• General · Solved
  • Can sandboxed Google Play Services collect data from Gboard?

In this case, there seems to be no point in using sandboxed Play Services. If an application does not have special network access for GrapheneOS users, can it perform a lot of communication through Play Services? Could microG make more sense for complete privacy? As far as I know, there is no unnecessary API for advertising communication etc. in microG? I'm not sure; if I decide to use microG, will there be any benefit in this regard? Or not using sandboxed Play Services while on the main profile?

After reading this article, I was a little depressed; I felt like I had left stock firmware for nothing.

If there is no way to prevent this, I am thinking of switching to the stock ROM; there seems to be no need to bother. :/

p338k

    kullanici32

    GrapheneOS is more secure than stock OS with its significant memory hardening.

    The application sandbox won't prevent Google from sending data from one of its applications to another, but it will prevent Google from collecting data from applications that don't give data to Google.

    kullanici32 I don't think IPC is designed to bypass network restrictions and transfer data. And if you are worried about it so much, you should not use Google Play Services at all or remove its network access, because many apps other than the Google apps include Google's code, or the app developers can choose to make the app communicate with Play Services.
    There is no clear information about this IPC and what data is being shared; there may be a small amount of metadata shared, but it is very unlikely that it will share what photo you took, what you type, etc.
    And finally, if you don't use a Gmail account, even if they collect it they can't link it to your real identity.
    I personally don't use any Google app other than the Pixel Camera app; I may consider other Google apps after the App Communication Scopes implementation.

    kullanici32 That just doesn't make sense. You seem to think only Play Services can communicate with mutual consent, but this is something that all apps in the same profile can do (with mutual consent).

    Google Play Services are sandboxed the same way as all other apps. Singling them out without thinking that other apps (which contain Google libraries) could do the same doesn't make sense.

    Our community explaining how things can technically work and what's possible doesn't mean this happens in practice, that it's a significant issue, or that even if you're really worked up about it, you can't work around it, including by using a separate user profile for sandboxed Google Play and some apps.

    Also, GrapheneOS is working on App Communication Scopes to prevent this kind of communication even in the same profile.

    Going to stock where Google Play has privileged access to your device is shooting yourself in the foot if you're worried about a theoretical.

      matchboxbananasynergy Now I understand it clearly; I didn't think of this situation like that (I thought of data communication as if it was a situation specific to Play Services, but even WhatsApp and Gboard can exchange data with mutual consent). Normally there is nothing special in my threat model; even if they monitor all my usage it would be no problem. If I have the power not to give away my personal data I would prefer to do that, but if I cannot achieve this using GOS, it made sense to at least use the phone without suffering, like a normal user (stock software), but it was a bit... When I think about it, I can run Google services through a different profile, maybe a work profile; this makes sense. Thank you for the explanatory answers.

        • [deleted]

        kullanici32 Just food for thought. Despite all previously said, and although I do not have proof, do not make the mistake of not thinking that ALL Google apps were not pre-designed to communicate with each other and especially with Google Play Services, which won't work without network access and predominantly if not exclusively communicates with Google or affiliate infrastructure. Always assume zero trust.

          [deleted] Currently I only use the Google versions of Gcam, Gboard, Photos (for Gcam preview) and Contacts (for setting personalized ringtones); unfortunately there are no alternatives. If I use them without Play Services, there will be no problem, because none of them will have network permissions.

            • [deleted]

            kullanici32 Hint: this is for all those who use G.P.S.

            [deleted] Although I do not have proof, do not make the mistake of not thinking that ALL Google apps were not pre-designed to communicate with each other and especially with Google Play Services [...]

            The forum moderators have expressed a distaste for unfounded claims. It is one thing to point out that something is technically possible, as opposed to suggesting, without evidence, that people should "think" certain things are true.

              It is reasonable to assume the Google apps are designed to communicate with Google Play Services for the purpose of offloading certain common functions. It may allow significant code reuse depending on the implementation. I suspect that Google might use Google Play Services as a central application for sending metadata, since that would be a reasonable design pattern, but that is merely speculation. I have no specific evidence.

              It is technically possible for all Google apps to be designed to use IPC to bypass network restrictions, but it is a highly niche case. Using other apps to send metadata for all other apps in the case where GPS lacks network permission (a non-standard feature) is possible but is an unusual design. I would need evidence before having confidence that Google follows that sort of design.

              • [deleted]

              de0u Unless the opposite scenario can be confirmed by complete reverse engineering of said software, which goes through frequent updates, isn't it prudent to be careful and assume that such things happen rather than be sorry later?

                [deleted] The really powerful way to stop Google from seeing one's photos is to not use Google Camera. The really powerful way to stop Google from seeing one's contacts is to not use Google's dialer. The really powerful way to stop Google from seeing what one types is to not use Gboard. The really powerful way to stop Google from knowing one's whereabouts is to not use Google Maps for navigation.

                Various people suggest various tricks and rituals by which they hope it is possible to share data with Google apps while ensuring Google doesn't get their data.

                But on the one hand those suggestions often overlook that many of these applications inherently contain code to buffer data during brief network outages, so turning network access on and off is unlikely to thwart those apps from sneakily sharing data if -- hypothetically -- they contain code to do that.

