Privacy with Sandboxed Google Play Services and non-Google apps?

Sorry for the noob questions. I'm still trying to understand everything.

If I understand this correctly, due to Android's Interprocess Communications, it should be assumed that installed Google apps will be able to communicate with each other. So for example, even disallowing network access to one Google app might not accomplish anything if you have other Google apps installed on that profile that have network access, including sandboxed google play services? This is something GOS is trying to address with its planned App Communication Scopes feature?

But currently, when I'm using non-Google apps, what privacy am I sacrificing when installing them on a profile with google play services?

I keep reading that play services is sandboxed just like any other app. Ok...but play services can clearly access some things about my apps when all I've done is grant it network access. For example, some apps won't run at all unless you have Play Services installed. But once I install sandboxed play services, the app starts working. What information about that non-Google app is being sent back to Google? Similarly, when play services handles notifications, can Google read my notification content? What metadata are they receiving about my app usage, notifications, etc?

The other way around, what information do non-Google apps see about my Google services? If I log into a Google app while using sandboxed play services, can third-party apps now identify me through my Google account?

If this is all protected, what's the threat model use case for running third-party apps, like Signal, only on a profile without play services, as I see many people doing? How does using sandboxed play services go against that?

    Sbpr

    I've researched the same question several times and I don't think anyone has a super clear answer in terms of what privacy you ARE sacrificing, but rather can answer what privacy you COULD be sacrificing.

    The super straightforward answer AFAIK is that through IPC, anything can be transmitted back to google. It just depends on what your app decides to share with google, if anything.

    So you would need to research on an app by app basis what that app chooses to share with google (play services) via IPC. That information may or may not be easy to access, depending on if the app is open source and/or if you are capable of understanding code (I am not).

    Sbpr Based on your questions it looks like there's some confusion about how sandboxed Google Play works.

    Google apps on GrapheneOS don't have any special privileges. Any data they get was shared with them voluntarily. Google apps cannot force another app to share data. That's just not how it works.

    Google Play isn't even necessary in some cases. Apps can add Google libraries and those libraries can have fallback code that works without Google Play installed. Also, keep in mind that Google isn't the only company that attempts to collect and use data for whatever reason.

    It's easy to see Google as the "bad guy," but some apps use Google services and they get a little useful data when they do so. If you look at the big picture rather than just focus on apps interacting with Google Play, you'd see that on GrapheneOS Google Play has access to far, far less data than it does on OSes where their apps are privileged.

    As for notifications, it all depends on how they're set up. They can have sensitive data in plaintext, they can be encrypted, or they can be empty. Signal's notifications, for example, are basically empty. The FCM message wakes Signal up, Signal pulls the real data from Signal servers, then displays the notification.
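To make the notification point concrete, here is a small constructed model (added here, not code from the thread, Signal or GrapheneOS) of a push relay standing in for FCM. It compares an app that puts the message body into the push payload with a Signal-style app whose push carries only an id and which pulls the real body from its own server; the `PushRelay`, `AppServer` and app classes are all assumptions made for the illustration.

```python
"""Toy model of how much a push relay (FCM in the thread) can see, depending
on how an app builds its notifications. Constructed example; the relay,
server and app classes are assumptions, not any real project's code."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class PushRelay:
    """Stands in for FCM: it forwards payloads and, being the relay, sees each one."""
    observed: list = field(default_factory=list)

    def deliver(self, app, payload: dict) -> None:
        self.observed.append(dict(payload))  # anything routed through the relay is visible to it
        app.on_push(payload)


class AppServer:
    """The app vendor's own server, reached by the app over its own channel, not the relay."""
    def __init__(self) -> None:
        self.inbox: dict = {}

    def fetch(self, msg_id: str) -> str:
        return self.inbox[msg_id]


class PlaintextApp:
    """Puts the notification text straight into the push payload."""
    def __init__(self) -> None:
        self.shown: list = []

    def on_push(self, payload: dict) -> None:
        self.shown.append(payload["body"])


class WakeOnlyApp:
    """Signal-style: the push only wakes the app; the body is pulled from the app server."""
    def __init__(self, server: AppServer) -> None:
        self.server, self.shown = server, []

    def on_push(self, payload: dict) -> None:
        self.shown.append(self.server.fetch(payload["id"]))


def run(app_kind: str, body: str = "meet at 7pm") -> tuple[list, list]:
    """Return (what the relay observed, what the user saw) for one notification."""
    relay, server = PushRelay(), AppServer()
    if app_kind == "plaintext":
        app = PlaintextApp()
        relay.deliver(app, {"body": body})
    else:
        app = WakeOnlyApp(server)
        server.inbox["m1"] = body          # body lives on the vendor's server only
        relay.deliver(app, {"id": "m1"})   # the relay sees just an opaque id
    return relay.observed, app.shown
```

In both cases the user sees the same notification; only the wake-only design keeps the body out of the relay's view.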

      other8026

      But I think the reason many grapheneos users utilize a separate profile in which they install google play services and any apps they would like to utilize GPS is because ultimately we do not know exactly what is shared with google when google play services is installed.

      If you are OK with that level of uncertainty (which is probably OK), you can keep GPS installed in a main profile or in one with your 'sensitive' data/apps.

But ultimately, many people are not comfortable with that uncertainty. Additionally, I think the fact that the graphene devs themselves are working on a scoping feature for inter-app communication pretty much proves that this communication is a valid threat vector; otherwise they probably would have focused their precious limited resources on other upgrades.

        treenutz68 one of my points is that Google Play doesn't even need to be installed. Some Google libraries have fallback code. For people to think that they're only at risk of Google getting data when Google Play is installed isn't accurate. Also that Google isn't the only company that tries to collect and use data.

        treenutz68 ultimately we do not know exactly what is shared with google when google play services is installed.

        Apps cannot share data they don't have access to. So, if an app doesn't have access to anything, then it can't share anything with Google Play except for data collected in-app. We might not know what is shared, but if permissions are restricted, we know what can be shared, which isn't all that much.

        I'd like to think I approach/talk about this topic in a reasonable and level-headed way, but app communication scopes is still my most anticipated upcoming feature.

          other8026

          That makes sense. As someone who isn't capable of studying the underlying code of the mostly foss apps I run, I have to rely on minimizing the threat surface I can control/understand. Having google play services afaik can at best be equal to but is likely worse than not having it, when it comes to giving google data about yourself. In terms of what data they are getting, I literally have no clue. For example, my preferred camera or file browser may have access to my photos and files, I don't know if it is trying to feed any of that data to google play services. I understand GPS isn't privileged and that is a large positive, but what are my other apps feeding google play services ::shrug::

          That makes sense about what you're saying on google library fallback code as well. And although many on here argue for not using fdroid/neostore, I do think those app stores can reduce this threat vs. downloading apps from google play store and/or the aurora store.

I agree on app communication scopes being highly anticipated. It is a game-changer feature in my mind because it will allow me (and countless others) to use their phone in a more 'normal' way with google play services installed, with very little risk. I can't wait to be able to use gboard and google camera and have mysudo notifications and protonmail notifications all in my main profile, without having to choose between my privacy and the inconvenience of multiple profiles.