Sandboxed google play + location

flighty_sloth

*GPS = Google Play services
If I have "Reroute location requests to the OS" enabled and "Google Location Accuracy" disabled, and location permission on GPS disabled, is google still able to get my location while location is active? Is there any circumstance in which GPS could get my location without explicitly having location permission?

RRZishe

flighty_sloth maybe through IPC

GrapheneOS

flighty_sloth Only apps with the Location permission can obtain location data. The Google Location Accuracy toggle is irrelevant to this. The rerouting toggle is irrelevant to this.

RRZishe flighty_sloth Sandboxed Google Play are regular apps and cannot do more than regular apps, If you believe that there's a difference in how granting Location works with it or another app such as another Google app, then you've misunderstand sandboxed Google Play. There is nothing special to take into account for this. Communication with mutual consent between apps in the same profile is in no way specific to sandboxed Google Play. Sandboxed Google Play are regular apps.

flighty_sloth

RRZishe As in, if I grant another Google app location?

Tryptamine

flighty_sloth I have tested this quite a bit, with Google Location Services ON, so I can tell what Google gets ahold of. I can tell you with high confidence that using Google Maps with locations requests rerouted to the OS is an effective way to block what makes its way to your location history!

I used Google Maps quite a bit for a whole month with Location History ON and had absolutely 0 data saved in said location history. GPS and Google Services Framework didn't have location on, or nearby devices and scanning was disabled. I don't know if having those enabled would allow for GPS to get location history from scanning, I only tested GPS use.

After a while I disabled Reroute located requests and gave GPS location permission, and instantly it showed up on location history! I turned it off at that point and deleted the data. Felt better that I did it in a public place as well, though I do have to think that the paranoia over Google never actually deleting your data might be a bit overblown... Nevertheless I still follow best practices just in case...

One thing I did not test was navigation mode in Google Maps! I don't own a car currently, so haven't had the chance... I do remember hitting it by accident and seeing the disclaimer that seems like it pops up on first use saying it WILL use your location and speed for it's traffic data. Whether that makes its way onto your location history, gets paired with your Google account, profile, (if there even is a personal profile on "you" separate from a Google account I doubt, would be kinda pointless for their use as an ad company) or if GPS has Nearby Devices permission if it tries to connect to the vehicle's built-in telemetry system for better tracking, I have no idea. I doubt anyone outside of higher ups and some engineers at Google even know the answers to that question!

I do really think that the whole "inter-app communication sending heaps of data to Google" thing is a bit overblown... I don't think (but u haven't found proof either way yet) that IPC wasn't designed to bypass network blockage for just one app, so that app will use IPC to reroute that pending and blocked info to another app that has network access! In the stock OS, you would loose network in poor signal areas or when Airplane Mode was on. Apps are designed to buffer their data to send when connectivity resumes. THAT I do know.

In the stock OS, you cannot block network for apps one by one! Why would apps be designed for that scenario? Just in case they made their was to GrapheneOS, a system with a paltry 200k users, vs the well over 1-2 billion Android users? I doubt it!

Also almost all the tracing services, providers, and receivers I've seen, are about app measurement... That's about it, just analytics on how apps are used.

de0u

Tryptamine I do really think that the whole "inter-app communication sending heaps of data to Google" thing is a bit overblown...

The issue is technically valid. See this recent thread: https://discuss.grapheneos.org/d/12341-play-store-downloading-extension-for-app-doesnt-require-network-expected

The remaining question is whether Google would add a data exfiltration route via Play Services. It seems that some people feel this is a big risk despite a current lack of evidence and plausible reputational and regulatory risks to Google. And there is a gray area, where Google might consolidate telemetry for multiple apps into Play Services purely for convenience reasons.

I think maybe part of the problem is that many people seek to use Google's software in ways that Google does not wish to support. This may well work out sometimes, but at the end of the day Google spends lots of money developing their apps, and collecting data (e.g., map data) to make the apps work, and running the server farms that back the apps -- and they pay for that largely with targeted advertising revenue.

People who do not wish to be targeted in that way might be better off using software backed by a different funding approach. I think Magic Earth is non-Google payware, and there are open-source apps for many purposes.

Tryptamine One thing I did not test was navigation mode in Google Maps! I don't own a car currently, so haven't had the chance... I do remember hitting it by accident and seeing the disclaimer that seems like it pops up on first use saying it WILL use your location and speed for it's traffic data.

Indeed.

GrapheneOS

de0u There is nothing special about sandboxed Google Play in regards to app communication. People have severe misconceptions about what it means to give data to an app, grant a permission or grant other access. When you give something to software, it can do anything with it. This is not specific to sandboxed Google Play in any way.

Google is not doing collusion between apps to try to share permissions between them to bypass the app sandbox. Can apps do that? Of course, that's how software works. You grant something to them and they can decide how they do it.

