New GOS-user questions

Clap2Grom673

Hello, I'm new to GrapheneOS and I want to use GOS without google services as a "privacy first and security second device".

I have some questions:

Which way is the best to download apps? I was thinking about downloading apps over github.
Is it okay to download and install apps without verifying them?

I don't want to be trackable by apps or while using a browser. Any suggestion how I can achieve that the best?

E24

Clap2Grom673 there is probably always going to be at least some level of trackibg, however there are a few things you could implement to attempt to mitigate this.

For apps, ensure each one only the the minimal amount of permissions required to function, and no network access when possible. Try to avoid google services if you can. The GOS team has a much more private sandboxed version of play services, which means the apps do not have system level integration like they would on stock os and they are like normal apps. However, unless you need play services for some reason, I have chosen not to install it. I do still use the google camera and clock however, both with minimal permissions.

As far as browsers, you could use two different ones if you wanted, alfhought I just use vanadium. Some browsers such as brave have built in fingerprint protection, but I do not believe vanadium currently has such a feature. So you could use vanadium for some web browsing then use another browser for other various activities. You can also use things like a VPN or a custom DNS provider

User2288

Clap2Grom673 I don't want to be trackable by apps or while using a browser. Any suggestion how I can achieve that the best?

Yes. But the answer to your questions is a 50 page book. While we have it, we can't exactly write it all down right here and now 😄.

I know exactly where you come from and where you're at. So let me get you started.

There are different ways to be tracked and therefore different actions are needed to deal with each one.

Where you get an app from could cause some tracking, and there are ways to deal with that. (Alternate download sources that don't track).

The app itself can track you, and there are ways to deal with that, like choosing alternative apps or using the app in an "anonymous" way by withholding your "identity".

Its quite important what the app itself does and is like. If its privacy respecting then there is much less to do and worry about. But if its a privacy-risky app then sometimes there are ways to still use it anonymously, but otherwise it should be avoided, or "fenced". Generally knowing each app's behaviour is critically important and more important than its source (at the moment).

When it comes to tracking the idea should not be to avoid all apps, rather to use them while withholding your " identity". Your identity is any of: your IP, phone number, email, browser fingerprint, device fingerprint, photo, location, metadata, etc.

If a tracking system cant get a hold of any identifying info about you then it doesn't matter how much tracking code it contains.

So a correct solution for each app is the point, but you have to know the app behaviour, and that takes time and personal research/education on each app. Unfortunately. You will learn this, just not over night.

Read the following links and follow through the subsequent links and read them ALL. Thoroughly. Also have a look at their entire threads not just the linked posts. They will answer almost every question you have.
https://discuss.grapheneos.org/d/9750-i-am-loving-grapheneos/2

For private browsing you gotta have a vpn and control your "browser fingerprint". Best browsers for fingerprint management are:

vanadium
brave
mull

Use the forum search feature and search for each subject you have questions about. You will find a wealth of information.

Carlos-Anso

Clap2Grom673 Is it okay to download and install apps without verifying them?

The new AppVerifier app made by a GrapheneOS community member provides a secure way to verify apps using the apk signing certificate hash. The apk signing certs are used within android to provide secure verification that an app update is from the same source as the installed app.

This is different to checking the file hash mentioned in other posts above.

App verifier includes a growing database of cert hashes for common apps. It checks apps that are already installed against that database. It can also be used to verify apk files before installation.

It is available from github or Accrescent. To ensure good security it is best to verify the fingerprint of either Accrescent or AppVerifier using the methods described in their documentation.

github.com/soupslurpr/AppVerifier

missing-root

Clap2Grom673

I recommend to use F-Droid Basic. Its an F-Droid client that uses modern dependencies.

Accrescent has nearly no apps. There are many developers that dont supply precombiled APKs, sobF-Droid is needed. This is true for a lot of my favourite ones.

With GrapheneOS you are never "security second". Even using the oh so insecure Firefox based Browsers like Torbrowser or Mull, with the Addons

Ublock Origin
noscript (with hardened settings)
"* fingerprint defender" addons for scrambling unique IDs (only on Mull I guess)

So this may be "security second" but Firefox Devs also rewrote big parts into Rust, which was causing many vulnerabilities. So it may be more secure than Chromium, and "Sandbox" may be a Buzzword.

