Well, I finally did it. Over a few years contemplating whether or not I should install Google Play in my main profile has come to a conclusion. I installed Play in my main profile and deleted the secondary user I used for Google Play. I disabled multiple users and now only use the main profile for everything. It took me a lot of time and courage to do it, but now I feel great about it. It's nice knowing Google Play services has no elevated privileges and is fully contained in its own sandbox. My Pixel 8 no longer feels constrained nor handicapped for my needs. I can now use some apps that make life a bit more enjoyable, such as Audible and Libby. I feel like I now have the best of both privacy and usability. I urge everyone to try it out!
Google Play in main profile 😱
I wouldn't have switched to GrapheneOS if it were not for Sandboxed Google Play. They have clearly done a lot of hard work on it.
I don't know whether this is for everybody - everyone has probably their own individual reasons and necessities for deciding against Google and/or in favor of separation through profiles.
However, there are probably some here who maybe have a security and privacy setup much more than their actual threat model requires and for whom it might do good to shift down a gear (privacy fatigue is also a threat) - so thank you for sharing your experience - less is perhaps sometimes more.
And as fid02 stated: Sandeboxed Google Play rocks 🤘
I don't have a strong reason to install it, but I would prefer it to be sandboxed rather than privileged. If my options were between GrapheneOS with sandboxed Google Play and stock OS, I would pick GrapheneOS every day.
Murcielago (privacy fatigue is also a threat)
I agree.
Murcielago Privacy fatigue is real. I almost bought an iPhone just before installing Google Play. A lot of people will drive themselves insane sacrificing usability for privacy. After a while there will be an app or a function you absolutely want/need to use requiring the Play store/services and switching between profiles is just too cumbersome. Having to unlock the Molly database after switching back to the main each time, and not having access to Molly in the secondary user. It all gets to you eventually. I may soon replace the pixel with an iphone despite the privacy concerns. Usability is nice. Face unlock in the dark and Lockdown mode are nice.
- Edited
I had reduced the number of profiles for a while due to an annoying fingerprint bug. Since the great workaround I've finally put some apps that I consider invasive (e.g. Google Maps) back into a separate profile - switching profiles is super smooth again.
For me personally, I don't see any usability advantage that iPhones would offer me - precisely not one for which I would want to sacrifice all the awesome security and privacy features a Pixel with GrapheneOS running on it offers (especially because you can easily regain nearly all the usability oft a non-customOS if you want - thanks to the one profile setup running sandboxed Google Play you mentioned above).
But that's finally a decision everyone has to make for themselves.
p338k I think it's quite ironic that alot of us don't trust the official Signal app even though we hail it as the most ideal app for private communications. As for my possible eventual switch to iPhone, I'm fully aware of the loss of privacy control and I'm okay with it. I'll just use the official Signal app if I ever do switch over. Limiting your life to achieve perfect privacy will drive you mad. I'm just an average piece of shit guy with average data. I'm nothing special. I bet all our browsing habits combined are just plain average. Pair paranoia with OCD and you get the endless quest for perfect privacy and madness.
Murcielago How many user profiles did you have before? If I ever do switch to iPhone, I'm still going to buy Pixels every now and then just for GrapheneOS because it's cool as hell to install a custom OS to your phone and be able to configure things that are not configurable on stock OS's. It's just too cool to not have around, but as for daily usability for a busy person, it's not quite there.
I don't think people choose Molly over the official Signal client due to distrust.
F0SSIL I feel like I now have the best of both privacy and usability. I urge everyone to try it out!
This is why I ask about what you are missing from GrapheneOS with Google Play. Is in NFC payments or something else?
- Edited
F0SSIL Privacy fatigue is real.
Yep.
When I migrated to GrapheneOS, the first few days I tried....
But honestly, sandboxed google play (and the rest) got installed almost instantly.
My threat model is
Keep it simple
security/usability/privacy.
