I did read two apps can share data through IPC.
My questions are:

  • Is there any way to check whether IPC between two applications happens?
  • Is it possible to block it as an extra permission node?
  • Is there a way to apply rules about this kind of communication?
  • Can two apps in the same user profile but different work profiles (regardless of where is which as long as they are different profiles) use IPC?
  • Can two apps within different user profiles use IPC?
  • Is a way to control IPC on the same work profile on the same user going to be implemented?
  • If checking or blocking is not possible and it is not gonna be implemented, is there an alternative to GMS to handle app notifications?

This question, while very similar to https://discuss.grapheneos.org/d/1517-gboard-and-google-play-services-check-ipc (GMS and GBoard) what I am talking about here is not limited to Google Apps themselves.

My concern, although a little paranoid in a way, rises from the following:

  • Some google apps won't start without play services.
  • Some apps (mainly google apps) require GMS to log in with my google account. This means google apps such as youtube (for example), have implemented the mutual consent required for IPC and could potentially share data through it.
  • A few apps that probably make use of Google's Ads are able to display advertisements even WITHOUT the network permission node. I've tried disabling the phone's network access and then GMS's network access and advertisement display only when the phone is connected to the internet and GMS has the network permission node enabled.

I do understand an app should not be able to connect without the network permission and they do show servers are unreachable without it, but as far as I can tell it is not ensured data cannot leave the device by using IPC with an app having network access (in this case GMS).
Please note that likewise in the linked post, I am not referring to GMS alone: Play Services can know what apps are installed on the device, and no way around it. However, it can retrieve data from any app if said app allows it to, could it not?
I am going to test it around and see if I can get more apps that, even with the network node disabled, are still acting differently between when the phone is connected to the internet and when it's not.

    Before answering some of these questions, I'd like to point out that IPC is integral to Android. It's not a bad thing. It's actually super helpful, and you benefit from it every time you use your phone. Opening links or files in one app that launches in another app is done via IPC. The share button in apps shows you a list of apps that accept that file/URL as data in IPC. Notifications, to an extent, work via IPC. The OS uses IPC to send global broadcasts.

    In Android, apps are all sandboxed, including system apps. IPC is one way they communicate.

    People shouldn't worry so much about IPC. IPC has restrictions. It's mostly used to send "messages" not "data" between apps. Like a valid IPC would be "hey, Vanadium, open www.youtube.com". Invalid IPC would be "hey, Google Play Services, here's this person's entire photos collection". IPC is limited to 1mb, which is enough to share some data, just not a lot of data.

    Honestly, if two different companies with different apps suck up your data, they're not going to share the data on the phone, they're just going to suck data off the phone and share it between themselves directly. It's cleaner that way. Google is also unlikely to use IPC. The majority of users don't block apps' access to the internet, only a small number of people do. As long as you use their apps but don't give them data to use, they have nothing to take from you anyway, so I'd stay away from cameras or keyboards if you're worried about this. Or use the camera in another profile.

    CoffeeTime03 Is there any way to check whether IPC between two applications happens?

    The only way to know is by reading the source code for an app.

    CoffeeTime03 Is it possible to block it as an extra permission node?

    Anything is possible I guess, but not sure if it's practical or worth pursuing.

    CoffeeTime03 Can two apps within different user profiles use IPC?

    no. Apps cannot communicate using IPC between profiles. I believe I read there's some ability to communicate between work profiles, but don't quote me on that.

    CoffeeTime03 Is a way to control IPC on the same work profile on the same user going to be implemented

    I don't know, but I doubt it for many of the reasons mentioned earlier. It's not that big of a problem if you use apps that you trust. Don't use Google apps for everything, and they have nothing to send back to Google servers.

    CoffeeTime03 is there an alternative to GMS to handle app notifications?

    I wish. But the problem is mostly it would be extremely difficult for something like that to be adopted by companies/app developers, let alone be used by end-users. Just think about it this way, outside of China, 99.99% (yes, this is a made up figure) of people have phones set up to receive notifications via either Google or Apple's push notification service. There' just isn't any reason for anyone to start a new notification service. There is no real need, from a business perspective.

    CoffeeTime03 Some google apps won't start without play services.

    That's just how it works with them. The only solution is to not use their apps.

    CoffeeTime03 This means google apps such as youtube (for example), have implemented the mutual consent required for IPC and could potentially share data through it.

    Why does that matter? If you're using a Google app that shares data with Google, then go use another Google app that shares data with Google, then why is there any problem with those apps sharing data? Google will be able to figure out you're the same person whether they use IPC or not. Also, of course they want you to use the same login for each service. It makes it easier to track provide you with high quality services.

    CoffeeTime03 A few apps that probably make use of Google's Ads are able to display advertisements even WITHOUT the network permission node.

    That shouldn't be possible unless Google Play Services is somehow caching and serving those ads. Can you provide examples of apps that's happened with?

    CoffeeTime03 However, it can retrieve data from any app if said app allows it to, could it not?