I do not recommend hunting down APKs from the web as its a total mess. But if you verify the first download, the following updates are safe. Its simply horrible for UX, and F-Droid really modernized things.

E24

(1) downloading apps through something like aurora for privacy or the play store if you want security. There is also github or a clint of fdroid (although fdroid does not exactly have the best security practices) you can still find very well maintained and updated apps

Clap2Grom673

E24

Thanks for your answer.

I don't want to use google services, I was wondering if it would make sense to download apps over github?

My main goal is not to be trackable.

I like the comparison that in the analog world I just can go somewhere e.g. into the forest without being watched by many eyes all the time that analyze what I am doing right now and what I'm going to do next etc etc. I can just go somewhere and do stuff without feeling watched and without being watched.

I want to achieve the same thing in the digital world as much as I can.

I hope that explains where I'm coming from.

So, I know the basic stuff you mentioned but I'm not that much knowledged beyond that...

N3rdTek

Clap2Grom673
Installing apps from GitHub does not mean you will not be tracked. Just because it is open source does not mean that it is not or potentially not malicious. It is up to the end user to do their due diligence and carefully examine and go over the services and features that are used in each app that they download. This does not necessarily mean you have to comb through the source code, you just need to be well informed about what it is that you're installing, what it is that they use services and protocol-wise, and see if it matches up with your security model.
In other words, you could very easily install an app from GitHub and still get tracked. If not tracked even more than simply using the Google service

Unless you bought your device with some form of crypto or in straight cash, you've already started to build a profile on yourself and have began a level of tracking. To what extent, I can't say for sure. But the overall idea or notion to completely and confidently avoid any and all google services and not be tracked and have complete privacy simply does not exist while using a smartphone.

If your phone even connects to a cell tower, you're being tracked. If your phone connects to anything really: Wi-Fi, Bluetooth, Wi-Fi direct, anything with a radio, you will be tracked. You could In theory, assuming it's a stock device, have all your radios off but the device on and just because you're around other devices your identifiers are still being collected.
I've read reports and I'm pretty sure it's still exists, you can have the phone completely off and or dead, and still have certain device identifiers leaked. Now whether this was intentional or not, it's not a coincidence that phones these days no longer have removable batteries

raccoondad

N3rdTek 'tracking' is also a very complex term and can mean basically any internet traffic, you will always have a trace/smell/footprint/whatever. What's important is how that effects your threat model

Clap2Grom673

User2288

User2288 Where you get an app from could cause some tracking, and there are ways to deal with that. (Alternate download sources that don't track).

What would you suggest? I was thinking about downloading apps over github or the developer website and track updates over RSS feed or obtanium. How important is it to verify the apps after the download?

User2288 The app itself can track you, and there are ways to deal with that, like choosing alternative apps or using the app in an "anonymous" way by withholding your "identity".

I would consider SimpleX Chat for all contacts that are willing to download it. Unfortunately I'm forced to use a sim card and in my country it isn't possible to get a anonymous one.

So I consider to use the sim card for mobile data only and from as few places as possible to keep location tracking on a minimum.

The phone will be in airplane mode and whenever I can I will use public WiFi over a trusted VPN.
Because I have to use a sim anyway I consider to use Molly for all other contacts.
I was thinking about using orbot as an always on VPN to lead any traffic through the tor network.

I would like to use the tor browser but I'm insecure about the security and I'm aware of the fact that the tor browser doesn't work with orbot enabled.

Are there any suggestions how to deal with that?

An idea that I had was to use the tor browser in a second user profile with a trusted VPN but I'm unsure how risky it is to use a gecko based browser on android and when it is better to use a chromium based browser like vanadium/brave instead.

Generally I just don't understand enough/have not enough technical background to understand many of the explanations that you can find in the forum or the internet.

I don't want to use social media - I want to use my phone to communicate with others over (in the best case encrypted) messages, calls, mails too (I'm forced to use mail).

I want to have the possibility to search the web and consume data (videos e.g.)

Dumdum

Clap2Grom673 the tor browser doesn't work with orbot enabled.

... why would it need to? Tor Browser already connects to the Tor network - that's the point. There's literally no need to use Orbot with the Tor Browser.

