still works, many do). You can even update the app without it ever regaining access to the internet. Apps that need push notifications are generally mostly chat/communication apps (signal, whatsapp, facebook, etc), and some "internet service" like email. But even then I don't always "need" the notification and the app still works. For example I don't need to know that I have an email "right now" for example. I can just check it manually when I want to. So it really depends on the app.

                  However some apps simply refuse to open without the presence of GSF or play services. Like perhaps facebook, or doordash, or maybe slack. In these cases if you want the app, you will have to install play services and in some cases both the app and play components can be internet blocked and in other cases one or both have to have internet access. So with uber for example you might have to give internet access to both. But profiles could help a bit here to reduce data exposure.

                  An app like Slack is very likely a privacy invasive app; not to the extent of facebook, but still. And likely you need to be internet connected and "need" notifications for sure as my guess is that you likely need it for communication with colleagues and need to respond with immediacy. In such a case, depending on how much you use it, installing on a second profile might be a bit of a hassle (if you use it constantly), but might also be ok and might solve your issue. Worst case is you install all on the same profile.

                  The main problem here is that if Slack has your "Identity" then that Identity will be connected to the installed instance of google services of the current profile. This instance has access to your IP address and slack, but beyond that it doesn't know much else about your phone, unless you have installed other "google co-operating" apps in the same profile, in which case they'll share data (I think).

                  The best way to deal with this is to write a list of all the "privacy problematic" apps that you "have to have" and build your strategy around that. You may be able to get away with creating one or two extra profiles and that might solve your problem. And then you can try to utilize foss apps for your other needs.

                  Lastly the question "Can you get away with using only aurora apps", I think this might have been a question. Answer is yes but again depends on the app. For example a particular banking app might not work if it's not strictly locked to an exclusive google account (detects account sharing and refuses to work).
                  Also some great apps are not available in play store at all (NewPipe, Bromite, adblockers), so you'd still benefit from diversifying your sources. My previous post explained that.

                  [deleted] The Aurora Store does not pin the certificates which is a big problem.

                  I actually didn't know that. But here is the thing, how is it a "big problem". I'd really like to hear how exactly this is a "big problem". And I bet if and once you do give the correct explanation, it will demonstrate a very narrow attack surface and an "extremely niche scenarios" which exactly makes my point.

                  [deleted] With aurora in anonymous mode you share your connection token with others... It's very anonymous!

                  So?
                  What is the MASSIVE threat that I am facing? Do please enlighten me, I'm all ears.

                  [deleted] Fdroid has its own application signature keys stored on debian server not even updated.

                  Yeah, and it's air gapped. Even if the key was compromised (which only can be done by physical attack or their own staff), can you explain to me how it's gonna affect my internet blocked AND sandboxed app that I don't even update cause there is no need? And how that's gonna poke a hole in my "security" to the extent that would "outrageously" compromise me?
                  Please, ...I'm all ears. And I hope your answer doesn't demonstrate the "extremely niche scenarios" that I was referring to.

                  [deleted] All these systems have big security holes documented and known

                  Great. Tell me one.

                  Please go ahead, I'm all ears, I'd LOVE to be educated on this. Educate me.

                  [deleted] but if you have an opinion it's cool... On the other hand go share them elsewhere with other uneducated people like you.

                  Look in the mirror.

                  BTW, please do tell us your education. I'm now interested to know.

                    [deleted]

                    Here is the thing Mello, none of that matters from a user perspective such as me (and many others). It's entirely dependent on which apps you are installing. I for example have only 5 apps from Fdroid. All of them have higher SDK conformity than google play store requirements itself. Three of those apps are network blocked (they don't even use it in fact) and don't even need to be updated (no key pinning threat). (VLC, metro, ImagePipe).

                    Everything you said may be absolutely true, and it is true, but the point is, it does not equate to a security or privacy problem for "me".

                    My issue with these blanket "fdroid - BAD" statements is that they are just not "categorically" true. They are "situationally" true. So the categorical alarmist attitude is I think incorrect. That's all.

                    6 months later
                    • [deleted]

                    User2288 If you want a complete "store" experience on your degoogled phone

                    BTW They never said they want a "degoogled" phone.

                    User2288 (don't login with your own account), unless absolutely necessary for the particular app to have a unique google account.

                    No app will somehow access the Google account token/cookie from Aurora store. Android doesn't allow apps to read each other's internal private data (data/user/0/<package_name>) without mutual consent.

                      • [deleted]

                      User2288 what is the MASSIVE threat that I am facing?

                      Random persons can know what apps you have installed, your device model, etc. It's not MASSIVE though, but you don't want strangers knowing which apps you install on your phone.

                      User2288 how exactly this is a "big problem"

                      Certificate pinning is a feature that reduces the risk of a man-in-the-middle attack, compromise of certificate authorities, mis-issuance of a certificate. Not implementing certificate pinning in Aurora Store actually makes sense, since we can't expect Aurora Store developers to decompile every new Google Play Store version and check its NetworkSecurityConfig to check whether Google has added or removed a certificate.