    For IPC to work, it has to be mutual. Google Play won't randomly make up some IPC call to a random app to get data from it, but even if it were to do that, that app would have to have that receiver set up, otherwise the IPC will be blocked by the OS. If my pretend app does intend to share data with Google via IPC, they can't be trusted anyway. They'd share the data regardless of how they got it.


    A couple final things to say after my long post here is this is why many who use GrapheneOS are so crazy about using only open source apps. You don't need to worry about these kinds of things with open source apps. If you can read code, you can find out yourself what's going on. If you can't read code, just know that there are others in the world who use the same app and have read the code and know the app is trustworthy.

    The issue is that so many people and so many companies all just let Apple or Google make their lives easier. These huge tech companies have the resources to make fantastic apps, services with 100% uptime and low latency, global reach and support, etc. Don't use their apps. Tell your friends not to use their apps. Contact developers and urge them to stop using Google libraries, or write their software in such a way that it supports those without Google Play stuff.

    Being smart about app permissions is your best defense. Storage Scopes everywhere. Decline everything unless absolutely necessary. If an app has no access to your phone, the only data they can get from you is what you do in the app. Maybe that data is useful and they want to share it, but it's very limited. GrapheneOS cannot protect you from this kind of data harvesting. Only you can by not using these kinds of apps, or not using your phone at all.

      unwat First things first, thank you for your long reply.
      I totally understand the fact that being able to read the source code is a great benefit.
      And of course, even if its a big app, I am sure they are safe if they have over 10k stars on github and so.
      I am also pretty happy about storage scopes and use practically everywhere. Thank you for bringing that one up too.

      CoffeeTime03 If checking or blocking is not possible and it is not gonna be implemented, is there an alternative to GMS to handle app notifications?

      I also forgot to mention that maybe there is a way to have microG and use that instead on a different work profile but I am not sure.

      unwat That shouldn't be possible unless Google Play Services is somehow caching and serving those ads. Can you provide examples of apps that's happened with?

      Please try "Photo resizer" from Seelye Engineering. An ad is displayed upon entering the app regardless of its network limitation.
      While I couldnt get it to work with apps from other people (archero, WPS office), the same thing happened with other apps from the same company so I am assuming it has something to do with their implementation.
      While a simple fix would be just using other apps, I would still like to know why something that shouldn't be possible is actually happening.
      It is NOT hardcoded like "DroidEdit Free", where it shows you about its pro version regardless of network status.

        CoffeeTime03 microG and use that instead on a different work profile but I am not sure.

        Oh. I didn't think of that because even with MicroG, notifications still go through Google.

        CoffeeTime03 Please try "Photo resizer" from Seelye Engineering. An ad is displayed upon entering the app regardless of its network limitation.

        I checked with NetGuard, and you're right, the ad is coming from Google. Tracking with NetGuard, the Photo Resizer app doesn't access the internet, but Google Play Services does. I block ads via my VPN so I never see ads. I don't know how many apps do it this way. It's so gross Google enables this.

        unwat caching

        I just saw that I wrote this. That was the wrong word, my bad.

          unwat I checked with NetGuard, and you're right, the ad is coming from Google. Tracking with NetGuard, the Photo Resizer app doesn't access the internet, but Google Play Services does. I block ads via my VPN so I never see ads. I don't know how many apps do it this way. It's so gross Google enables this.

          This is exactly why I don't want the Play Store and Play Services on my phones. We simply cannot trust that Google isn't side-loading telemetry and other data through these channels.

          As you've mentioned before, it may seem unlikely for Google to do this, since most Android phones don't have the same fine-grained control as GrapheneOS, but they clearly are taking advantage of these back channels for whatever reason.

            unwat Oh. I didn't think of that because even with MicroG, notifications still go through Google.

            Yes, but being open source I doubt they would allow connections to display ads.

            unwat Anything is possible I guess, but not sure if it's practical or worth pursuing.

            I did not think that if performing IPC is part an AOSP api call, it should be quite easy to implement.
            Sure, maybe not read it but checking for sure.

              mythodical We simply cannot trust that Google isn't side-loading telemetry and other data through these channels.

              Agreed, kind of. In this case I'm not really surprised Google serves ads this way. Disgusted, sure, but not surprised. Pushing ads is good for the business side of things.

              However, I don't believe (but nobody but Google devs can really know) that Google will put so much effort into pulling data off our phones the same way. Nowadays, if they did something especially invasive, deceptive to spy on us, we'd find out about it, i.e. the incognito thing.

              Regardless, there's little we can do about app developers including other Google packages (here's a list of some) in their code. Many of these packages have fallbacks in case GMS isn't installed on a phone, according to GrapheneOS's lead developer. Google is being invited to the data party by every app dev who adds this stuff.

              Also, building off of what the lead dev said, it's totally possible other apps include libraries from other sources that aren't Google, but also share data to also serve ads, etc., including to circumvent network blocks. Those other libraries could also potentially be more invasive without needing GMS to do it. They just don't have the same "Big Tech" recognition as Google, so they could harvest data with less "restrictions" than Google because they're under the collective public's radar.