Phead

Clap2Grom673 An idea that I had was to use the tor browser in a second user profile with a trusted VPN but I'm unsure how risky it is to use a gecko based browser on android and when it is better to use a chromium based browser like vanadium/brave instead.

In general gecko based browsers like Firefox are less secure compared to chromium based browsers and vanadium in particular. See https://grapheneos.org/usage#web-browsing and https://madaidans-insecurities.github.io/firefox-chromium.html for an in-depth comparison (the second link is more accurate for desktops but nonetheless a good read).

User2288

Clap2Grom673 What would you suggest? I was thinking about downloading apps over github or the developer website and track updates over RSS feed or obtanium.

It seems you didn't read through the links i posted for you. I have answered that question thoroughly in one of the posts.
Read this post, and then read its whole thread:
https://discuss.grapheneos.org/d/2299-install-apps-from-gplay-rep-fdoid-rep-or-githubwebsite/18

Also:
https://discuss.grapheneos.org/d/2962-app-repositories-google-vs-aurora-vs-apk-vs-fdroid

Where to get apps:
https://discuss.grapheneos.org/d/6095-what-is-a-good-appstore-to-use-on-graphene-considerations/39

Where you get an app from depends on the app. Some apps are exactly the same no matter where you download from. But some apps have different "blobs" packaged in them depending where you get them from. As for sources use a combination of all 3 sources (obtanium, fdroid, aurora). Each is good for some apps. Read my posts on this subject in the links for explanation.

Clap2Grom673 How important is it to verify the apps after the download?

Not really. No one bothers. You can if you are very picky. Generally not necessary. Your choice, if you feel its that important for you. I believe you only have to do on first install.

Clap2Grom673 So I consider to use the sim card for mobile data only and from as few places as possible to keep location tracking on a minimum.

I don't know what your plan is, but basically as long as your antenna is "on" (airplane mode off) you will be location tracked by cell towers. No way around this. No point in fighting this unnecessarily. Its very difficult to avoid.

Clap2Grom673 I would like to use the tor browser but I'm insecure about the security and I'm aware of the fact that the tor browser doesn't work with orbot enabled.

With tor browser you no longer need orbot. If you have orbot "on" then just use vanadium or brave. Don't make your browser settings too unique.

Clap2Grom673 but I'm unsure how risky it is to use a gecko based browser on android...

Its not. If you are visiting a website that you think is risky and might try to break out of the browser then use chrome-based for that site.

Do know that tor doesn't work for everything. Its very slow and gets blocked on some websites and some pages also break. Specially payment websites could cause problems.

Clap2Grom673 ...and when it is better to use a chromium based browser like vanadium/brave instead.

If you are unsure then don't sweet it too much. You'll learn in time. Read and research. In fact stop worrying about this.

User2288

Clap2Grom673
It seems that like me, when i got started, you are a bit paranoid. I understand. It comes from lack of knowledge.

I'll make it easier for you. Ask me specific questions and i'll tell you what do to so you dont have to read so much right now.

Tell me exactly what it is you want to hide/protect (your threat model).

Ask me about specific apps or actions you wanna achieve, i'll see if i can help.

Clap2Grom673 I want to have the possibility to search the web and consume data (videos e.g.)

If you want to watch youtube then definitely get newpipe (github or fdroid, don't matter) and use behind vpn. You are golden.

If other general websites, then just use vanadium or brave, but definitely behind vpn. You are good to go.

Make sure you erase your session data manually at end of each usage, this is important.

If you want to isolate sites while using concurrently then use a combination of private window browsing and multiple browsers (brave/vanadium). But generally limit to few concurrent sites so to keep things simple. If you are logging into a site then make sure its isolated from your general browsing so other sites cant see its cookies and detect its identity.

At this point don't bother about verifying apk downloads. You'd be going overboard. Its not for you at this time.

Clap2Grom673

User2288

User2288 It seems you didn't read through the links i posted for you

Yes, I have to admit you're right. I only read a little bit, had some trouble these days.

User2288 Read this post, and then read its whole thread:
https://discuss.grapheneos.org/d/2299-install-apps-from-gplay-rep-fdoid-rep-or-githubwebsite/18

Also:
https://discuss.grapheneos.org/d/2962-app-repositories-google-vs-aurora-vs-apk-vs-fdroid

Where to get apps:
https://discuss.grapheneos.org/d/6095-what-is-a-good-appstore-to-use-on-graphene-considerations/39

This was extremely helpful, thanks a lot!

