  • Pro and Cons of using Google Play vs. Aurora

Hello everybody,

I am relatively new to GOS and I have a bit of an understanding problem regarding the pros and cons of using the sandboxed Google Play Store vs. the Aurora Store.

I stumbled across this article:
https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/

It makes it sound like it is not a problem at all. But I was wondering if, besides permissions, there might be another problem with this.
I installed the PS in a separate profile. But still, is this now undermining the whole idea of GOS and ruining the privacy, since Play services and framework are sniffing in the background the whole time?
I would use it with a brand new Google account that has no personal data in it.
Is it more dangerous to install it into the profile that I actually use?

What are the pros and cons of using the sandboxed version vs. Aurora? Is Aurora less secure due to account sharing, and in case of updates I read that signature spoofing could be more of a risk?
It could rarely happen that I would enter credit card data into an app, but it could happen, if that makes a difference.

So I really tried to understand the pros and cons of both ways to install and maintain apps but don't really understand the full picture here...

Big thanks and hello to the forum!

  • N1b replied to this.

    A bunch of really good questions! Let's see how well I can address them:

    BlueSky I installed the PS in a separate profile. But still, is this now undermining the whole idea of GOS and ruining the privacy, since Play services and framework are sniffing in the background the whole time?

    It doesn't undermine the idea of GOS (otherwise it wouldn't be so deeply implemented). Google doesn't have privileged access (except optional eSIM activation in owner profile). In your example you're doing a good job at compartmentalization, so Google should only get the data other apps share over PS and GSF. If you don't depend on notification forwarding, you can also disable the profile running in the background.

    BlueSky Is it more dangerous to install it into the profile that I actually use?

    I don't think it's more "dangerous" regarding security; all apps stay sandboxed no matter the profile. You need to figure out in your threat model how important privacy towards Google is for you, since that is what you control with your decisions when and where to use Sandboxed PS. You probably need some kind of app store in your profiles. Maybe you would entertain the idea of using Aurora Store in your owner profile to manage all apps, but push them to different user profiles where you actually use them (discussed in this thread).

    BlueSky What are the pros and cons of using the sandboxed version vs. Aurora?

    There are many discussions on this forum about this (search "Aurora" and sort by latest). The short answer is that Play Store is more convenient (especially lately because Google is rate limiting Aurora to hell) but Aurora doesn't need PS or a Google Account from you. You should also check the other alternatives and supplements such as F-Droid (Droid-ify, Neo Store) and Obtainium. Pick what fits your use case the best, none of them are generally bad (as long as you don't use outdated apps such as Aurora Droid).

    BlueSky Is Aurora less secure due to account sharing, and in case of updates I read that signature spoofing could be more of a risk?

    The account sharing is not a security risk to my knowledge, rather a privacy benefit. I'm not sure about signature spoofing, but I think the apks are signed by the Play Store and not Aurora (unlike apps from the F-Droid repository which are signed by F-Droid).

    BlueSky It could rarely happen that I would enter credit card data into an app, but it could happen, if that makes a difference.

    Any app you give your credit card to is a potential risk (leaks, breaches etc.), but I don't think it makes a difference where you install the app from as long as it's the most up-to-date version and you made sure it's the correct one (e.g. via pgp-signature when downloading via F-Droid or Obtainium). A general piece of advice is to use virtual credit cards or even auto-disposable credit cards that are easier to destroy and recreate, and set a charge limit for them. You can generally use pseudonyms since names on credit cards rarely get verified.

    Hope this helps you. Please be aware that the article you linked is quite old by now and many things have changed or been added ever since. Check out the Features, Usage, FAQ and Releases sections on the official homepage to get up to date information.

    Edit: Typos

      N1b Awesome reply. Thank you.

      My setup so far is Play Store and Neo Store for maximum security and considerable privacy.

      • [deleted]

      N1b The account sharing is not a security risk to my knowledge, rather a privacy benefit.

      Sharing what apps you install with random strangers is a 'privacy benefit'?

      N1b via pgp-signature

      Standard SHA-512 checksums are much stronger than pgp signatures.

      • N1b replied to this.

        [deleted] Sharing what apps you install with random strangers is a 'privacy benefit'?

        I mean privacy towards Google which won't identify and monetize you when using Aurora or F-Droid wisely. Is there any reason/evidence to believe Aurora compromises your privacy compared to play store? For me this is like a watered down version of using the Tor Browser for privacy benefits compared to using Google Chrome. I have been wrong before though, so could you please elaborate what privacy risks you see?

          • [deleted]

          N1b I mean privacy towards Google which won't identify and monetize you when using Aurora or F-Droid wisely.

          Google will still get info about your device model unless you spoof it in Aurora store's settings, and Aurora store also connects to Google for Internet connectivity checks.

          N1b Is there any reason/evidence to believe Aurora compromises your privacy compared to play store?

          Using Play store on GrapheneOS with a throwaway account is a lot better than using Aurora store, since you won't be giving random strangers history of what apps you install. No user app can access hardware identifiers on Android 10 and above, so I don't really think there is a privacy risk with Play store if you use a throwaway account on GrapheneOS.

          N1b For me this is like a watered down version of using the Tor Browser for privacy benefits compared to using Google Chrome.

          Lol, far from it. Tor browser's threat model is very, very and very different from Aurora store's. BTW, Tor browser is for anonymity; anonymity and privacy are different.

          N1b

          N1b so Google should only get the data other apps share over PS and GSF. If you don't depend on notification forwarding, you can also disable the profile running in the background.

          Really thank you for that reply!

          1. Oh, so apps share data over Play Services and Google Framework. Do you have some examples for this? I thought only the keyboard app could access the clipboard and the active app in the foreground?

