I currently have Play Services and Store installed for notifications. I have not signed into a google account and get all my apps through Aurora or F-Droid stores.
If Play Store can already see all of the apps I have installed regardless of the source, I am not gaining any extra privacy by using Aurora store. I could just use the GOS recommended approach of using a throwaway google account and get all of my non-F-Droid apps from the Play Store. Is this the logic behind the recommendation?
AttemptUndertook you just answered your own question. I don't use Google Play in order to get just that extra bit of privacy.
Apps can see other apps in the same profile. It's not any different with Google Play, as they're in the same sandbox as all other apps.
[deleted] I don't use Google Play in order to get just that extra bit of privacy.
Technically Google could fingerprint you based on your throwaway account, but even if you don't sign into an account, I am assuming they have other device level identifiers that they could use to fingerprint you. Is that accurate?
If that is true, for folks like myself that use Play Service and Store for notification purposes (which I would think is a large user base) there is absolutely no advantage to using Aurora store.
AttemptUndertook I am assuming they have other device level identifiers that they could use to fingerprint you. Is that accurate?
Regular apps don't have access to device identifiers. https://grapheneos.org/faq#hardware-identifiers
Don't think of Google Play on GrapheneOS as different in any way. Everything that applies to regular apps applies to it too.
matchboxbananasynergy I heard this over and over. You can't see past the proprietary code, can you? Assume zero trust.
[deleted] That's not how it works, what code is behind it doesn't matter. The sandbox is forced onto apps, whether they like it or not. They have no say in that matter. The play store on GrapheneOS is just another ordinary app so the exact same restrictions are imposed onto it.
[deleted] Aside from the fact that you think closed source code cannot be inspected, which is false, it simply doesn't matter for what I'm trying to explain.
Regardless of the app's source model, it's still constrained by the same rules. The sandbox is open source, what apps are and are not allowed to do is open source, it's known, it's not an unknown thing.
You can use whatever you want, but let's please try to maintain accuracy when discussing these topics that are so often subject to misinformation.
edit: just noticed a fellow mod had already replied.
Thank you both for your time spent, I will try to process information given with my limited capabilities.
I have been a regular user of Aurora Store in the past, but hearing GrapheneOS' arguments for its insecurity, and knowing the fact that the Play Store on GrapheneOS is forced to run in the regular app sandbox, I struggle to see even the minor privacy benefits of using Aurora Store rather than Play Store. You do not need to give out your phone number and residential IP address in order to create an account.
If the aim of exclusively using Aurora Store instead of Play Store is to 'degoogle', i.e. to avoid Google apps and services as much as possible, then I personally believe that using Aurora also goes against such aim: consider that Aurora downloads directly from the Play Store, which is run by the company that one's trying to avoid. It makes more sense to get apps directly from the app developers, using something like Obtainium, and alternative app stores such as Accrescent, if the aim is to remove Google from one's life.
Thank you for that explanation. Can the Play Store see my IP address?
The only thing that I can think of (with my limited technical knowledge) is that if I use a throwaway account with the Play Store on GOS and I log into my personal Google account on another device on the same network, Google might be able to connect the two based on both logins coming from the same IP. I am assuming they won't be able to tell for sure that it is the same person, but perhaps they know that both logins came from the same house hold. Is this a valid concern?
AttemptUndertook Can the Play Store see my IP address?
It must be able to see you IP address as part of network traffic. You would need something like TOR or a VPN to prevent that.