User2288 But some apps have different "blobs" packaged in them depending where you get them from

What are these blobs? I was guessing that they are in very simple words parts of the code or something like that. Is this assumption kinda right?

User2288 I believe you only have to do on first install

Thanks, that makes sense. I have a additional question about that: Normally you verify the hash, right? When you look at the hash of the downloaded apk you also see who signed it - is that also enough verification?

User2288 don't know what your plan is

Basically it's that my sim card provider only can see "this persons connections to cell towers appear only form this three places" or anything like that so I cannot be followed ALL around.
I thinks that's howim going to handle it, it's the best compromise of convenience and privacy for me :)

User2288 With tor browser you no longer need orbot. If you have orbot "on" then just use vanadium or brave. Don't make your browser settings too unique.

All right, makes sense

User2288 Its not. If you are visiting a website that you think is risky and might try to break out of the browser then use chrome-based for that site.

Okay, that it helpful. Now I know how to handle some things way better :)

User2288 I'll make it easier for you. Ask me specific questions and i'll tell you what do to so you dont have to read so much right now.

A BIG THANK YOU for this offer!! I will ask you things soon, just have to think through it so we can talk without misunderstanding :) Thank you!

User2288 If you want to watch youtube then definitely get newpipe (github or fdroid, don't matter) and use behind vpn. You are golden.

If other general websites, then just use vanadium or brave, but definitely behind vpn. You are good to go.

Make sure you erase your session data manually at end of each usage, this is important.

If you want to isolate sites while using concurrently then use a combination of private window browsing and multiple browsers (brave/vanadium). But generally limit to few concurrent sites so to keep things simple. If you are logging into a site then make sure its isolated from your general browsing so other sites cant see its cookies and detect its identity.

At this point don't bother about verifying apk downloads. You'd be going overboard. Its not for you at this time.

Thanks, that clears a lot and I now feel more secure about what I'm already doing.

I'm just curious: what's your opinion on invidious and the grayjay app?

So, that's it.

Almost.

Because I have to tell you this:

You are a deeply sympathetic person! I just want to appreciate that you take your time to answer questions so detailed and easy!

You know how to understand/feel (into) other people's needs and situations - not only mine, also in other threats and this is awesome!

You really helped me a lot already and I'm very thankful for that!

A just wanted to thank you from the bottom of my heart - hope this wasn't too weird or a anything. :)

Eagle_Owl

Clap2Grom673
You wrote:
“Thanks, that makes sense. I have an additional question about that: Normally you verify the hash, right? When you look at the hash of the downloaded apk you also see who signed it - is that also enough verification?”
That is (my understanding of the) verification.

I download apps directly from GitHub, if their developer is well-known and I get his/her apps and updates faster and the developer also provides the hash value for the file.

To check the hash value (file fingerprint) I use always the app Hash Droid from Hobby One, you find it on F-Droid.
Unfortunately his last version 4.3 is from June 2020, but only 155 kB file size and it works well, like the newer ones from other devs.
The newer ones I found have much bigger file size and are not better – and also not very recent.
So I stick with this little tool and check the hash value of the file after every download and let this app compare it with the download.
Occasionally I look to see if there is a better/newer app for it.

If you trust a software developer, see if they offer their files on GitHub or in their own repository on F-Droid. Use the hash check function anyway.
Install as few apps as possible, this also reduces vulnerability.

User2288

Clap2Grom673 What are these blobs? I was guessing that they are in very simple words parts of the code or something like that. Is this assumption kinda right?

Again in case you missed it this was also talked about somewhat in this thread that you may have already read:
https://discuss.grapheneos.org/d/2299-install-apps-from-gplay-rep-fdoid-rep-or-githubwebsite
@unwat discusses this.

Blobs or "binary blobs" are premade packages of codes that big companies write. These packages allow a lot of functionality which the developer doesn't have to personally write again. So developers include these premade packs of code in their software for their own ease. Some of these blobs are proprietary and could include invasive code. And since we cant see inside them, we can't verify them, so we call them "blobs". These blobs get integrated into the app's source code and get compiled together.