So while I'm using my phone for 99% of what I do online I don't want to give away as much data about myself as I did back then, what has been solved by using GrapheneOS.
But I don't have the nerves / time to f.ck around too much, maby it's the age of over 40? Dunno...
Backing up my stuff manually over Cryptomator, and not having autocorrect in German on my keyboard, is about as far as I want to go.
FlipSid You nailed it. Your threat model is my new threat model. I'm a lot happier now not having to switch profiles just to use Audible. I love listening to audiobooks. It was worth sacrificing some privacy for the convenience of my audiobook listening. I'm happier and less stressed out as a result of it.
F0SSIL Just to briefly butt in to say that NFC/contactless payments work fine on GrapheneOS. Google Pay just restricts itself to only working on certified OSes. That might not make a material difference to you, and it might be something you already know, but for people reading who might have other options, I want to stress that GrapheneOS isn't missing functionality in this regard.
@F0SSIL I've removed your latest post as I don't want it to lead to any drama. Additionally, it's not quite correct.
I believe that GrapheneOS has wanted Google Play compatibility, but as with everything else implemented into the project, it had to be done right, rather than using whatever was available at the time, despite its issues.
I agree with FOSSIL, I stopped using secondary profiles to go back to my starting configuration, everything in the main profile, the simplest use is actually the best choice for most people, I definitely don't recommend secondary profiles unless you clearly have a reason to use them and if using the main profile instead can cause an unexpected result, for my part, I had no real reason to do so.
Regarding profiles, and whether one should use them, my advice over time has been that unless you know why you're using them, you probably shouldn't be, especially if you're just starting with GrapheneOS.
A lot of people get the idea to GrapheneOS is more daunting or harder to use because of the way they approach it, not because it actually is. People start using GrapheneOS and start doing complex things like setting up 5 user profiles, or trying to replace all of the apps they were using previously with completely new ones, etc.
My advice to people starting out is to simply use GrapheneOS as they have been using their other devices. The benefit is already immense. If you find yourself having a reason to go beyond that, feel free to do so, but give yourself time to make conscious decisions instead of burning yourself out doing things with unclear benefits which lead to you thinking that GrapheneOS is complex to use.
This is an interesting topic. I've struggled a bit with separate profiles because they are not as convenient as having a single profile. I ultimately ended up using Shelter in my owner profile. Within Shelter, I've installed Google Play Services and have a handful of apps that either need it, or are privacy invasive, and I don't want them to have IPC with apps in my "main" profile. This has been working flawlessly. For apps that need to provide notifications, I let them run in the background. I freeze all other apps so they're effectively disabled until I need them. As soon as the app is dismissed or I lock my screen, the app(s) is(are) frozen automatically.
I'll also say the line for the "average piece of shit guy with average data" moves closer and closer to the "center" everyday in the USA. Average piece of shit guy today becomes public enemy #1 tomorrow. My 2¢.
- Edited
I ike to play around and try out different things. Due to the mentioned fingerprint bug, I previously only had the owner profile and a user profile for banking.
My current setup is:
- owner profile (sandboxed Google Play)
- invasive apps (social media, Google Maps, if I get stuck with Organic Maps)
- banking
Works great, 95% of the time I am in the owner profile - so I don't have to push everything into a profile, but as I said, I also support the keep it simple approach.
What I'm still thinking about:
Set up Owner Profile completely without Google Play (I only need it for three apps, I could also move these to the invasive profile) - but have to figure out if unlocking via fingerprint remains stable.
In the beginning I had a Pixel 4a and I used a different user profile for each individual app I didn't trust. Why? I guess I thought I was someone so important to warrant that level of safety, but I'm not. Whenever I browse through posts on reddit and see recommendations about privacy software to use, I get a hearty chuckle when people say they use Qubes. Using Qubes is a great way to burn yourself out. I've tried using Qubes and got burnt quick. It's like having a separate refridgerator for every item of food. I feel the same with user profiles. I have a phone to help me live my life and I don't live my life for my phone.