                And on the other hand some Google apps refuse to run without network access, without a Google login, without IPC access to various parts of Google Play, etc.

                Do the tips and tricks and rituals work? Would IPC filtering stop undesired assumed-but-never-demonstrated sneaky leaking via IPC while leaving the apps usable?

                The really powerful way to avoid Google misusing one's data is to not process the data with Google's apps.

                  • [deleted]

                  de0u I do not disagree and it is an approach that I have taken and defended for a long while and I am more certain of as the time goes by.

                    [deleted] I do not disagree and it is an approach that I have taken and defended for a long while and I am more certain of as the time goes by.

                    If one has decided not to share data with the apps, then it is not clear there is a need to assume without proof that the apps collude with Play Services in certain sneaky ways.

                    Meanwhile, there are marketplace-reputation reasons and lawsuit/regulatory reasons why Google apps might well not harvest keystrokes (etc.). Sneaky phoning home via IPC to Play seems like a reputational risk and a regulatory risk.

                    All in all, while it is technically possible for Google apps to "phone home" via Play:

                    1. So far there is no evidence,
                    2. There are plausible reasons why it might well not be happening,
                    3. The problem is nonexistent if one just uses other apps.

                    Overall I do not think this particular class of suspicion is productive or prudent. People are free to suspect whatever they wish. But as long as there is no evidence I think the forum moderators are reasonable to classify these suspicions as unfounded, and to react negatively to the notion that it is only prudent to suspect that Play is a sneaky phone-home system.

                      • [deleted]

                      de0u This is all well and nice, but the fact that no evidence has been brought forward to date to support this alleged unwanted behaviour (whether it exists or not) doesn't mean that such evidence doesn't exist. A number of people are involved in direct development of this software, yet there have been no leaks of source code, which could mean that they honour their contractual restrictions or plainly fear for their lives if any such leak occurs. I will go ahead and distrust what I deem should not be trusted, and I have full right to my opinion. I am not here to convince anybody to follow my belief, just to bring a reasonable doubt. As an analogy, whole governments have been run for centuries on religious beliefs that cannot be scientifically proven, and it is not at all questioned. Or we follow an officially recommended low-fat, low-cholesterol diet that is making whole populations metabolically ill. Think about it. I am not going to pursue this subject further; I have made up my mind already.

                        kullanici32 microG, however, requires signature spoofing. Allowing any app to spoof the signature of another app is a major security risk; signatures are what the operating system uses to ensure apps and updates haven't been tampered with or infected with malware. I'm sure with that everyone can see why that mechanism wouldn't be allowed on GrapheneOS!

                        [Removed reply to removed comment]

                        If you are offline it will buffer and send when you are back online. These apps were designed for an Android operating system where network access cannot be blocked. Why would they pass on all their data to another app when that app has network access and this app has it blocked?

                        Also, for Maps, I have tested the following extensively:

                        1. Have "reroute location requests to the OS" on in Sandboxed Google Play Settings in Apps (the default).

                        2. Sign into a Google account with Location History on. Location on for Google Maps, use Maps for a few hours.

                        3. Check Maps Timeline, or your location data at activity.google.com. You will have none of it show. Turn off "reroute location requests to the OS" and grant Play Services location, and you instantly show up!

                        So... Maps doesn't report location to Google while using it on an Android. If "Web and Apps Activity" is on, your searches in Maps will be saved by Google and I'm sure will be used to build a profile on you. So you don't want that happening? Turn off Web and Apps Activity! That same setting is also so they don't save your data from any of their apps, which is what this whole conversation is about...

                        Turn off Location History as well while you're at it if you don't want them tracking your location. This topic comes up often, and I never see suggestions to turn off the privacy controls built into Google. They work, and they better, for Google's sake! They need to make sure they work; they can't be getting YouTube ads for your searches after turning these off. Google would be called out for it within half a day in the public press that their privacy controls aren't being respected! They won't be willing to suffer that kind of reputational damage.

                          [deleted]

                          • The fact that no evidence has been brought forward to date that "de0u" isn't an LLM chatbot written by an industrialist cabal to lull people into a false sense of security about big tech products doesn't mean that such evidence doesn't exist. A number of people are involved in direct development of chatbot software, yet there have been no leaks of OpenAI source code, which could mean that the developers honor their contractual restrictions or plainly fear for their lives if any such leak occurs.

                          The problem with that line of argument is that it proves anything equally well (thus, not at all well).

                          • The fact that evidence hasn't been brought forward to date that Queen Elizabeth II was an invisible trans-dimensional lizard/human hybrid directing the global illegal drug trade doesn't mean that such evidence doesn't exist. A number of people are involved in the global illegal drug trade ... fear for their lives ... etc.

                          Historically a great way to rank hypothetical possibilities is to see which ones are supported by evidence. With respect to covert malware, there are outfits such as Citizen Lab that specialize in examining evidence of covert malware and reporting when they find evidence of covert malware.

                            de0u Exactly. It is much more likely that the absence of evidence is evidence of absence.