For example the official telegram app provided on playstore and their website includes google "blobs" that allow it to integrate location sharing and rendering the image in the chat using google maps. The "Telegram-FOSS" app available on fdroid has these blobs removed. So its a more foss version of the same telegram app.

Another example is that i think pretty much all apps that use google notification service (fcm?) use google blobs for the notification system. If a person is concerned about this then they should look for a version that doesn't have these.

Clap2Grom673 Normally you verify the hash, right? When you look at the hash of the downloaded apk you also see who signed it - is that also enough verification?

I've never done this so I am not sure. But i believe the program you use for verifying signatures produces a "hash" for any apk you give it, and the app publisher also discloses their app's hash on their website. You compare the two visually and if they are the same then you are good to go.

Clap2Grom673 what's your opinion on invidious and the grayjay app?

Not familiar with grayjay, can't comment.

Invidious is the best thing since sliced bread. Its wonderful. Its a frontend for yt. Basically you can watch youtube with no tracking at all and without the need of vpn or newpipe. Its a great option for browser use for yt. Although yt is starting to crackdown on it. Its speed also lacks some times.

There are also other frontends for other things. Checkout libredirect, and this:
https://github.com/mendel5/alternative-front-ends

User2288

Clap2Grom673 Because I have to tell you this:

You are a deeply sympathetic person! I just want to appreciate that you take your time to answer questions so detailed and easy!

You know how to understand/feel (into) other people's needs and situations - not only mine, also in other threats and this is awesome!

You really helped me a lot already and I'm very thankful for that!

A just wanted to thank you from the bottom of my heart - hope this wasn't too weird or a anything. :)

No its not weird 😊.

Taking the time to leave someone else feeling appreciated for their efforts is the fruit of maturity and wisdom. Thank you for your kind words. I will savour them 😊. Your observation is a sign of your own insightful-ness and your words a testament to your own kindness.

I try my best to help people in the privacy endeavour as my personal commitment to carrying my part of the weight of the social responsibly to this social challenge.

Pass it on someday.

User2288

Clap2Grom673 Basically it's that my sim card provider only can see "this persons connections to cell towers appear only form this three places" or anything like that so I cannot be followed ALL around.

Just FYI, being tracked by cellular towers happens when your radio is on, regardless of whether you have a sim or not. Once you insert a sim with an "identity" then that phone gets permanently connected to that "identity" even if you take the sim out later. So if someone wants to avoid a phone being connected to them then they should never insert a sim that is in their name or paid for under their name "somehow".

So to clarify, being cell tracked is about the radio, not the sim.

Trena

User2288 regarding this, if I were to operate using only personal hotspot over WiFi, with aeroplane mode switched on, and the personal hotspot was from an iPhone with a SIM card registered in my name, would that matter? Would the pixel essentially remain anonymous (other things being equal)? It’s impossible to buy a SIM card without verification in my country.

Clap2Grom673

User2288

Yes, i know. I always have airplane mode on - except for when I have to use the cellular network at these few places :)

User2288

Trena
Yes the pixel would remain anonymous. But this is the same as connecting to any other wifi. Pixel is able to stay anonymous when connecting to a wifi. As long as you are ok with the apps on your pixel seeing that particular IP.

Your iphone would be tracked with your sim as normal. You iphone will see a device connected to it but can only see the random MAC. What part of your traffic it can see i can't speak to.

One caveat however here. I've heard about some wonkyness in regards to hotspots and pixel with graphene. I can't recall what the problem was. vpn getting bypassed maybe?

do look into that.

Trena

User2288 thanks. I’ll take a look. Regarding vpn, I assume if I wanted to use a vpn I’ll need to use it on both devices? Again, all other things being equal and ignoring the potential pitfall you mentioned I should look into.

Clap2Grom673

Trena
User2288

As far as I know, a problem only appears when the pixel (or any other android phone - it's a by design android thing) PROVIDES the hotspot. Then the VPN gets bypassed.

That may not appear if the pixel uses the hotspot but to be totally secure @Trena you would have to research a bit or use - as you said - VPN on both devices.

User2288

Trena
Again, this is an iffy subject and I have no experience with it. I can't comment. Perhaps someone else can help

Carlos-Anso

Trena
As is standard in Android if a GrapheneOS device has an active VPN and is acting as a hotspot then any device connecting to it will not be routed via the VPN. They will need their own VPN setup.