          2. I tried to find how to deactivate the profile running in the background. In the FAQ it says something about ending the session when you press the power button while being in the profile and choosing end session. So this is shutting the profile down? Vs. what I did is swiping down 2 times and then clicking on the profile icon at the bottom; that is more the "hot swap" where the profile keeps running in the background?

          Really thank you for posting the link to the discussion:
          https://discuss.grapheneos.org/d/6338-google-apps-and-google-accounts/23

          That is exactly the dead cat I was looking for. The sandboxed Google Play Store sounded too good to be true and here it is.
          It is a bit too much to digest all of this now; I will go back to this tomorrow when I am less tired, but one question I already have regarding this:
          There was a bit of back and forth in the other thread on the question of whether the login will be shared exclusively with Google apps (don't plan to use them except maybe Maps) or if it will be shared with other apps/all the other apps? Do you know if there has been a more definitive answer to this?

          Really thanks for the great answer so far!

          • N1b replied to this.

            It is important to note (due to the comment above regarding "Sandboxed Google Play sounded too good to be true") that on GrapheneOS, the Google Play apps can only access/do what every other app you install can. That's the entire point of the approach. They're made to work within the regular app sandbox. If Google Play can do it on GrapheneOS, so can any other app.

            Therefore, when evaluating whether it's the approach you want to go for, when asking a question about what Google Play can and cannot do on GrapheneOS, you can instead ask "can a regular app do X?", and the same thing would apply.

            In my personal opinion, for the vast majority of people/use cases, using Sandboxed Google Play on GrapheneOS is the way to go. Using Aurora Store can make sense sometimes, but mostly doesn't, especially given how unreliable it is as of late (I'm only really evaluating Play Store and Aurora Store as a Play Store frontend here, because realistically almost everybody is going to need to download an app that's only available there at some point).

            I'm assuming that you've read these already, but just in case you haven't done so yet, or for future reference for people who may find their way here in the future, please give two sections on the website a read to get a better understanding of the design philosophy and implementation of Sandboxed Google Play:

            https://grapheneos.org/features#sandboxed-google-play
            https://grapheneos.org/usage#sandboxed-google-play

              • [deleted]

              matchboxbananasynergy Using Aurora Store can make sense sometimes, but mostly doesn't, especially given how unreliable it is as of late

              @BlueSky Especially when you consider that Play apps often run Google code regardless of where you got them from, no Play services required. So you're getting questionable benefits at the cost of flaky and unreliable performance and less compatibility than when using Sandboxed Google Play.

              BlueSky I tried to find how to deactivate the profile running in the background. In the FAQ it says something about ending the session when you press the power button while being in the profile and choosing end session.

              In the owner profile, go Settings -> System -> Multiple Users -> <Username> -> Allow running in background

              The notification forwarding is in the same section, but you must navigate there when logged in to the user profile (since it can be allowed by all users independently).

                N1b
                Awesome thanks.

                Just to check that I understand this correctly. In the GOS help it is written:
                GrapheneOS enables support for ending secondary user profile sessions after logging into them. It adds an end session button to the lockscreen and in the global action menu accessed by holding the power button. This fully purges the encryption keys and puts the profiles back at rest. This can't be done for the owner profile without rebooting due to it encrypting the sensitive system-wide operating system data.

                My understanding of this would be that if I press the power button and choose end session, the disk space where the secondary user profile is stored is fully encrypted again, and the keys are purged from the RAM. So if the phone got into the hands of a malicious actor, the data in the 2nd user profile would be completely encrypted.
                Right or wrong?

                The one thing that confuses me / why I am not sure if I understood this right is the sentence about the owner profile. The system data in the owner profile can't be encrypted and the keys purged?? I mean it needs those files to run GOS, so the keys need to be there to decrypt the files on the fly?

                Hope I described what I mean correctly.

                  BlueSky My understanding of this would be that if I press the power button and choose end session, the disk space where the secondary user profile is stored is fully encrypted again, and the keys are purged from the RAM. So if the phone got into the hands of a malicious actor, the data in the 2nd user profile would be completely encrypted.
                  Right or wrong?

                  Correct. They would need to know your PIN / passcode to get in.

                  BlueSky The one thing that confuses me / why I am not sure if I understood this right is the sentence about the owner profile. The system data in the owner profile can't be encrypted and the keys purged?? I mean it needs those files to run GOS, so the keys need to be there to decrypt the files on the fly?

                  The Owner profile cannot end session since core operating system functions are in the Owner profile. You need to use it for certain global settings and to manage all other profiles. The Owner profile is encrypted but to purge the keys you need to turn the phone off or reboot it. Keys for Owner will not be on the system if the Owner profile was not unlocked once after boot.

                  Hi,
                  so there might be another "problem" as well: Apps can share data with each other.
                  One example: Someone uses Gboard without network permission to avoid sending all typed content to Google. If that person also uses Sandboxed Play Store and Play Services, he or she does not know what data Gboard shares with Play Services and what data Play Services then sends to Google. Or am I wrong?
                  This problem would not appear with Aurora instead of Play Store.
                  Best regards

                  I miss Aurora as it was. It is now pretty useless except for updating installed apps. I've had to run with sandboxed Google (not that I understand it a lot). One difference for me using Aurora was having ratings by Exodus on each app letting me know how many trackers an app included. That was valuable. Exodus as a standalone app doesn't seem to search new apps, just the ones already installed. I may be wrong.
                  I absolutely hate both Google and Apple, I finally escaped the Apple Mafia and the less I have to do with Goolag the better.

                    Gray You can still find and install apps via Vanadium or Brave and the "Open Links" workaround. It's a bit less convenient, but for me still much better than using Sandboxed Play Services just for Play Store access...