Aurora store not secure?

Not microG itself.

But if you use Aurora, then the app list is reported to Google to fetch updates as they come from the same account. Can’t do much about that part.

Not sure what you mean. Block internet access for what? What are you relying on Graphene to update?

Block internet access to Google Play services and rely on system updates from Graphene instead of OTA updates via Google Play.

Yes, that is possible. GrapheneOS app store would then update Play services for you.

Then why not use an official way? It seems good.

I don't get all my apps mainly from Aurora Store. I only have Aurora Store on the few profiles that need 1 or 2 Play apps.

You would be surprised.

Could be off topic for this conversation but the more I think about it, the more I believe that Aurora Store does not offer any benefits compared to using a throwaway Google account.

Scenario 1: Stock Android with invasive system-level Play Services.

Aurora Store would offer no benefits as all your data is sent to Google anyway.

Scenario 2: GrapheneOS with no Play Services and no throwaway Google account

Aurora Store would still provide no meaningful privacy benefits but would merely allow you to access the Play Store without an account.

For example, one could argue that Aurora allows you to hide your device info from Google using the spoof manager. This would be true if you are only installing offline apps or apps that do not have any proprietary Play libraries embedded. Otherwise, your device information is getting sent to Google anyway. (Something I have somehow come to realise just recently.)

Another argument could be that Aurora allows you to hide your apps from being sent to Google. Same counter-argument. Any network-enabled app with a Google Play library is going to report to Google that it is installed on X device.

Best case scenario, you are maybe making it harder for Google to tie all your app installations to a single, potentially anonymous user.

Scenario 3: Using Sandboxed Google Play

  • You benefit from the increased security of Play Store verifying security metadata (something Aurora Store is yet to implement)
  • You benefit from proper support for apps dynamically loading content (Play Feature Delivery and Play Asset Delivery), which is something Aurora Store developers have said is out of scope for the app.
  • You benefit from passing license checks and app installation source checks.

Honestly the benefits of scenario 3 vastly outweigh any possible privacy benefits that can be achieved from scenario 2.

If there are any points/arguments that I may have not taken into account, please bring them up.

PS. Mainly just convincing myself to use Sandboxed Google Play with a throwaway account and get it over with lol.


Counter-argument: unless you’re very lucky, you won’t be able to create a new Google account without giving them your phone number.

Creating a Google account on a phone on public wifi seems to pretty reliably keep people from getting the phone number requirement.


Yeah, that's the only valid argument tbh.

As @deviancy said, using public wifi without a VPN would probably work fine.

One thing I didn’t see mentioned is rotating and recycling accounts. Most likely if you’re using an anonymous Google Play throwaway, you’re not making a new one every week. With Aurora Store, you can change to a new account every time you open the app if you want, and accounts are recycled and used by other people, so the list of apps you use is diluted by other users’ app lists.


Also, Aurora Store can make the app think it was installed through Google Play if you install through Shizuku.

What is your recommendation, then?

Google Play Services if you’re on stock OS and sandboxed Google Play Services if you’re on GrapheneOS.

Pro tip: You can now choose whether to install sandboxed Google Play Services in the owner profile or in the brand new Private Space.

I was totally expecting you to recommend an alternative app store.

I thought the point was to avoid Google Play Services? Also, what does sandboxed mean?

It depends if you’re Googlephobic or not.

It means that Google Play Services are sandboxed like all the other regular apps.

I would want to avoid the Google Play Store on stock Android phone.
You didn’t really explain what sandbox means. I’m a newbie.

The sandbox that @Lukas is talking about is the app sandbox applied to all Android apps installed by an Android user.

As for Google Play Services and some other Google apps that you can install in a sandboxed manner, it just means that the Android app sandbox that is usually applied to all user installed apps is also applied to Google Play Services in case you decide to install them, instead of having the Google Play Services installed by default with system privileges, which would give Google Play Services more access to your device.

To my knowledge, this is only available in GrapheneOS, no other Android based operating system or custom ROM supports this feature (installation of Google Play Services under the normal Android app sandbox).

The GrapheneOS website explains this in more detail in the following section:

Also, the Android Open Source Project (AOSP) has official documentation about the Android app sandbox, in case someone is interested.

https://source.android.com/docs/security/app-sandbox

If you are on stock, you can’t actually avoid Play services or store, and you technically shouldn’t.

If you are in something like GrapheneOS, the recommended order for most people is Graphene App Store > Accrescent > Sandboxed Play Store. If you use apps that publish their verification signatures, you can also use RSS feeds/Obtainium along with App Verifier. Check this out for additional clarity: Obtaining Applications - Privacy Guides

You can mitigate not wanting play services across the GOS by, in order of preference:

  1. Installing Play Store on a separate user
  2. Using Private Spaces in Android ≥ 15
  3. Using Work Profiles through apps like Shelter

I’d recommend using the Private Spaces option. Use apps from Accrescent and GitHub for most use cases, and install banking apps, etc. into Private Space with Play Store.

Unsolicited Advice

Ideally you should aim to reduce the number of apps you use anyway. YouTube, Obtainium, Podcasts, News Reader, Music, Twitch, etc. can usually be replaced by having just an RSS app and Brave for running them ad-less.
