Most of my messenger apps have their own implementation of push notifications, but some (mostly non-messenger) apps require Firebase Cloud Messaging (i.e. Google) to get push notifications. Also, Signal in particular uses lots of battery when using its own push notifications (I don't know why, because e.g. WhatsApp or KakaoTalk don't have that problem). I don't require anything else from Google - I don't need the Play Store (using F-Droid + Obtainium + Aurora), I don't need Android Auto or Google Pay or Network-based Location Services.
So I was wondering - what's the minimal way to set up FCM push notifications without any other unnecessary connections to Google?
This is my idea, and I am looking for comments and corrections:
- Install Rethink from F-Droid or GitHub
- Install Play Services from the GrapheneOS App Store
- In Rethink, configure an always-on WireGuard VPN for all Google apps; or alternatively install Orbot and use it for all Google apps
- Start Play Store for initial setup (but don't log in) in order to enable FCM [possibly outdated info, is this step still needed?]
- Disable (not uninstall) Play Store, remove all permissions except Network from GooglePlayServices and GoogleServiceFramework [do both apps need the network to get push notifications working or is one enough?]
- In Rethink: In the firewall, put GooglePlayServices and GoogleServiceFramework in "isolate" mode and add mtalk.google.com as a trusted URL. What this does is that the app can only connect to that one domain and all other connections are blocked. [again, are both apps required for FCM notifications?] [are any other URLs needed for push notifications?]
- Allow unrestricted battery use for GooglePlayServices for timely push notifications
- Bonus: As you now have Rethink installed already, you can set up system-wide ad blocking, by setting up DNS-over-HTTPS in Rethink (e.g. with the Adguard DNS server) and/or adding local filter lists in Rethink
The aim here is basically that the Google apps can only connect to mtalk.google.com for push notifications, and that the IP is hidden as well. Does this approach achieve that?
If I'm not mistaken, because of the three-pronged isolation (GOS sandboxing, Firewall, VPN/Orbot), the only information Google can get is (a) what apps you have installed that talk to FCM (irrelevant imo as they don't even see who "you" are) and (b) for some apps the push notification contents (I think Signal and WhatsApp don't contain the content in the FCM notifications, but other apps may do).
Bonus question: could you also use Android Auto with this approach? It should be able to work completely offline, right?
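One way to check whether the "isolate + one trusted domain" policy from the list above actually holds on a device is to audit a per-app connection log against it: every connection from the two Google components must go to mtalk.google.com, and anything else (including a connection to a bare IP with no resolved hostname) is a policy violation worth investigating. The script below is an added example, not code from the original post or from the Rethink project. The package names `com.google.android.gms` (Play Services) and `com.google.android.gsf` (Google Services Framework) are the real ones; the `key=value` log format and the log lines are constructed for the example and are not Rethink's actual export format; the "isolate" semantics are modelled as an exact, case-insensitive hostname match against the trusted list, which is an assumption.

```python
"""Audit a constructed per-app connection log against an isolate-plus-trusted-domain policy."""
import re
from collections import defaultdict

PLAY_SERVICES = "com.google.android.gms"        # real package name of Google Play Services
SERVICES_FRAMEWORK = "com.google.android.gsf"   # real package name of Google Services Framework
FCM_HOST = "mtalk.google.com"                   # the single trusted domain from the post

# Policy under test: both apps isolated, each allowed to reach only FCM_HOST.
# Isolate semantics assumed here: block unless the destination hostname is trusted.
POLICY = {PLAY_SERVICES: {FCM_HOST}, SERVICES_FRAMEWORK: {FCM_HOST}}

# Constructed sample log in a hypothetical key=value format (not Rethink's real format).
# dst="-" means the connection went to a raw IP with no resolved hostname.
# IPs are from the 192.0.2.0/24 documentation range.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z app=com.google.android.gms dst=mtalk.google.com ip=192.0.2.1 port=5228 proto=tcp
2024-05-01T08:00:05Z app=com.google.android.gms dst=play.googleapis.com ip=192.0.2.2 port=443 proto=tcp
2024-05-01T08:00:09Z app=com.google.android.gsf dst=- ip=192.0.2.3 port=443 proto=tcp
2024-05-01T08:00:12Z app=org.thoughtcrime.securesms dst=chat.signal.org ip=192.0.2.4 port=443 proto=tcp
2024-05-01T08:00:20Z app=com.google.android.gms dst=MTALK.GOOGLE.COM ip=192.0.2.1 port=5229 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) dst=(?P<dst>\S+) ip=(?P<ip>\S+) "
    r"port=(?P<port>\d+) proto=(?P<proto>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict; raise on anything unexpected."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    entry = m.groupdict()
    entry["port"] = int(entry["port"])
    return entry


def evaluate(entry, policy=POLICY):
    """Return 'not-isolated', 'trusted' or 'blocked' for a parsed log entry."""
    trusted = policy.get(entry["app"])
    if trusted is None:
        return "not-isolated"          # app is not under the isolate policy at all
    dst = entry["dst"].lower()         # hostnames are case-insensitive
    if dst == "-":
        return "blocked"               # raw IP: nothing to match against a trusted domain
    return "trusted" if dst in trusted else "blocked"


def audit(log_text, policy=POLICY):
    """Evaluate every non-empty line of the log and return the annotated entries."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        entry = parse_line(line)
        entry["line"] = n
        entry["verdict"] = evaluate(entry, policy)
        findings.append(entry)
    return findings


def summarize(findings):
    """Per isolated app: counts of trusted/blocked connections and the blocked destinations."""
    summary = defaultdict(lambda: {"trusted": 0, "blocked": 0, "blocked_destinations": set()})
    for f in findings:
        if f["verdict"] == "not-isolated":
            continue
        s = summary[f["app"]]
        s[f["verdict"]] += 1
        if f["verdict"] == "blocked":
            label = f["dst"] if f["dst"] != "-" else f"{f['ip']} (no hostname)"
            s["blocked_destinations"].add(label)
    return {
        app: {**s, "blocked_destinations": sorted(s["blocked_destinations"])}
        for app, s in summary.items()
    }


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f"line {f['line']}: {f['app']} -> {f['dst']} ({f['ip']}:{f['port']}) {f['verdict']}")
    for app, s in summarize(results).items():
        print(app, s)
```

Run against a real export, a non-empty `blocked_destinations` list for either Google package means the firewall rule is letting through (or the app is attempting) something other than the FCM connection, which is exactly the question the list above raises about whether any other URLs are needed; a raw-IP entry is flagged separately because an exact-hostname trusted list can never match it.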