I'm unfamiliar with what's going on here. It sounds like this thing vends Google account credentials for a small pool of accounts to be used anonymously? I've gotta be misunderstanding something because that sounds like something that definitely should be blocked and would be wildly outside of Google's terms. How does this thingy work?
Yes, that's correct, and yes it's a massive violation of the terms. Aurora Store also lets you use your own Google account, which is also outside of Google's terms. But the only way to get apps from the Google Play Store without installing the entire set of Google Play Services is this, so the entire setup is outside of Google's terms
It is quite convenient both from the perspective of a stock Kindle Fire (commercial Android), and for LineageOS (non-commercial, unlocked, root available).
It will also indicate if the app requires Google Mobile Services, which would preclude correct functionality outside of MicroG or alternate implementations.
and without using something personal like your email address to download programs, which should be granted and was before mobile OSes. And still is on regular computers.
That's not really true, you can make a throwaway Gmail account in about 5 minutes. Make one per Android device, throw the login details into a password manager and forget about it. I've done this for several Android devices now and never run into any issues.
Ironically, when I tried to set up a legitimate Gmail account for my business and used it to set up several accounts, within a few days it got locked with no recourse for unlocking - there was a comment box where I could beg for an unlocking, never even got a response though. So Gmail is only for throwaway accounts from now on.
When two postal-code locations (e.g., day and night, home and work) are sufficient to specifically identify 90% of the population, and with Android devices being infested with location-tracking capabilities (above and beyond GPS), creating a pseudonymous account != hiding your identity from Google (or whomever else it shares data with, intentionally/willingly or otherwise).
Yes, if you control for your source IP address. For example, I couldn't find anything from a quick search on whether Tor exit nodes are blocked (or use requires other PII to be supplied).
All you get asked today (at least in Australia on a residential ISP) is a first name, last name, password, date of birth and gender (includes "prefer not to say").
Years ago I think you were correct, a phone number and SMS verification check was mandated, and each phone number could only be used so many times on different accounts.
No, I'm still required to provide a phone number. This has something to do with my browser/system/ip fingerprint, because a friend of mine can make a google account for me from his googled phone on chrome just fine, yet when I try to log into it from my degoogled phone on firefox from my place, it asks for a phone number.
It's about as awful as discord, who also locks account creation behind providing a phone number when an account is created from my residential IP. It almost feels like I've tripped some prevention mechanisms that all these companies are sharing and I have no idea of how to get my "goodness" score back up.
> But the only way to get apps from the Google Play Store without installing the entire set of Google Play Services is this, so the entire setup is outside of Google's terms
You're not wrong, but that method is way more involved in every way.
- You need a PC to run GooglePlay
- You need to install Golang on that PC
- You need a Google Account
- You need to sign into the actual Google Play Store from a real or virtual device using that account
- You need to know the Google Play Store package name (com.google.android.youtube) instead of just YouTube
- You then have to transfer the APK to your Android device and install it.
- You have to manually monitor your collection of apps on your device to see if there are updates and then go through the same process again to get the updated version.
With Aurora Store I had to
- Install F-Droid from https://f-droid.org/
- Install Aurora Store from within F-Droid
- Open Aurora Store where it logs me in with a random Google Account from their pool of accounts.
- Search for whatever app I want to install.
- Tap Install.
- For updates I tap on the Updates button and then tap Install All.
Unless I'm mistaken, there are no binary releases so you have to build it to use it.
I mostly wrote up that response because you took the time to post the link three different times in this thread, but there wasn't much elaboration about what was involved or why GooglePlay should be considered an alternative to Aurora Store.
The aurora client is open source, and you can see it fetches directly from the app store.
apkpure is proprietary and stores the apk in an intermediary opaque server. So basically they can inject pretty much anything in the packages you install, and it's much harder to check than aurora if they do.
APKs from the google play store are signed by the developer. Apkpure would not be able to change the APKs without resigning the file, something that would be trivially detectable against an authentic APK.
This is no longer true as of 2021. You as a Google Play user with very limited exception (see next paragraph) have no assurance whether you've received the mobile application bundle (.aad) the developer intended you to have, nor are you receiving the same application bundle everyone else in the world receives. Signatures controlled by Google are now used to sign the application bundle sent to each device[2]. It's not quite as bad (yet) as the Apple situation, but not far off.
For a security conscious developer such as Signal who publish an APK (.apk) and signatures publicly[2], a user with a rooted device could theoretically unpack the official application bundle received from the Google Play Store and check the executable code and resources match those in the publicly available APK. Or just not use the Google Play Store and obtain your applications directly from the developer or an intermediary you place more trust in.
It's no longer true that APKs are signed by the developer, but it is still true that it is signed in such a way that a third party APK mirror site could not tamper with the file without being detectable.
Google could have tampered with the file before the mirror site got it, but you can verify that whatever a mirror site is offering was signed by them.
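An added example (not written by any commenter, and not code from Aurora Store or any mirror site): the signer comparison discussed in the comments above, reading the first certificate of each signer from an APK Signature Scheme v2 block and comparing its SHA-256 between a reference copy and a mirror copy. It assumes v2-signed files; `build_sample_apk` and its byte strings are constructed stand-ins, and the code does not check that the signature covers the file contents, which `apksigner verify` or the Android installer does.

```python
import hashlib
import struct

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_SCHEME_ID = 0x7109871A          # ID of the v2 signature scheme pair
EOCD_MAGIC = b"PK\x05\x06"         # ZIP end-of-central-directory signature


def take(buf, pos):
    """Read one uint32-length-prefixed field; return (field, next_pos)."""
    if pos + 4 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from("<I", buf, pos)
    end = pos + 4 + n
    if end > len(buf):
        raise ValueError("length prefix overruns buffer")
    return buf[pos + 4:end], end


def find_v2_block(apk):
    """Return the raw v2 scheme value from the APK Signing Block."""
    # Simplification: assumes the EOCD comment does not itself contain the magic.
    eocd = apk.rfind(EOCD_MAGIC)
    if eocd < 0 or eocd + 22 > len(apk):
        raise ValueError("no ZIP end-of-central-directory record")
    (cd_off,) = struct.unpack_from("<I", apk, eocd + 16)
    # The signing block sits immediately before the central directory.
    if cd_off < 32 or apk[cd_off - 16:cd_off] != APK_SIG_BLOCK_MAGIC:
        raise ValueError("no APK Signing Block (v1-only or unsigned file)")
    (size,) = struct.unpack_from("<Q", apk, cd_off - 24)
    start = cd_off - size - 8
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("inconsistent APK Signing Block size fields")
    pos, end = start + 8, cd_off - 24
    while pos + 12 <= end:
        (pair_len,) = struct.unpack_from("<Q", apk, pos)
        (pair_id,) = struct.unpack_from("<I", apk, pos + 8)
        if pair_len < 4 or pos + 8 + pair_len > end:
            raise ValueError("malformed ID-value pair")
        if pair_id == V2_SCHEME_ID:
            return apk[pos + 12:pos + 8 + pair_len]
        pos += 8 + pair_len
    raise ValueError("no v2 signature block present")


def signer_cert_digests(apk):
    """SHA-256 of the first (signing) certificate of every v2 signer."""
    signers, _ = take(find_v2_block(apk), 0)
    digests, pos = [], 0
    while pos < len(signers):
        signer, pos = take(signers, pos)
        signed_data, _ = take(signer, 0)
        _content_digests, p = take(signed_data, 0)
        certs, _ = take(signed_data, p)
        cert, _ = take(certs, 0)
        digests.append(hashlib.sha256(cert).hexdigest())
    return digests


def same_signer(reference_apk, candidate_apk):
    """True when both files carry the same set of signer certificates."""
    return set(signer_cert_digests(reference_apk)) == set(
        signer_cert_digests(candidate_apk))


def lp(b):
    """uint32 length prefix, as used inside the v2 block."""
    return struct.pack("<I", len(b)) + b


def build_sample_apk(cert, payload=b"constructed zip entries"):
    """Constructed test input: payload + signing block + empty central dir."""
    signed_data = lp(b"") + lp(lp(cert)) + lp(b"")
    signer = lp(signed_data) + lp(b"") + lp(b"constructed public key")
    value = lp(lp(signer))
    pair = struct.pack("<QI", len(value) + 4, V2_SCHEME_ID) + value
    size = len(pair) + 24
    block = (struct.pack("<Q", size) + pair + struct.pack("<Q", size)
             + APK_SIG_BLOCK_MAGIC)
    cd_off = len(payload) + len(block)
    eocd = EOCD_MAGIC + struct.pack("<HHHHIIH", 0, 0, 0, 0, 0, cd_off, 0)
    return payload + block + eocd


if __name__ == "__main__":
    ref = build_sample_apk(b"constructed developer certificate")
    resigned = build_sample_apk(b"constructed re-signer certificate")
    print("reference signer:", signer_cert_digests(ref)[0])
    print("mirror copy matches:", same_signer(ref, resigned))
```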
> The aurora client is open source, and you can see it fetches directly from the app store.
Am I correct to assume that you have to compile it yourself in order to keep this trust? Otherwise, there's no way to know if the binary being distributed alongside the source fetches from the same place, and we're right back to untrusted apps.
You've got it exactly right. Unfortunately, Google's Play Store is the only source for a number of proprietary applications that work mostly okay on degoogled android systems, including:
* my bank app, and probably yours too
* iNaturalist
* various dating apps such as tinder, bumble, hinge, coffee meets bagel
Edit: wonder if I could use a mirror instead?
Edit2: ugh tried apkmirror. Might work. The client has ads (pretty sure google ads...) and popups. Some of the ads contained a download button? I got confused and concerned. Dipped out. I'll just be more dependent on my workstation(s). Phone still works as a phone, I presume.
I really wish commercial apps would support alternative app stores. There are far worse offenders than Google, but it's currently quite intrusive and who knows if it won't get worse. I doubt the billions in rent they must collect every year on app sales really go on improving the OS experience.
F-droid repository format would be easy enough to support a commercial repository you could manually activate, with signing and all.
> I doubt the billions in rent they must collect every year on app sales really go on improving the OS experience.
Google has huge numbers of engineers working on Android...
Although I do kinda wonder exactly what they're working on, considering each release of Android seems to be not very different from the previous one...
The larger the number of product devs, and the larger footprint of the product, the more people you need supporting them with tooling and infrastructure of various types.
It won't help with privacy, but if you want to use apps only sourced via the Google Play Store on degoogled, you can download the apk, extract it, and then load and install it on your device.
I use grapheneos and have a separate profile that has GPS installed which allows me to download the apks. Then I adb in and transfer them from alt_profile->computer->no_gps_profile and install it.
i just checked my banks, they are on google play and on the huawei app store, the latter though is not really an alternative i would trust any more than google, and i didn't see if it allows download without an account, but fortunately for myself i don't want banking on my phone anyways, as the phone is the most likely device to break, lost or stolen, nor do i care about those others. but that's just me.
i found apkmirror manageable, thanks to the adblocker i guess.
Maybe you're confused about the client and server parts.
The client for Google Play Store can be replaced by other apps like the one you linked. Though this is against Google's TOS.
The server part of Google Play Store is where all the applications live. It is the biggest app repository for Android and most commercial apps are uploaded there. What the GP is advocating for is having developers upload their app to other app repositories in addition to the Play Store.
I'm not really confused, the original comment is just vague. they are looking for these apps, and are only aware of the official client, and other shady sites. I am giving an alternative that can be trusted, since it downloads directly from Google, without using the official app.
Yes, that's exactly how it works, and yes, I install my banking app this way. It's not an issue from my perspective but I can see why Google doesn't like it.
I don't have a Google account and am unable to obtain Play Store APKs any other way, so Aurora Store fills an important niche for me.
I guess I will hold off on updating any Play Store apps until this is fixed or I can find another software/workaround.
For people that want to anonymously use Android...people using Graphene OS for example...it is endlessly useful. You get all the benefits of a mobile operating system without giving your private data to Google.
If I understand correctly, people can use Graphene OS anonymously. This was a workaround to use Google Play Services (Store?) anonymously. So the users want to have a piece of cake and eat it too.
It's to allow them to get apps. I wouldn't describe being able to run apps without being involuntarily tracked by a third party as "having your cake and eating it too." It's just a basic expectation of privacy. As it happens, Google makes this basically impossible to do without running afoul of their TOS, but I would characterize that as Google being unreasonable, not the users.
With this turn of events I am considering just getting a GPS for navigation and using nothing but F-droid. Google is going to continue doing this nonsense since it is against the terms, so going full open source might be the answer for me
I did but it couldn't find my Church's address when I gave it a test run. It still had our old address, even though we moved to a new building in 2017. Not sure how it gets information, but I didn't feel that I could trust it if it was giving six year old information
This is a major problem for most people with a degoogled phone. Luckily I am using Graphene which provides a sandboxed Google Play services. This means that the only access you need to give it is network access rather than the promiscuous normal access it has to just about everything on your device. https://grapheneos.org/features#sandboxed-google-play
It would be helpful if others can share here how to extract and install APK's outside the Play store.
> It would be helpful if others can share here how to extract and install APK's outside the Play store.
I use APKPure. I have the suspicion that it must be some kind of malware/spying operation, but I couldn't find any proof so I kept it. Another HN user [1] followed up on a comment on mine on the topic and they didn't find anything particularly strange either.
Graphene OS is a very interesting option but it only runs in Google's Pixel phones for now, so I'm waiting for the day it could be installed in other devices.
You might be waiting a while. If you read the documentation I think they get into the reasons for that pretty thoroughly. As a side note, I think the prices for 5's and 6's are pretty reasonable right now (they seem to have fallen a bit from a year or 2 ago).
Seems like Google is spending way more energy on preventing users from avoiding being spied upon by them than they are on actually moderating the app store against spyware and malware.
Aurora wouldn't need to exist if they gave us an easy way to get apps from the Play store without giving control of our entire phone to the worst privacy offenders on earth.
Huge issue with those having to use a phone from one country with apps local to another country - very common for extensive travel, as the formal Google play store locality change is only allowed once per year.
Yeah, that's annoying. Public transport companies sometimes have this issue, where they don't offer travel planning on their normal website, but tell everyone to use their app, only you can't install it because you're not from that country nor in that country when you're preparing to travel there from the comforts of your home.
That's been available on their site for as long as I can remember. Long before they had an app that would tell you as well. Heck, I'm pretty sure before Twitter even existed.
You can change your account's country by opening the store and tapping on your avatar. It's a bit convoluted (requires you to make up an address) but it's not the end of the world.
I'm not sure how many different countries you visit, but if it's 2-3 you can set up multiple Google accounts and quickly switch between them in the Play Store by swiping up/down on your profile picture.
It's trivial to have multiple Google accounts, one from each country, on the same phone. The apps installed by any account will be accessible to all of them.
Obtainium is open source and can download/update directly from source on GitHub or GitLab—or even use directly F-Droid, IzzyOnDroid, Mullvad, Signal, APKMirror, APKPure, Steam, Telegram, VLC, Neutron.
I don't know when it started but I had the same issue on a Samsung tablet yesterday afternoon. If Google permanently blocks access to the Play Store from Aurora then that will be sufficient for me to finally spend the money to get an iPad.
I get that you want to send a message, but what problem does moving to iOS solve? You have the same restrictions, in fact even worse ones, with way fewer options for accountless downloads.
I am less concerned that Apple will exploit my data because they make plenty on the hardware; in the case of Android gear Google's whole point is exploit any data they can for profit. I have few use cases for a tablet as it is (photography being the big one: Canon Camera Connect) so if Google makes it impossible to get/update that app I'll just switch platforms. (If not an iPad then perhaps a laptop but that's far more bulky to take on a photo shoot.)
The part where you said: "I am less concerned that Apple will exploit my data because they make plenty on the hardware" feels like such a naive way to think about Apple.
People switching from Android to iOS for privacy reasons seems myopic to me. Apple is, ultimately, a company. There is no such thing as them “making enough money.” If they can double-dip by both selling data and selling hardware, they will. It's not a matter of if, but when.
De-Googled Android is objectively a more privacy-friendly option than iOS.
> People switching from Android to iOS for privacy reasons seems myopic to me. Apple is, ultimately, a company.
They're not the same. Google generates ~80% of its revenue from an ads product built on user data. Apple has an ad product which generates ~5% of its revenue (mostly from App Store ads), collects far less info¹, does not share user info with third parties, and lets users turn off personalized ad targeting with a simple toggle².
My point is that Google's business model is intrinsically privacy-eroding¹, and Apple's business model is (for the foreseeable future) privacy-supporting¹. This is not to claim that Apple is "good", but that privacy is good business to Apple and is odious to Google. This is why switching is not myopic, in my estimation.
¹ (because that behavior supports their primary sources of revenue)
Both of them are trying to make as much money as they can from hardware and ads. Currently Apple is doing better at one and Google is doing better at the other, but that seems like a contingent fact rather than a deep difference.
I tried graphene for a while, and degoogled basically doesn’t work.
It almost works, but app developers don’t test with it, and also constantly push updates. The end result is that you never know which app is going to null pointer exception on startup this week (looking for unnecessary, but missing services), or which one will hellban your account for fraud false positives.
Also, for anything that wants google services, reading lat/long from the GPS is flaky at best. (Usually works, but sometimes puts you at a location from last week.)
it's also a lot more work. I have other interests than maintaining a degoogled phone and worrying if my banking app or trading app is going to fail in the middle of a transaction. Apple is a compromise for now.
iOS doesn't spy on you nearly as much as google. They also don't sell your data to 3rd parties for a couple of pennies. They have their issues but google absolutely data mines everything on your phone to sell to their clients
That feels like cutting off your nose to spite your face, since iOS is still way more locked down than Android. If your employer cut your salary from $100k to $90k, would you respond by quitting and going to work somewhere else for $50k?
Per another comment, and keeping with your analogy, they think the work at the 50k$ employer is nicer | that Apple isn't as evil as Google.
Not saying they're right or wrong, but that's valid logic if true. Personally I find the other ways in which you get locked down+in to already be so not worth it that it's not even a question I've needed to consider.
I'm seriously not getting this POV, which I see a lot.
Yes, some apps are only available in the play store, and the maker of them does not publish them anywhere else. How's that google's fault again? Are you mad at Twitter because Starbucks doesn't sell their coffee there?
There is no vendor "duopoly" between google and apple. There are about a thousand flavors of Android, and a bunch of phone makers - and google isn't even the top Android seller. The only one I've used with a play store was for like a year in 2010.
There is a technology duopoly, but the technology part has nothing to do with google. Much like there's no triopoly between windows/macos/linux. Because "Linux" is not a vendor. Linux is like "car," not like "Toyota." Windows is like "bicycle with lawnmower engine held on with duct tape." Macos is like "you're eating this absolute shit, and it does taste good"
> Yes, some apps are only available in the play store, and the maker of them does not publish them anywhere else. How's that google's fault again? Are you mad at Twitter because Starbucks doesn't sell their coffee there?
I can buy from Starbucks anonymously, or give my friend money to buy something for me. If they're calling it a "store" then that comes with an implication that you don't have to consent to being creeped on to get stuff from there.
They also did a bait-and-switch where they initially touted android's openness, but then moved an increasing amount of core functionality into google play services and encouraged app makers to depend on that.
> There is no vendor "duopoly" between google and apple. There are about a thousand flavors of Android, and a bunch of phone makers - and google isn't even the top Android seller. The only one I've used with a play store was for like a year in 2010.
There is absolutely an app store duopoly - it's a different duopoly in China than the rest of the world, but that's a distraction. The fact that they're able to sustain their 30% cut shows how much market power they have.
Starbucks (Google) and McDonalds (Apple) coffee are both available and control 98% of the coffee sales, with Starbucks owning about 70% by themselves. They each make their own special cups (hardware) that can only hold their coffee and require their special nozzles to fill, but Starbucks graciously allows a number of other retailers to make and sell compatible versions of their special cups. The fill nozzles of each require a special brewing process for the coffee to fit thru the nozzles, and a special grinding process for that brewing. Both own 99.9% of the market on services, tools, and patents for the brewing and grinding. They also have 95% market share on bean buying and importing, and only ship to their own supply chains.
To help with harvesting, McDonalds offers nice tools but will only buy beans harvested with those tools and charge $99/year/worker for them. Starbucks offers theirs for free, but the tools have to be taken apart if you don't want your harvested beans ending up in a Starbucks purchasing truck.
Not to be outdone by the lowly coffee farmers, both companies own large coffee plantations, and Starbucks owns 30% of the total coffee-growing land in the world and leases almost all of it to any type of farmer that will pay. Resultantly, it's less profitable and more work for farmers to not sell to Starbucks or McDonalds, even though they get paid very little for their beans.
Now you as a coffee drinker don't like that Starbucks is requiring you to provide 2 years of bank statements, your government ID card, birth certificate, body cam footage for the last 2 weeks, emails for the past 4 months, full text message history, and the passwords to every account you've had since you were 12 years old every time you want to buy a coffee. McDonalds is better, they only want the body cam footage, bank statements, and passwords, but you're not thrilled by that either. So you decide to find another coffee shop.
You discover there are only a few, and they mostly just serve gas station drip coffee because they can't get growers to sell to them. Some try to get the grower to sell, but require the grower to also handle shipping and importing, but most want the growers to include shipping, importing, grinding, and brewing. Needless to say, not many growers are interested, especially ones that already have big name recognition among coffee drinkers.
A couple enterprising companies however have figured out they can just resell the Starbucks coffee. Most of these just go buy all the types of coffees available and keep them on hand for anyone that wants them, but buyers are wary of whether they're really getting the Starbucks coffee or coffee with unknown fillers added. Only one company has decided they'll resell by offering to have one of a dedicated team of people go buy the Starbucks for you while you watch (Aurora Store). Now Starbucks is getting angry because they specifically say you can't buy coffee for others, and they're banning the dedicated team of people from all Starbucks stores in retaliation.
To be clear, aurora store is an alternative method to access the google play store and download apps from it. This change isn't making sideloading more difficult, it is making it more difficult to access play store apps without installing the play store.
My daily driver is a Linux phone running Ubuntu Touch. Besides that I have three more phones running other Linux projects, basically to test them, and to report bugs.
In addition to those devices, I also have another one running Lineage OS because I need some apps that I can't run in any other way, v.gr. Monash University Low FODMAP Diet App.
It is just a deal breaker in my book, and likely for others.
It isn't even obviously stated on their documentation either, yet their homepage has "Keep your data private with an operating system that's fully secure."
I wish it were that simple, sometimes. Not everybody is in a position to, for varying reasons. We’re privileged to have that ability. There are entire groups of people who just can’t because of being “black listed” for one reason or another.
Initially this works, but unfortunately trends in society are making your options shrink over time.
I switched from the cheapest telco around (by a significant margin at the time, $10–25/month instead of $35–50 for what I needed), circles.life, in part because they had no website to control things, view usage, &c., but only exposed that stuff through a mobile app that I couldn’t run. (Also very clearly illegal conduct in matters like sending spam text messages from their service notifications number, which they refused to even acknowledge when directly confronted.) But the telco I’m on now, amaysim, introduced some new roaming arrangement a few months ago that you can only activate through their app, not their website. (I would like to use it next month, so hopefully talking to customer support will work. At least they actually let you talk to support without using their app, which circles.life made hard.) Also their website is painfully slow to log in: from hitting the login button to the next page starting to load takes fully 48 seconds, and their site is of the idiotic “insist on logging you out after ten minutes” variety (like most of these sorts of businesses, for baffling reasons), so viewing my usage is fairly painful. At least I can keep the tab open at the usage page, and then when I reload and get presented with the login form and press the login button, it’ll end up back at the usage page in a minute or so; some will lose what page you were on, so that you have to go through multiple steps each time.
Banks, most of the biggest ones in Australia still have online banking, but it’s generally painful to log into and use compared to their mobile apps, and they all have a nasty habit of adding new stuff to mobile either first or only. And newer bank labels are commonly mobile-only. Internet banking is largely treated as a legacy matter which they’re all just not particularly interested in.
toy phones are mostly the Google pixel, and Fairphones
- You can flash anything on these.
- You have 5-10 years of update on the android out of the box
- huge communities.
- consistent VoLTE and VoWIFI support
- lines are easy to understand (only a few models in each generation)
Samsung offers no long term support of phones, does hardly any publication to help open source communities to make a new image of android, and has the knox thing that makes it harder than it could be to flash. They just poop billions of different models every year without further support.
Xiaomi is like Porsche with the 911, which means they brand all of their phones the same, even when they have very different processors, vowifi support or not,... So pay attention to your exact model (the "pro" keyword isn't marketing, it can make the difference between a locked in Mediatek processor and an open source snapdragon)
I'm annoyed to have got the only flavour of Mi10-something without Vowifi support, for example, because I didn't read properly.
Sony has some OK phones to hack as well. And they look good! But I think there was an article on HN a few days ago, about the hardware of the XA2 that called home to send analytics even with a custom ROM.
I'm also annoyed because I have had that exact model with iodéOS.
So yeah, I'd recommend to just get a Pixel phone if you want something compact (the 6A is pretty narrow), or the Fairphone if you want something large that you can physically repair, and update for the longest even if you don't hack it.
(I now have a Mi10 Lite and a Pixel 6A. I just had the latter, so that I can use one of these to hack a bit.)
Samsung community support is pretty good if you stick to the flagships, it's true that you lose Knox in the process but Knox is pretty much useless in my opinion anyways.
for a toy project, the pinephone is on my shopping list.
for serious use i stick to /e/OS supported phones. /e/OS has its own store that also gets apps from google play using their API. i wonder if that will be affected too. so far it's still working
how bad is the performance really? the pinephone pro is twice as expensive. is it really worth the price difference? it certainly is beyond my budget for toys, and at that pricepoint i'd rather invest into a fairphone.
interesting, but even if they did update it more frequently, i think most people don't update their phone that often either. divestOS approach to update webview independent of the phone is actually a clever way to make it easier to update
Aurora isn't an alternative app store, it's an alternative method of accessing the Google Play Store. F-Droid is an alternative app store on Android usually used by degoogled phones.
With alternative stores, I'm hoping that we'll get a choice in where to install public transport apps, Spotify, Discord, games, et cetera from, rather than having the choice between Google and illegal mirroring sites (the app's owner holds copyright and didn't authorise something like apkmirror/apkpure to distribute with ads and potential malware, though they've proven more reliable on the latter front than early apk redistribution sites).
That's how I also read GP's comment, but your reading is also a valid one.
Correct and I do get most of my apps from f-droid but unfortunately majority of big apps (banks, IMs) are on Google play only... because there is no sane/official alternative now (even f-droid can't update the apps automatically... )
It's been a great app, but I've found myself relying on APK Mirror more and more. Would be nice if there was a more up-to-date APK Mirror client that can handle updates automatically.
Unfortunately this workaround doesn't seem to allow you to get the download button on Aurora Store for the searched app: "App purchases not available on Anonymous accounts"
But you'll get the Update tab for the already installed apps.
For those affected, I just tested, and there was a Signal update available which successfully completed. Perhaps updates for existing / old users will continue to work? Fingers crossed