  • Setup for installing apps from Play Store with a throwaway Google account?

I'm reading posts warning people not to use F-Droid or the Aurora Store and that installing apps from the Play Store is the most secure. Numerous comments say to use a throwaway account. How does that work exactly? Are you using multiple profiles to do this? What does each profile look like? How does this affect battery life?

Also, how exactly do you get a throwaway Google account? Last time I tried to create a new Google account, they required a valid non-voip phone number as well as a valid recovery email. And wouldn't the throwaway Google account be linked to your non-throwaway account somehow anyway?

How necessary is all this? (Using the Aurora store seems like it would be a lot simpler). Is this like a super high threat model thing or something all users should be doing?


    Sbpr Numerous comments say to use a throwaway account. How does that work exactly?

    You create an account and log in so you can use the sandboxed Play Store. If you already have an account that you want to use (maybe because you bought apps or have files saved on Google Drive), you can simply use that as long as you are okay with the privacy implications (Google seeing which apps you install and when, plus they see pretty much everything in their own apps). It's all about your threat model and what you want to achieve; many people here want to avoid Google, but still desire the most security. So it's normal that you get a lot of advice regarding throwaway accounts here. In the end you'll have to decide what's the right approach for you.

    What you could do is have your owner account exclusively for installing/updating apps through Play Store with a throwaway and then push the apps to user profiles. On the user profiles you can then decide whether to use Play Services, which Google account to log in to etc. But this is just one of many ideas. Battery usage is slightly higher when using multiple profiles, especially if you let them run in the background (which is a setting you can disable).

    Sbpr Also, how exactly do you get a throwaway Google account?

    There's no guaranteed way to do this, but generally it works like this:

    • Register an account in a context with as few red flags enabled as possible (VPN, script blockers etc.). That could be on unmodified Pixel OS and on a public network, but there are reports of successfully registering an account on GOS.
    • Once you've managed to get an account registered without needing a cell phone number, quickly activate 2FA in the account settings (e.g. using TOTP via Aegis) to reduce the likelihood of being asked for a phone number later on.
    • You could also get an anonymous eSIM for money and use that, as long as it's not connected to your identity (silent.link is a service that works for me).

    Sbpr How necessary is all this? (Using the Aurora store seems like it would be a lot simpler)

    That only depends on your threat model. If you are okay with Aurora Store and/or F-Droid via Droid-ify/NeoStore, you don't require a Google Account. Being on GOS will still allow you to have a much more secure setup than most Android phones that run privileged Play Services and delayed or old security patches.

      N1b Thank you so much for answering my questions so thoroughly!

      Your answer got me to come up with a few more questions:

      • What would be the minimum permissions needed for all the sandboxed services on the owner profile so I could use it exclusively for installing/updating apps?

      • Would you recommend installing all apps on the owner profile, or just the ones from the Play Store? I use a combination of Play Store, Obtainium, F-Droid Basic, and eventually Accrescent.

      • Is it possible to disable the owner profile from running in the background so I can save battery during the day? (I'd turn it on at night so it can install updates).
        ---
        If I use my main Google profile to install apps in the owner profile and then use the same profile in a separate user profile for other Google apps, am I accomplishing anything privacy wise?

      • I'd use 3 profiles:

        1. Owner for installing apps

        2. Main profile (no play services)

        3. Google profile (play services installed, logged into Google account, Google apps + Apps requiring play services) My plan was to turn off the Google user profile from running in the background.


        Sbpr What would be the minimum permissions needed for all the sandboxed services on the owner profile so I could use it exclusively for installing/updating apps?

        This is perfectly explained in the official guide, I recommend following it exactly.

        Sbpr Would you recommend installing all apps on the owner profile, or just the ones from the Play Store? I use a combination of Play Store, Obtainium, F-Droid Basic, and eventually Accrescent.

        As I understand it you want to use your owner profile exclusively for installing and updating apps. So yes all stores go in there so you don't need them on any user profile. This also avoids conflicts when trying to install or update different versions of the same app in a user profile.

        Sbpr Is it possible to disable the owner profile from running in the background so I can save battery during the day? (I'd turn it on at night so it can install updates).

        No, the owner profile must be unlocked first after reboot and keep running in the background. It will manage fundamental system tasks and is part of the Android security model. Don't worry too much about battery usage, it's minimal.

        Sbpr If I use my main Google profile to install apps in the owner profile and then use the same profile in a separate user profile for other Google apps, am I accomplishing anything privacy wise?

        Depending on your app setup yes, a bit. Apps can only see and share data with apps in the same user profile. You also gain some security benefits this way, e.g. in case of device theft or over the shoulder attacks. That's at least how I understand it.

        Your setup looks good to me, try it and see how well it works for you. You can always delete the user profiles if you want to go back to owner only.

        Sbpr Last time I tried to create a new Google account, they required a valid non-voip phone number as well as a valid recovery email.

        Try following these steps: https://discuss.grapheneos.org/d/3366-how-to-create-google-account-anonymous/66
        I have created many Google accounts this way without being required to provide a phone number. I'm always asked for a number, but I can press the Skip button in the lower-left corner to avoid it.
        I've seen people report that they'd have to use the stock OS to do this, but I've never had to do that.

