Hi!
I just wanted to ask you how safe and secure is to get my banking apps installed from Aurora Store.
I use several banking apps which in turn launch an identity verification app for letting me to log in.
I use a custom rom on a Pixel 4a phone without GAPPS so the only way that I can install these apps is via Aurora Store.
I need to be absolutely sure that these apps are safe and secure. My whole economy will be at risk otherwise.
Thanks for reading and looking forward to your replies!
Aurora Store gets apks directly from the Play Store, they are the exact same apks as in the Play Store. No idea if banking apps are gonna work as intended without Google services though, but that’s another problem. I hope this answers your question.
Hi @attempty!
Thanks for the reply!
That sounds reassuring. I should have said that I’ve got microg services running on this device and actually I have already installed the banking and the identity verification apps but I haven’t used them to log in. They seem though to be launching fine.
You can try microg if your banking apps aren’t working, but mostly work. Rooted phones don’t work well with these apps and ofcourse you shouldn’t be using banking apps in such a device.
Though it depends on the custom rom (device signature, safety net).
I have personally found pixel experience work well with banking apps.
Hi @lepras and thanks for the reply!
I do have microg running on this device. I’ve got my banking apps working now.
When I start them, they launch automatically the identity verification app. This one needs the google services to function. However it seems to be working fine with microg as well.
The strange thing is that it is working with microg disabled as well. when it launches, it asks for the "google service/microg " to be enabled and brings up the screen to enable it. I just swipe it away and go back to the application’s screen which after a couple of seconds loads just fine. I enter my password and then the originating bank apps logs me in.
I am content that it works now. Though my main concern was the safety and security of the downloaded APKs for these apps from Aurora Store.
By the way, I found your guide in the forum and will be reding it. Thanks!
Regarding your threat model, you cannot be absolutely sure your bank account is safe and secure. Besides malicious apps, there are many attack vectors someone could use to steal your money (e.g. stealing password, SIM swap attack to circumvent 2FA, friend-in-need scam). So you should really evaluate the risk (chance * consequence) of the attack vectors and act accordingly. Downloading the app from Aurora is probably almost as safe as downloading from the Google Play Store, but there are probably easier ways to steal your money.
If you’re really worried about security, I reccomend using the Google Advanced Protection Program (or Apple’s version) on a separate device you use solely for banking.
Yeah its just boilerplate code used for “security”, going around the banking scene.
It just checks if the API’s are available (on-device), doesn’t care about anything else.
These are google signed, no need to worry.
If they were changed in some way, the apps should not run (If I was the dev at least I would have that check)
I never saw anyone reporting aurora store for mal practice.
I myself switched to iPhone for banking apps lol.
Mine stopped working last year. I bank on PC.
There are certain functions not available on web apps, so sadly have to use mobile apps.
I’ve considered buying a cheap Android phone just for banking.
On Android you can have multiple user profiles. You could setup a user profile with google play services or microg and use it for banking, while keeping your main user profile clean without google play services or microg. It might be a good trade-off between privacy and security to use a pseudonymous google account for logging into the google play store and downloading the apk from there.
That’s what I’m doing. I have a separate user account for all my banking stuff but I actually downloaded the apk files from APKmirror. So I don’t even need to log into a google account.
I only use aurora store for updates and I’m not logged into any google account on that profile.
Hope this helps.
Thanks everybody for all the insights shared and all the suggestions made!
For now I am having only the identity verification app in a separate user profile and no other specific apps for the banks.
I’ll be using it to verify my identity in the websites for the banks I have an account with using my laptop running on Linux and a (somewhat) hardened user profile only for banking.
I could actually do without the identity verification app as well but then I would need to use Windows with the identity identification program installed and a usb input device for typing in my “secret” password. However I don’t really want to do this.
I leave this thread open in case anyone feels like to post comments, suggestions, ideas …
Thanks again!