Hey all

I am looking to install GOS on the new pixel 9 pro XL, and I was wondering, what tips do you have for someone new to the system?

I've had a quick look through the system, and was wondering mainly the following.

  1. Should I just get my apps via Google play? (I still need maps and some work apps which will be another profile).

  2. I was looking at the sensors feature, should I disable it from apps? Do I gain any privacy from it?

What other tips / settings do you recommend changing to help with security and privacy, despite minimal Google apps?

Thanks all!

There's a lot in here if you search the forum. The main website also has a lot of good reading material.

PROFILES:
The easiest thing is to have one profile, have Play Services and Play Store on it with your old Google account, and use it as a regular Pixel with additional security and a little extra privacy.
From there, it all depends on how much effort you are willing to put in - not only in setting it up, but in daily usage it may be a pain to juggle multiple profiles.
I have a main profile that's basically empty. A second profile that is my daily driver, a third with GPS for banking apps and a fourth for reading news.

VPN:
Well, VPN is a transfer of trust. From your ISP to the VPN provider or to a cloud provider, if you host a VPS yourself. For me it's a no-brainer, since ISPs suck. Go with a VPS or a reputable VPN (IVPN, Mullvad, Proton or Windscribe).
I recommend against using a private DNS (NextDNS, quad9, adguard, etc) with a VPN, as it makes you more
But it's all about trade-offs. NextDNS and Quad9 update daily, so you'd have greater protection against phishing, malware, etc. Also with Rethink you're stuck with however many WireGuard connections you set up; you can't just easily jump servers like you would with the VPN's app.

APPS:
The golden rule is: less is more. Stick to the essentials. Replace what you can with reputable open-source alternatives, but remember open source doesn't mean secure or private. Run away from projects that are abandoned or have few users. Open source needs engagement (from the devs themselves and 3rd parties) to be constantly debugged and improved. Switch to webapps whenever possible. Webpages can access your browser, not your hardware.
Don't be afraid to have Google apps (Gallery, Camera) on your phone if none of them has network permission (see explanation in KEYBOARD about apps communicating). I'd separate apps which require permission in another profile (Gmaps for example), but it's a pain to drive longer distances in another profile.
Check https://privacyguides.org/en/tools for good app recommendations.

KEYBOARD:
AOSP keyboard sucks. Two good keyboards are Gboard or Microsoft SwiftKey. SK has better word prediction and UX imo, but Gboard has dictation (it takes some effort to get it working, I can look it up if you want). Remember apps can communicate (GOS does have an app communication scope feature in the pipeline iirc, but for today that's the reality): even if you remove network permission from Gboard, it can in theory still send everything you type to the mothership via GPS if you have it installed.

APP STORE:
They all suck. Play Store requires an account. You can try your luck creating one without giving a phone number, or use a number from https://smspool.net that you buy with Monero.
Aurora apparently doesn't verify APK signatures.
F-Droid faces criticism from a lot of people in the security world, and it's only for open-source apps anyway.
Obtainium is an option, but again, only for open-source apps.
GOS has a store in alpha, Accrescent, but it has like 10 apps and nothing guarantees that devs won't pull away support for an app store with a thousand users, if that.

    Hb1hf

    oh yes, BROWSERS!
    GOS will tell you to use Vanadium and nothing else. I like to separate/isolate my browsing, so one browser wouldn't cut it. Luckily there's Mulch, which is basically Vanadium that the Divest project makes available for non-GOS users via a repository at NeoStore. You can leave one browser for your signed-in websites (email, etc), and the other one for general browsing.
    Vanadium/Mulch are degoogled and hardened (things like disabling JIT which is the main attack vector on browsers nowadays).
    Brave, on the other hand, has no such thing, but has a nice content filtering and some fingerprinting protection. Trade-offs...
    Also Divest's Mull, which is a hardened Firefox (also with JIT disabled). Firefox is less secure than Chrome (worse site isolation and worse bug hunting - not being Google has its disadvantages), but you can add extensions, and using uBlock Origin in hard mode will dramatically reduce the amount of garbage that runs scripts in your browser. Also LibRedirect is a godsend in your privacy journey. Bypass Paywalls Clean can also be handy.
    Remember (also for desktop), keep extensions to the absolute minimum (preferably uBO only), and never EVER use extensions that are not open source.

    My fear since I started this journey is that I wouldn't be doing enough and stress out over having too few or too many profiles. Not having the right apps in the right profiles. Did I set the correct permissions on ALL my apps? How would I know?

    Fortunately on iOS I've already started some habits to reduce my data footprint. Logging into "app" websites with Brave instead of downloading the app. Using a VPN. Email aliases. But you're limited on what you can do on iOS.

    Best of luck!

    Hb1hf Obtainium is an option, but again, only for open-source apps.

    I mean, technically not true. Any app can make APKs available through a website and Obtainium can use it. Very few apps besides open source apps do this however, instead they rely on GPlay.


    OMG!!

    DO NOT INSTALL WHATSAPP FROM PLAYSTORE/AURORA IF YOU DON'T HAVE PLAY SERVICES INSTALLED!

    WhatsApp suspends accounts for that. You need to download the APK from whatsapp.com instead!

    @Dumdum's reply reminded me of this. You can use Obtainium to download WA's APK, but I don't think it will update.

      Hb1hf on my other phone I'm using DOS without microG and/or any play services and installed WA via Aurora store without any issues

        AlphaElwedritsch I guess this means microG successfully fools WA. But in GOS you either have GPS or no GPS.
        But even if it works for some people, there are many cases of people in this and other fora whose accounts have been suspended. So why take the risk if the cost to mitigate is basically zero? You just download it once from the website, then the app store will update it.

        my comment was purely informal without judgment

          Hb1hf Thx for this information, didn't know. Have only used the APK from WhatsApp.

          AlphaElwedritsch oh mine too!

          But this thread is to help people who are just starting with GOS, so I thought it was important to reiterate that there's a way that's guaranteed not to get them a headache, even if the regular way is not 100% assured to get them suspended.

          Put as little on your phone as possible.

          Use Molly or Signal. (always)

          Hb1hf Aurora apparently doesn't verify APK signatures

          Other than this, there are other apps that don't run on the phone unless it is verified to have been downloaded from the Google Play Store.

          I had a banking app not work because I downloaded it from the Aurora Store.


            0j923jd023j are you sure it's not a Google integrity API issue?

            Hb1hf

            This makes me wonder, since it's Meta, if this could also follow for Instagram and/or Facebook.

            It would be lame to lose an important old account for something like this (but yeah, it totally sucks that Meta is like this).