          • [deleted]


          Maybe GOS should offer sandbox the Aurora store like they do with Play store.
          https://www.auroraoss.com/ has a tracker app called app warden.

            [deleted] Maybe GOS should offer sandbox the Aurora store like they do with Play store.

            Aurora store is simply a front end for the Play store. It's quite problematic. The reasons are explained in my previous comment links.

            GrapheneOS is focused on substance rather than branding and marketing. It doesn't take the typical approach of piling on a bunch of insecure features depending on the adversaries not knowing about them and regressing actual privacy/security. It's a very technical project building privacy and security into the OS rather than including assorted unhelpful frills or bundling subjective third party apps choices.

            See https://grapheneos.org/features

            [deleted] https://www.auroraoss.com/ has a tracker app called app warden

            Warden hasn't been updated in 3 years and unsure in what context you're referencing its relevancy here?

              • [deleted]


              akc3n

              Thanks for them insights, in past years I've not had any problems with Aurora, so I'll stick with it.

              As for Warden, I've been looking for an app, besides DuckDuckGo, to block trackers; looks like I'll have to revert from Vanadium.

              fid02 Thanks to your helpful instructions, I was finally able to create a throwaway G account without tying it to my phone number. Thank you!

              I immediately switched the G account of Play Store from my previous throwaway account (account A) that was tied to my phone number to the new throwaway account that is NOT tied to my phone number (account B), then deleted account A.

              But now the issue is that when I go to the Play Store, click the account icon on the top right, click Manage apps & devices, I get the message "Something went wrong. Try again." under the Updates section.

              When I click Free up space, none of the apps I previously installed using account A show up, and the list of Apps installed using the Play Store is blank. I assume this is because the metadata of the apps I previously downloaded using account A is tied to the now-deleted account A, which is why nothing is showing up as installed under account B.

              The biggest advantage of using sandboxed Play Store for app installs is seamless app downloads and updates, but it seems like I'm no longer able to do this with this fragmentation of G accounts between the app's associated account A and the Play Store's account B.

              I searched various resources (link1, link2, link3), and the possible solutions seem to be:

              1. Clear cache & storage of Play Store and relaunch
              2. Uninstall app installed using previous account, login to Play Store with the new account, re-download same app with new account

              I tried approach 1, but that didn't work, even after a device restart. I also tried downloading a random app (tried with AccuWeather) with account B, and while that resolves the "Something went wrong. Try again." error of the Updates section, only AccuWeather shows up on the list of installed apps, so I assume I won't get updates for my other apps already downloaded with account A.

              Based on my experiment with AccuWeather, I assume approach 2 would work, but that means I have to go through the process of re-installing and re-configuring every app installed from the Play Store, so I would like to leave this as an absolute last resort if nothing else works.

              Does anyone have any advice on how to resolve this without needing to re-install every app using the new account?

                Vagabond8630 Self-update regarding this issue: I found one way to fix this issue that doesn't necessitate uninstalling & re-installing all apps using account B.

                I can manually search for an app while logged into account B, and if the app has an update, Play Store will re-assign the associated Google account for the installed app.

                Afterwards, I can see the re-assigned app in the Apps list under the Free up space menu, and any available updates for the re-assigned apps will show up under the updates section inside the Manage apps & device menu.

                It's still tedious to search through your app list and hope that the app has an update to fix this misalignment, but I suppose it's better than uninstalling & re-installing & re-configuring each app.


                [deleted] Do NOT download Aurora Store from that site!
                It is certainly a very shady site. The download links on that site redirect you to very shady domains. It is certainly not safe to use that site as a source for Aurora Store. That FAQ is just copied from the official website anyway...
                Here is the official site for Aurora Store: https://gitlab.com/AuroraOSS/AuroraStore

                  • [deleted]


                  fid02
                  Where did you get
                  "Do NOT download Aurora Store from that site!"
                  It does not appear in the link and web search did not find it!
                  How do you know it's shady!

                  Version 4.4.4 (58) suggested Added on Apr 27, 2024
                  This version requires Android 5.0 or newer.
                  It is built and signed by F-Droid, and guaranteed to correspond to this source tarball.

                  Are you saying not to trust F-Droid as well?

                    [deleted] What on earth are you talking about? I have never mentioned "F-Droid".

                      • [deleted]

                      fid02

                      [deleted] Aurora is built and signed by F-Droid, and guaranteed to correspond to this source tarball.

                      So if Aurora isn't safe in your opinion, the inference is that F-Droid also isn't safe, as they endorse Aurora.

                        [deleted] What? I was referring to the specific URL from the post that I quoted, which is not the official Aurora Store site. You seem to be conflating me with someone else.

                        N1b Hi, so I finally managed to create a Google account without it asking for a phone number (tried a combination of VPN and public wifi dozens of times over multiple days until it randomly worked). I quickly assigned a TOTP for the account. However, in order to actually turn on 2FA so I can use the TOTP, it's now requiring I first give them a valid phone number. It seems it wants to first activate 2FA through text message before it will allow me to use my authenticator app for 2FA.