Can Sandboxed Google Play Services access data of other GApps?

randomgosuser

Hi there,

I recently came around this post https://discuss.grapheneos.org/d/6046-can-an-app-denied-the-network-permission-exfiltrate-data-via-play-services on the forum that says that Google Play Services can receive data from other Google apps (Gboard, Gcam...) installed in the same user profile and send them to Google even if the original apps have network permission denied. Is this true?
Reading the "Sandboxed Google Play" section in the Usage guide on grapheneos.org it says that "Apps within the same profile can communicate with mutual consent and it's no different for sandboxed Google Play." Is there a way we can know which apps are communicating and how? For example, if I use Gcam with network access denied but have Google Play Services with network permission allowed, will Google receive data about how I use Gcam and/or the pictures that I take?

Thanks

de0u

randomgosuser The natural operation of Play Services is that apps outsource some of their work to Play. That includes outsourcing network activity, especially including push notifications. Apps talking to Play and Play using the network to do things for the apps is how the system is designed to work.

The safe way to keep your data out of Google's hands is to not give the data to apps written by Google.

GrapheneOS

randomgosuser There's nothing special in regard to Google Play services in regard to this, as explained in what you're quoting.

GrapheneOS

Creating a new thread about this doesn't seem necessary.

randomgosuser

Despite my best efforts, I still find very hard to understand exactly what Sandboxed Google Play Service can and cannot see.
I know that push notifications of many app rely on GPS, and that's the only reason I have them installed, but I never found clear information about what are the other implications of giving network access to the app.
If I deny network access to an app, and GPS runs in a sandbox, how can I now if an app is still sending data through it because it's designed to do so?
What are the privacy risks of running GPS with only network permission allowed? People on here always get very upset whenever someone asks these "dumb" questions, but understanding the EXACT intricancies of app network activities is not trivial, especially for people who don't work in the field.

de0u

randomgosuser Despite my best efforts, I still find very hard to understand exactly what Sandboxed Google Play Service can and cannot see.

Because it is sandboxed, Play can see exactly what any other app can see, including information shared with it voluntarily by other apps. This is the same as the system clipboard, which can see any information any app sends it when a user selects 'Copy". Cross-app information sharing is a normal part of Android operation.

randomgosuser If I deny network access to an app, and GPS runs in a sandbox, how can I [know] if an app is still sending data through it because it's designed to do so?

At present there is no general way to know. But if an app is installed from the Play Store it very likely is designed to use Play services, because over time Play contains more and more functionality.

randomgosuser People on here always get very upset whenever someone asks these "dumb" questions, but understanding the EXACT intricancies of app network activities is not trivial, especially for people who don't work in the field.

I think part of the problem is that some people are looking for a recipe for running privacy-invasive apps in a mode where they operate normally except that they preserve privacy. There is not a general way to do this. But people really want there to be a way (and for it to be as simple as revoking a couple of permissions). I think this is a major component of the ongoing surprise: people believe there is a way to do it, and think they have done it, even though it generally cannot be done.

Perhaps one believes that, hypothetically, Google Camera contains secret code to leak photos to Google in ways Google does not disclose. For reputational and legal and regulatory reasons, this is not all that likely, but there have been issues, so this is something some people believe is likely. In that case the key and effective defense is to not use Google Camera.

GrapheneOS

Sandboxed Google Play doesn't have any special access or capabilities. It doesn't run in a different sandbox from other apps. Each app using sandboxed Google Play contains the Google Play libraries. Only apps containing the Google Play SDK and FCM library are using FCM. It would be entirely possible for that library to function without Google Play services installed if they chose to implement fallback code running a foreground service and asking for a battery optimization exception. It's clear why they don't do that because it'd be inefficient having each app maintain a connection on their own and goes against how they want developers to do things.

I know that push notifications of many app rely on GPS, and that's the only reason I have them installed, but I never found clear information about what are the other implications of giving network access to the app.

Network toggle controls access to the network either via direct connections, or indirect access through OS components or other APIs which provide interfaces for usage by apps which require the permission. DownloadManager is an example within the OS, which performs downloads on behalf of apps. Browsers are an example which do not generally require the internet permission to open links in a new tab, although they could and probably should require it which is something we plan to address.

The Network toggle is not an overall data exfiltration toggle. It doesn't control non-network-related things. It doesn't stop an app putting data/metadata into a file it saves, doesn't stop it abusing permissions you grant it, doesn't stop playing audio, doesn't control other permissions, doesn't control file access (which is done by other permissions and case-by-case grants) and doesn't control app communication without a profile. It's a Network toggle, just like Contacts is a contacts toggle and doesn't stop 1 app given Contacts from sharing it with another app not given Contacts within the same profile. That's not something specific in any way to Network.

If I deny network access to an app, and GPS runs in a sandbox, how can I now if an app is still sending data through it because it's designed to do so?

It runs in the standard app sandbox, not simply a sandbox. This is part of your misunderstanding. You believe it works differently from other apps, but it doesn't. App communication within a profile doesn't depend on the network and that doesn't mean apps aren't sandboxed. Apps can't access each other's data. Apps can mutually consent to communicating with each other within the same profile. These things are stated repeatedly in what you're linking.

What are the privacy risks of running GPS with only network permission allowed? People on here always get very upset whenever someone asks these "dumb" questions, but understanding the EXACT intricancies of app network activities is not trivial, especially for people who don't work in the field.

No one is getting upset about asking "dumb" questions. This has all been asked and repeatedly answered in depth. Making new threads about it only makes it harder for people to find the existing responses and forces us to post the same answers again and again. It doesn't get easier for people to find the info if there are 100 threads with mostly lower quality answers instead of 1 thread with a very high quality, well explained answered that's therefore easier to find.

You're asking questions already answered by what you're linking and quoting.

GrapheneOS

This thread is reiterating the same stuff as the many previous threads about this. You're not going to gain more understanding reading new replies from us here than the existing replies elsewhere.

Sandboxed Google Play can't do more than any other app. It has no special access or capabilities. App communication is not specific to how Google Play services works. It's a common part of how apps work on Android. Network toggle is a network access control, not a toggle for app communication within profiles, which can be done both via standard app communication or through users granting access to shared resources whether it's the network (via Network), a file, contacts, etc.

randomgosuser

Ok, thank you both for taking the time to reply and explain, and sorry about my dumbness. If you think that having too many posts about the same topic creates confusion, feel free to delete this one.

Thank you for your great operating system and for everything you do for this community.
Take care.

de0u

randomgosuser Ok, thank you both for taking the time to reply and explain, and sorry about my dumbness.

It would be great if GrapheneOS could provide a "general privacy transformer" for arbitrary apps. It's natural for people to want that, and complicated to explain why it's not possible.

Arguably the closest thing to a "general privacy transformer", though it is not perfect, is running open-source apps.

GrapheneOS

If a camera app was malicious, it could make low resolution versions of each photo you take and store your 100 last photos as hidden encrypted data inside the metadata of each photo you take, so uploading any photo would upload low resolution copies of the last 100 ones. That's simply an example. If apps were very determined to communicate they could use other methods like side channels. There is no way to truly prevent two apps very determined to communicate from doing it when running on the same CPU, etc. They can prevented from communicating in normal non-side-channel ways which profiles already do and our future App Communication Scopes feature is meant to support that within profiles, but we've had trouble making it complete and may just need to offer flexible nested profiles for this purpose.