RRZishe

I don't know what Google apps do or don't share with each other via IPC. But I do know that when I'm logged into a Google account in the play store and uninstall then reinstall Gboard, it remembers all my settings and preferred languages. So they have to be communicating at least a bit.

de0u

GrapheneOS People have severe misconceptions about what it means to give data to an app, grant a permission or grant other access. When you give something to software, it can do anything with it. This is not specific to sandboxed Google Play in any way.

Agreed. Constraining the flow of information is very hard. And an app that is successfully constrained can just refuse to function. Recently there are reports that some Google apps refuse to run without Play Services installed. If GrapheneOS were to implement IPC filtering, and such an app were filtered from communicating with Play Services, presumably that app would refuse to work, or would crash.

flighty_sloth

GrapheneOS I notice under "Google Location Accuracy" page it says if switched on Google may collect location data periodically. If I switch it on but don't grant location access to Google Play services, will I be getting more accurate location without sharing location data to Google?

GrapheneOS

If people are concerned about Google Play using collusion across apps to bypass the permission model, which it really doesn't do, that could happen between the Google Play libraries used by apps without involving sandboxed Google Play.

Chipper

It is good to know that if inter app commnication segregation is desired seperate accounts are the way to achieve this. Inter app communication permission seems missing from the aosp project to me, rather than being a issue specific to the known or unknown promiscuity of google apps.

Tryptamine

flighty_sloth
Google location accuracy has to do with WiFi and Bluetooth scanning to improve location accuracy. It also would need Nearby Devices permission for Google Play Services to work. According to the GrapheneOS Usage Guide section on Sandboxed Google Play,t would work correctly if GPS didn't have location permission...

Also, when Reroute location services to the OS is ON, the PSDS and GNSS (the assisted GPS toggles in Location Services) assist with getting location lock faster for GPS when the reroute toggle is on. Again according to the usage guide, it uses more power than Google location accuracy, but it doesn't send your device IMEI to the provider, which it does on the Stock OS! So it is very private compared with what you get on stock!

Probably9857

flighty_sloth I notice under "Google Location Accuracy" page it says if switched on Google may collect location data periodically. If I switch it on but don't grant location access to Google Play services, will I be getting more accurate location without sharing location data to Google?

Let me try this...I'm not sure @Tryptamine really answered the question.

It seems like Google Location Accuracy would have no effect with GOS default settings, because location requests are not routed to Google Play Services in the first place.

There would be no reason to turn Location Accuracy on unless you have flipped the setting to route location requests to Google Play Services. In that case, I think you would need to grant location permission to Google Play Services for it to work at all, and Nearby Devices if you want the improved accuracy.

So...I don't think there's any free lunch here. You want improved location accuracy from Google, you're going to be sharing location data with Google.

Tryptamine

Probably9857
Correct. According to the user's guide, and my personal experience backs this up, Google's location accuracy does have no effect unless Google Play Services has the location permission and the nearby devices permission. If other Google apps (tested with the Google app, and the Google Maps app) have the location permission, then it doesn't show up on Google's location history either, only if Google Play Services had the location permission! That's how it works for Android phones at least.

Google Location Accuracy also causes location to acquire a lock way faster if it is on and Google has the location and nearby devices permission and you turn ON WiFi and Bluetooth scanning as well! You are right, it has no effect unless Google Play Services has the location permission as well. The user guide clearly states this! It is a fantastic resource, I recommend every user of GrapheneOS read it through in it's entirety at least one.

Tryptamine

Missed the edit window...

I have been contributing as a Local Guide to Google Maps for over a decade, WAY before I knew about GrapheneOS, back when I was a jailbreaking iOS user (I jailbroke every iPhone ever had, form the iPhone 4 to 13 Pro Max) and way before I knew enough to care as deeply about my digital privacy and security like I do now. I still contribute, so I turn on location and nearby devices permission to Google Play Services sometimes when I'm away from my home and out so that Google Maps marks certain places I'm going to so I get prompts to review them and they attach to my account. I'm just incredibly selective of the place let it see me going to nowadays, and also selective about what I write down when reviewing in terms of personal information. I still do it though because I enjoy it!

That's why I have tested out so thoroughly when location is marked by Google on it's location history!

My view of GrapheneOS isn't to get rid of all the Google stuff, I see a lot of it as incredibly useful, I see GrapheneOS as a way to increase your privacy and security to acceptable levels (Stock Google and iOS don't do enough for privacy and security in my opinion) no matter how you use GrapheneOS. It is the only mobile operating system that gives you what I consider an acceptable level of privacy and security on your most private device with your most sensitive data! Basically, no matter how you choose to use GrapheneOS, it's a major win for your security and privacy.

IMO, Sandboxed Google Play is one of the "killer" features of GrapheneOS and not something to "get away from." It is the only sensible way to run with Google Play! It allows you to run a normally highly privileged system application, and gain massive benefits from it while minimizing just about all of it's usual drawbacks! If that isn't a killer feature, I don't know what is! I'm very proud to support GrapheneOS and quash misconceptions of it whenever I can, it deserves support.