https://xcancel.com/GrapheneOS/status/1817043028688642286#m
It is a bit hypocritical that Aurora store doesn’t get as much security concern warnings as F-droid does on PG.
Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. Additionally, the requirements for an app to be included in the official F-Droid repo are less strict than other app stores like Google Play, meaning that F-Droid tends to host a lot more apps which are older, unmaintained, or otherwise no longer meet modern security standards.
All of that applies only to F-Droid, and not Aurora.
1 Like
Calyx frequently spreads misinformation about sandboxed Google Play and microG. They falsely claim the microG approach avoids running proprietary Google Play code, which is untrue. Reality is you give more access to proprietary Google Play code on CalyxOS than with GrapheneOS.
Maybe I’m confused, but the microG client which Calyx runs is open source (i.e GmsCore). microG can be a user app (see DivestOS), but for a lot of functionality microG needs system privileges (ex SafetyNet bypass).
What I know for a fact is proprietary is the DroidGuard system that microG uses to bypass SafetyNet. Also of course, for providing push notifications, microG contacts Google Firebase. But this is an issue for both Google Play Services (sandboxed) and microG, and the alternative is using apps supporting something like unifiedpush.org for push notifications.
We aren’t going to build entirely unnecessary and extremely problematic privileged access for poorly secured third party like F-Droid and Aurora Store in GrapheneOS as CalyxOS does. Those apps use privileged install access insecurely… and automatic updates work fine without it.
Also, this is outdated. Calyx has already removed the F-Droid Privileged extension moved away from including F-Droid as a system app. They switched to the Basic version which auto-updates without privileged services.
F-Droid Privileged extension and Aurora Services still exist, but they are planned to be removed soon. Currently they exist for the welcome wizard on Calyx that allows users to pre-install apps.
Oh and here’s the issue regarding deprecation - Privileged extension deprecation (F-Droid, Aurora Store update handling) (#1943) · Issues · CalyxOS / calyxos · GitLab
2 Likes
Wouldn’t recommend Aurora Store for several reasons.
My copypasta:
Aurora Store:
- Is unreliable and constantly breaks.
- Is buggy and doesn’t have good UX.
- Is completely reliant on Google, and Google could pull the plug at any moment, which would render Aurora Store unusable.
- Play App Signing.
- Some apps check if they’re installed from Play Store, and if they aren’t, they will not work.
- Services like Play Asset Delivery, Play Feature Delivery and app / content license checks aren’t available.
- A lot of data gets sent to Google, like your IP address, your device model, your app list, etc.
There are two more points that I should add:
- Aurora Store is known to retrieve wrong versions of apps.
- Doesn’t verify signed metadata.
- No certificate pinning.
“unreliable” Sound like you never used it.
“constantly breaks” is a lie. Yes Aurora Store breaks sometimes when play store has big update or google ban Aurora Store accounts has happened few times but it is normal for all frontends.
Non issue.
No sh*t statement.
explain
If you relies on google servies for apps, yeah Aurora Store is probably a bad choice. But I think Aurora Store is mostly for people who has a degoogled phone and just need 1 or 2 apps from play store. So yeah some apps doest works.
Sound like a feature. 
Ofc it is google after all but Aurora Store can spoof device and language.
4 Likes
It sounds like you started using Aurora Store recently and haven’t experienced the broken token dispenser. Google just lifted a finger, which broke the token dispenser and Aurora Store didn’t work for weeks if not months, don’t remember how long it took for them to fix this.
6 Likes
Happens all the time with frontends lol. I’ll say Aurora Store breaks way less then others frontends like newpipe, nitter.
I do remember the so called “broken token dispenser” there was a work around where you could go to play stores website with Firefox/mull open in app you could still use Aurora Store almost as normal.
I personally don’t use Aurora Store because I don’t need any apps from the play store. But I did use it for years.
2 Likes
That only worked when Aurora Store would get rate limited by Google. When the token dispender broke, Aurora Store became useless unless you used your own Google account.
I would not say it constantly breaks. There was the major breakage that occurred a while ago when Google decided to change something. One major problem Aurora Store had was that the accounts were constantly rate-limited but they have fixed this issue by generating the token on device as of the latest update. UX and UI have both vastly improved recently and I have not personally experienced any bugs.
Yes that is true for any front-end. Front-ends are merely band-aid solutions. A more long term solution would be something like Accrescent, which is already in the works.
This is not related to Aurora Store as all apps on Google Play use Play App Signing. Whether you use Sandboxed Google Play or Aurora Store, Play App signing is still an issue.
This is problematic yes, and there is no workaround. Another option other than Aurora Store should be considered if an app someone relies on does this check.
Device model can be spoofed in Aurora Store. Aurora Store has a blacklist feature which you can use before ever signing into the app to prevent your app list getting sent. All this info will be sent anyway when you use Sandboxed Google Play so in this context, it doesn’t make sense to list this as a con of Aurora Store.
I have read reports of this in the past but I do not know the details. I have not read any recent reports of this happening even though I see this specific criticism talked about a lot. My theory is that the people who experienced this issue had spoofed their device model to one with vastly different characteristics to their original device. For example, they have a Pixel 7 with arm64-v8a architecture and API level 34 but they chose to spoof as a device model that supports many different architectures and has a different API level and so, Aurora Store retrieved the wrong version of the app.
Both valid criticisms of Aurora Store.
2 Likes
I would be careful with this comparison because you are trusting Aurora Store to install other apps and deliver updates in a safe and timely manner.
This is not the case for the other frontends you mentioned.
6 Likes
This is true and should be something people consider before using Aurora Store. I personally would not use Aurora Store to download all my apps and would opt for Sandboxed Google Play instead as a form of future-proofing. However, if you are using a small number of apps from Aurora Store, then it should be fine as if breakage does occur, it will not be much of a hassle to migrate to something else.
1 Like
I agree but was only talking about “unreliable, constantly breaks” part not if it is safe or not.
Personally I think it’s better to use Aurora Store if you have 1-2 must have apps.
2 Likes
around 2 months
Some of these are solved when using FakeStore and microG respectively :
Though yes, nothing can be done about Play Asset Delivery and Play Feature delivery.
Btw, this would still happen on the Google Play Store client right? And Aurora has an option to change the presented device model, if that is of concern :
1 Like
Aurora store has implemented certificate pinning.
Relevant issue: [Security] Implement certificate pinning (#697) · Issues · Aurora OSS / AuroraStore · GitLab
4 Likes
That’s great.
1 Like
Aurora IS secure but not be private if used a gmail or not a VPN.
There is no such thing as private or not private, the world isn’t made from black and white.
4 Likes
Isn’t it possible to block internet access for it and just rely on Graphene for system updates considering you don’t use OTA updates ?
So, If I use MicroG, it would act as Google Play Services but won’t report to GPlay what app I am using or installed ?