• General
  • Questions Regarding Aurora Store vs. Google Play Store (+ Insular)

Hello, new Graphene (Pixel 7a) user here. I have been struggling to grasp the balance between using Aurora Store and Google Play Store/Service as Protonmail, Uber, etc. hard depends on the latter.

I'm trying to confirm a few details; any answers are kindly appreciated:

  1. Applications downloaded from Aurora Store/F-Droid are also completely sandboxed by Graphene and prevented of higher leverage, like those downloaded from Google's Play Store?
  2. Even if I must use a throwaway Google account for Aurora store, apps downloaded from Aurora will still leak less data than the same app downloaded from Google's Play Store? (This is because Aurora's anonymous login is currently down and I didn't install Aurora in time)
  3. Work profiles mean that I must trust the profile manager? Currently I'm able to get Insular to work, but I haven't settled down on it due to trust issues (I've heard that it could mess with my device; still FOSS, though)

These are my questions as I am finding my threat model. Thanks in advance.

    crimsonpython24 Applications downloaded from Aurora Store/F-Droid are also completely sandboxed by Graphene and prevented of higher leverage, like those downloaded from Google's Play Store?

    All user-installable apps on GrapheneOS have the same sandbox and permission controls, including Sandboxed Google Play. There is no difference. Permissions etc are requested by the apps and can be denied by the user.

    crimsonpython24 Even if I must use a throwaway Google account for Aurora store, apps downloaded from Aurora will still leak less data than the same app downloaded from Google's Play Store? (This is because Aurora's anonymous login is currently down and I didn't install Aurora in time)

    The source where you get the apps do not affect the privacy of the apps themselves, however they may influence other things such as how they get updated or the signing key of the apps (F-Droid apps are mostly signed by F-Droid's key, while on other places it's signed by the individual developer). Some sources may be less private than others, but they would not directly influence the other apps you downloaded. If you want a more private app, then simply download an app that is a more private alternative.

    The only case where this would be otherwise is sometimes Google Play versions of apps use Google specific services while their non-Google Play versions do not, however this is dependent on app (not many) and you should do your own research.

    crimsonpython24 Work profiles mean that I must trust the profile manager? Currently I'm able to get Insular to work, but I haven't settled down on it due to trust issues (I've heard that it could mess with my device; still FOSS, though)

    Work profiles involve trusting the application that creates the work profile. This can be avoided and is mainly suggested by GrapheneOS users to use a User Profile instead. This allows you to isolate apps in completely separate profiles by using the OS without trusting a profile manager or app to do so.

    Thank you for your response!

    So for questions 1 and 2, I believe that the download source doesn't matter for the same application as long as the source's trustworthy?

    Also, for question 3, I've heard that different user profiles are more effective in isolating Google Services as compared to work profiles? For apps that hard-depend on Google Services (e.g., Uber -- I don't have a car) I should leave it in a Google Service-enabled secondary profile, and for applications that do not need Google Services, I put them in the main user profile with Google Play Services and Store uninstalled to prevent Google from stealing info from my device?

    My objective in question 3 is simply to de-Google as much as possible since I've constantly had notifications of the sandboxed Play Store running in the background, and I became concerned that it's doing excessive tasks that not only drains battery but also transmits my device info/PII to third parties. I guess, then, my best bet will be to create:

    1. Main user profile: install applications through Google's Play Store, and uninstall the Play Store/Service components as soon as I finished installing the applications
    2. Secondary user profile: keep Google Play Store/Services running and forward the notifications to the main user profile

    Is this understanding correct?

      crimsonpython24 So for questions 1 and 2, I believe that the download source doesn't matter for the same application as long as the source's trustworthy?

      Yes + as long as the app is the exact same on both sources.

      crimsonpython24 Also, for question 3, I've heard that different user profiles are more effective in isolating Google Services as compared to work profiles? For apps that hard-depend on Google Services (e.g., Uber -- I don't have a car) I should leave it in a Google Service-enabled secondary profile, and for applications that do not need Google Services, I put them in the main user profile with Google Play Services disabled to prevent Google from stealing info from my device?

      User profiles are more effective, secure and reliable.

      By keeping Google services in a secondary profile you keep Google services and apps in their own environment, and they would only operate and use data stored in that profile. If Google Services have network access (You can disable internet access for Sandboxed Google Play at any time) then they would only be able to see or use data based on the permissions you allow them (example: Contacts). They already see a lot less data because Google Play are not running as an operating system component.

      Some may also choose to take advantage of Google Play compatibility by turning off network access for the services and keeping them in the main profile, but if you are keeping apps that dont need it in the other profile then it is irrelevant. How you use GrapheneOS is totally up to you anyway.

      crimsonpython24

      crimsonpython24 1. Applications downloaded from Aurora Store/F-Droid are also completely sandboxed by Graphene and prevented of higher leverage, like those downloaded from Google's Play Store?

      All apps from all sources are sandboxed the same.

      crimsonpython24 2. Even if I must use a throwaway Google account for Aurora store, apps downloaded from Aurora will still leak less data than the same app downloaded from Google's Play Store?

      No. Whether you download from Aurora store or Play store you are getting the exact same app. Whether you use an Aurora account or use your own account through Aurora you also still get the exact same app (both from the Play repository). This means the "app" itself doesn't leak any more or less data.

      However (I am not 100% sure of this but others can correct me if I'm wrong) , when you download an app through a particular google account, it is possible for google to attach a "unique" ID number to that app which associates it with that google account. So for example if I download app "X" with an Aurora account, and then I download the same app "X" with my own account through Aurora, the "execution code" of both apps are exactly the same, however their ID's are different. So the downloaded packages are not exactly the same, but the actual app inside the package is the same. This ID may also be passed to the app itself "somehow"! (I don't know how). Therefore, it can be concluded that every app can be associated with a particular google account (aurora@gmail.com, user@gmail.com, apkmirror@gmail.com, etc) if they are being downloaded from the Play repository. It is not possible to acquire an app without an account from the Play repository.

      Shared account apps is normally not a problem, except for some apps (financial, etc) that use this uniqueness to prevent multiple installs of the same package.

      So the only difference in downloading with own account or Aurora account (when downloading from Play repository) is that this ID can be known by the app and shared/leaked by the app to other places.

      Downloading apps using Playstore with "own account" compared to downloading with Aurora with "own account" doesn't make too much difference from the app's privacy perspective. The difference may be that if Playstore is present and active it can send more data about your system and can engage in IPC with some apps. For more info on Playstore's tracking read the GOS faq and documentation.

      crimsonpython24 So for questions 1 and 2, I believe that the download source doesn't matter for the same application as long as the source's trustworthy?

      Again no. This is not entirely true. There are some difference. Some app providers provide different versions of their app for different platforms. An example of this is OsmAnd+, Geometric Weather, and Simple Gallery. Apps sometimes include proprietary third-party libraries. In these 3 apps for example the included libraries can be different depending on whether you download them from Playstore, Fdroid or from Github. In the case of Geometric Weather for example, the most blob free version is the one from Fdroid (though it doesn't mean that the other versions are bad. One simply doesn't know their implications unless you investigate).

      So, the privacy of an app from a source is something you'd have to check for each app separately which is tedious task and there is no way around it.

      I recommend you read these threads:
      https://discuss.grapheneos.org/d/2299-install-apps-from-gplay-rep-fdoid-rep-or-githubwebsite/
      https://discuss.grapheneos.org/d/2962-app-repositories-google-vs-aurora-vs-apk-vs-fdroid