Yes, that's correct, and yes it's a massive violation of the terms. Aurora Store also lets you use your own Google account, which is also outside of Google's terms. But the only way to get apps from the Google Play Store without installing the entire set of Google Play Services is this, so the entire setup is outside of Google's terms.
It is quite convenient both from the perspective of a stock Kindle Fire (commercial Android), and for LineageOS (non-commercial, unlocked, root available).
It will also indicate if the app requires Google Mobile Services, which would preclude correct functionality outside of MicroG or alternate implementations.
and without using something personal like your email address to download programs, which should be granted and was before mobile OSes. And still is on regular computers.
That's not really true, you can make a throwaway Gmail account in about 5 minutes. Make one per Android device, throw the login details into a password manager and forget about it. I've done this for several Android devices now and never run into any issues.
Ironically, when I tried to set up a legitimate Gmail account for my business and used it to set up several accounts, within a few days it got locked with no recourse for unlocking - there was a comment box where I could beg for an unlocking, never even got a response though. So Gmail is only for throwaway accounts from now on.
When two postal-code locations (e.g., day and night, home and work) are sufficient to specifically identify 90% of the population, and with Android devices being infested with location-tracking capabilities (above and beyond GPS), creating a pseudonymous account != hiding your identity from Google (or whomever else it shares data with, intentionally/willingly or otherwise).
Yes, if you control for your source IP address. For example, I couldn't find anything from a quick search on whether Tor exit nodes are blocked (or use requires other PII to be supplied).
All you get asked today (at least in Australia on a residential ISP) is a first name, last name, password, date of birth and gender (includes "prefer not to say").
Years ago I think you were correct, a phone number and SMS verification check was mandated, and each phone number could only be used so many times on different accounts.
No, I'm still required to provide a phone number. This has something to do with my browser/system/IP fingerprint, because a friend of mine can make a Google account for me from his Googled phone on Chrome just fine, yet when I try to log into it from my de-Googled phone on Firefox from my place, it asks for a phone number.
It's about as awful as Discord, who also locks account creation behind providing a phone number when an account is created from my residential IP. It almost feels like I've tripped some prevention mechanisms that all these companies are sharing and I have no idea of how to get my "goodness" score back up.
> But the only way to get apps from the Google Play Store without installing the entire set of Google Play Services is this, so the entire setup is outside of Google's terms
You're not wrong, but that method is way more involved in every way.
- You need a PC to run GooglePlay
- You need to install Golang on that PC
- You need a Google Account
- You need to sign into the actual Google Play Store from a real or virtual device using that account
- You need to know the Google Play Store package name (com.google.android.youtube) instead of just YouTube
- You then have to transfer the APK to your Android device and install it.
- You have to manually monitor your collection of apps on your device to see if there are updates and then go through the same process again to get the updated version.
With Aurora Store I had to
- Install F-Droid from https://f-droid.org/
- Install Aurora Store from within F-Droid
- Open Aurora Store where it logs me in with a random Google Account from their pool of accounts.
- Search for whatever app I want to install.
- Tap Install.
- For updates I tap on the Updates button and then tap Install All.
Unless I'm mistaken, there are no binary releases so you have to build it to use it.
I mostly wrote up that response because you took the time to post the link three different times in this thread, but there wasn't much elaboration about what was involved or why GooglePlay should be considered an alternative to Aurora Store.
The Aurora client is open source, and you can see it fetches directly from the app store.
Apkpure is proprietary and stores the APK in an intermediary opaque server. So basically they can inject pretty much anything in the packages you install, and it's much harder to check than Aurora if they do.
APKs from the Google Play Store are signed by the developer. Apkpure would not be able to change the APKs without re-signing the file, something that would be trivially detectable against an authentic APK.
This is no longer true as of 2021. You as a Google Play user with very limited exception (see next paragraph) have no assurance whether you've received the mobile application bundle (.aad) the developer intended you to have, nor are you receiving the same application bundle everyone else in the world receives. Signatures controlled by Google are now used to sign the application bundle sent to each device[2]. It's not quite as bad (yet) as the Apple situation, but not far off.
For a security conscious developer such as Signal who publish an APK (.apk) and signatures publicly[2], a user with a rooted device could theoretically unpack the official application bundle received from the Google Play Store and check the executable code and resources match those in the publicly available APK. Or just not use the Google Play Store and obtain your applications directly from the developer or an intermediary you place more trust in.
It's no longer true that APKs are signed by the developer, but it is still true that it is signed in such a way that a third party APK mirror site could not tamper with the file without being detectable.
Google could have tampered with the file before the mirror site got it, but you can verify that whatever a mirror site is offering was signed by them.
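The signer check discussed in the comments above, as an added example that is not code from any participant in this thread: it reads the signing certificate out of an APK's v2 signing block and compares its SHA-256 with a fingerprint obtained out of band. It handles the v2 scheme only and does not verify the signature itself (`apksigner verify --print-certs` or the Android installer does that); the function names and the sample bytes are constructed for illustration.

```python
import hashlib, struct

MAGIC, V2_ID = b"APK Sig Block 42", 0x7109871A  # signing-block magic, v2 scheme ID

def _lp(buf, pos=0):
    """Read one uint32-length-prefixed field; return (field, next offset)."""
    (n,) = struct.unpack_from("<I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def _wrap(b):
    return struct.pack("<I", len(b)) + b

def signer_cert_sha256(apk: bytes) -> str:
    """SHA-256 of the first v2 signer's certificate. Does NOT verify the signature."""
    eocd = apk.rfind(b"PK\x05\x06")               # ZIP End of Central Directory
    if eocd < 0:
        raise ValueError("not a ZIP/APK")
    (cd_off,) = struct.unpack_from("<I", apk, eocd + 16)
    if cd_off < 32 or apk[cd_off - 16:cd_off] != MAGIC:
        raise ValueError("no APK Signing Block")
    (size,) = struct.unpack_from("<Q", apk, cd_off - 24)
    pos, end = cd_off - size, cd_off - 24          # ID-value pairs live here
    while 0 <= pos < end:
        pair_len, pair_id = struct.unpack_from("<QI", apk, pos)
        if pair_id == V2_ID:
            signers, _ = _lp(apk, pos + 12)        # signers -> signer -> signed data
            signed_data, _ = _lp(_lp(signers)[0])
            _digests, p = _lp(signed_data)
            cert, _ = _lp(_lp(signed_data, p)[0])  # certificates -> first certificate
            return hashlib.sha256(cert).hexdigest()
        pos += 8 + pair_len
    raise ValueError("no v2 signer found")

def matches_pin(apk: bytes, pinned: str) -> bool:
    """Compare with a fingerprint published by the signer (colons and case ignored)."""
    return signer_cert_sha256(apk) == pinned.replace(":", "").lower()

def build_constructed_apk(cert: bytes) -> bytes:
    """Constructed sample: empty ZIP plus a v2 block carrying `cert`, no real signature."""
    signed_data = _wrap(b"") + _wrap(_wrap(cert)) + _wrap(b"")
    value = _wrap(_wrap(_wrap(signed_data) + _wrap(b"") + _wrap(b"")))  # one signer
    pair = struct.pack("<QI", len(value) + 4, V2_ID) + value
    size = struct.pack("<Q", len(pair) + 24)
    block = size + pair + size + MAGIC
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 0, 0, 0, len(block), 0)
    return block + eocd

if __name__ == "__main__":  # constructed certs: a re-signed copy fails the pin
    pin = hashlib.sha256(b"constructed developer cert").hexdigest()
    print(matches_pin(build_constructed_apk(b"constructed mirror cert"), pin))
```

A copy re-signed by anyone else carries a different certificate, so the comparison fails; a copy signed with a Google-held key matches only a pin taken from that key.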
> The Aurora client is open source, and you can see it fetches directly from the app store.
Am I correct to assume that you have to compile it yourself in order to keep this trust? Otherwise, there's no way to know if the binary being distributed alongside the source fetches from the same place, and we're right back to untrusted apps.