              Here's the lead dev quotes if you don't have Matrix (he wrote a lot, but I think it's worth recording here):

              strcat:

              Play services and the Play Store of course connect to their services, as do the Play SDK / Google libraries used by apps when Play services isn't present

              not having Play services doesn't mean Google apps / Google libraries can't connect to Google services....

              many of their libraries just choose not to implement fallback code for Play services being missing, but many of them do have fallback code, and there is no reason they can't do 100% of what can be done with sandboxed Google Play without it

              the whole point of sandboxed Google Play is that the Google Play apps are regular apps with absolutely zero special access or privileges and therefore there is absolutely nothing they can do which could not be done by the Play SDK / Google libraries in the apps using it

              that's the point of the approach

              this is a hard rule, not a simplification

              try Google Maps without Google Play

              it only uses Google Play as a way to integrate better with it

              for example Google Play supports compass calibration across apps, and Google Maps is the frontend to configure Play services compass calibration

              and without Google Play services, Google Maps doesn't bother supporting compass calibration, but it could, and their library for using the compass could fall back to using Google Maps if it's present but Google Play services isn't (it just doesn't in practice right now)

              same applies to everything else

              no reason the FCM library can't run a foreground service and ask for a battery optimization from each app using FCM

              no reason it couldn't detect other Google apps and reuse a shared connection via those apps without Play services

              they choose not to bother implementing fallback code for FCM

              of course, they obviously implemented fallback code for the Google Ads and analytics libraries

              they work fine in each app using them without Play services

              they aren't going to throw away ad income from people using apps using Google Ads SDK on devices without Google Play

              they don't care if you have push notifications though

              if they didn't use Google Play as a cudgel to force vendors to comply with compatibility / security standards as part of licensing it, they would probably implement support for sandboxed Google Play themselves without us needing to do anything

              it does not make business sense for them to not make it work to the extent possible on devices not integrating it other than as part of their licensing approach where [they] enforce rules on vendors through that

              Sorry for yet another super long post.

              CoffeeTime03 Yes, but being open source I doubt they would allow connections to display ads.

              Good point. I guess my only real issue with MicroG is that functionality could break at any moment if Google changes something. GrapheneOS's sandboxed Google Play paired with my VPN blocking ads limits Google's reach enough for me to be comfortable with it. I understand if others don't feel the same way.

              CoffeeTime03 I did not think that if performing IPC is part an AOSP api call, it should be quite easy to implement.
              Sure, maybe not read it but checking for sure.

              IPC is integral to Android in general. It's one way system services communicate while sandboxed.

                unwat IPC is integral to Android in general. It's one way system services communicate while sandboxed.

                What I mean is not removing IPC completely, that would be absurd indeed.
                I mean it would just be nice to have something similar to storage scopes but with IPC: Like being able to set that one app cannot communicate with another specific app or it can with only a small set of apps (system services + allowed)

                  CoffeeTime03

                  Maybe the devs can do that. I'm not as knowledgeable about Android source code as them, obviously, so only they can say whether it's possible or not.

                  They have a scoped apps enhancement listed in the issue tracker that "is worth thinking about". Not sure if or how they'll do it, but presumably this would still enable Google to send ads via Play Services for people with sandboxed Google Play set up.

                    mythodical This is exactly why I don't want the Play Store and Play Services on my phones. We simply cannot trust that Google isn't side-loading telemetry and other data through these channels.

                    In general, you are right. But not everyone can do this. I would even say it is not practical. I almost gave up on using GrapheneOS or any Android for that matter as I was considering my next phone.
                    If my old parents call me through one messenger App, I would better receive the call/notification in time. I never know when they need me urgently. With iPhones, I never had to worry about it, but Apple is for sure sucking up all Data behind my back (Ads is their next logical step to earn more money). A phone with Google Service would be even a bigger black hole for Data. So, not many choices left really...

                    unwat They have a scoped apps enhancement listed in the issue tracker that "is worth thinking about". Not sure if or how they'll do it, but presumably this would still enable Google to send ads via Play Services for people with sandboxed Google Play set up.

                    I quoted this post in the issue tracker as the last reply (11 days ago, I am not necroposting a thread from 2019) as that one reply was not really within what it has been talked about here.
                    Let's see how it develops.

                    CoffeeTime03 Please try "Photo resizer" from Seelye Engineering. An ad is displayed upon entering the app regardless of its network limitation.

                    I managed to get the same beheavior with "Black Notes" after a minute of creating notes.

                    6 days later

                    unwat They have a scoped apps enhancement listed in the issue tracker that "is worth thinking about". Not sure if or how they'll do it, but presumably this would still enable Google to send ads via Play Services for people with sandboxed Google Play set up.

                    I strongly believe this would have a bigger chance of being implemented if this thread made it to general instead of off topic.

                      CoffeeTime03

                      It's a big feature and it would require a smart solution.

                      I don't think they are ignoring this at all. It is just a super complicated thing to tackle. They'd want to do it right.