How safe are pixel 9 devices?

N3rdTek

Pixel 9 devices appear very unsafe and insecure. How protected area things wit GoS

lcalamar

N3rdTek Yeah - pretty much a nothing-burger.
Some critical thinking would be nice here...

Carlos-Anso

This is testing of the stock operating system. Its very well known and should be expected that stock PixelOS, run with the default configuration, is heavily tied to Google services.

Older Pixel devices running stock behave similarly.

All the connections GrapheneOS makes are documented on the website
https://grapheneos.org/faq#default-connections

Apps and services you add will likely add more connections.

maximus87

My issue with such articles is that they don´t explain the configurations and settings they are using. And they are mainly click bait in my book.

Yes, unfortunately, a lot of features/settings are opt out (and they should be opt in), but still. You can´t have the setting for telemetry and other stuff active and then complain the phone is sending Data.

admin

maximus87 Network location is provided as a clear choice during the initial setup. Every Android and iOS device has network location with opt-out in the same way. It's a feature included in other operating systems too. Their claims about it are complete nonsense and that reflects on the overall article. GrapheneOS isn't going to use network-based location by default but is going to be adding our own implementation with a choice between a GrapheneOS proxy for Apple's service or directly using Apple's service. It will then be extended with the option to use our own first party GrapheneOS database either via remote queries to our server or regional database downloads. Our database will be built by combining scraping Apple's data and combining that with open BeaconDB data. Apple's service is nicer for us than Google's service because Apple made it trivial to scrape huge amounts of data from their service, and data isn't copyrightable so we're free to do that and organize it in our own way. We haven't agreed to any Apple terms of service for it and it doesn't require any authentication to use. Anyway, portraying network location as some kind Pixel 9 flaw is genuinely ridiculous and is not the worst part of the article.

AlphaElwedritsch

this is journalism pornography

Rizzler

Even if we take the article at face value, its still way better than any other Android phone. These are all software related and they are eliminated by installing Graphene.

ignition

Why are you guys saying merely installing Graphene fixes the problem when prior research (pdf) shows Google siphons data via its Play Store?

Has anyone run a similar test on Graphene to see what data Google siphons via the sandboxed Play Store after its given the usual permissions necessary for most banking apps? Reading through the article, a couple of the things mentioned would still apply to Graphene. They obviously get your email but also your app list (a fingerprint vector). They get your real, general location if you follow this usually recommended guide, which is installed apps also get since there's no permission to control this. Network status and regularly pinging home is also fair to assume too especially if automatic and background updates are turned on for the store.

It's unclear for the used phone number and other SIM information, which are clearly the most important pieces there, but it's also true that Graphene currently provides no means to give fake data to apps needlessly requesting such information.

de0u

ignition Why are you guys saying merely installing Graphene fixes the problem when prior research (pdf) shows Google siphons data via its Play Store?

Which problem?

The article cited at the top of the thread made specific claims.

ignition Has anyone run a similar test on Graphene to see what data Google siphons via the sandboxed Play Store after its given the usual permissions necessary for most banking apps? Reading through the article, a couple of the things mentioned would still apply to Graphene.

Lots of GrapheneOS users don't install Play at all, or install it in a secondary user profile.

It would indeed be interesting to re-run the experiment reported on in the article on various GrapheneOS configurations. But it seems pretty clear that installing GrapheneOS and not installing Play would be quite effective at cutting off the telemetry reported in that article.

Some of the pushback on the article is that it was written as if the telemetry is a property of the device, when it is a property of the software some people choose to run on the device.

Rizzler

ignition Cuz GrapheneOS doesn't equal Play Store?? If you don't trust the software you install ontop of the OS, thats entirely on you. The OS still does its job.

Rizzler

ignition

Has anyone run a similar test on Graphene to see what data Google siphons via the sandboxed Play Store after its given the usual permissions necessary for most banking apps?

It has just as many privileges as any other app. So it will be collecting as much as this circumstance allows. For example, they won't be able to see your IMEI. In this regard it collects less data than on stockOS. This is just one example though. Many other ways of it collecting data has been shut down as well.

It's said that there are about 250,000 Graphene OS users. Can it be confidently said even 1% of those use their devices without the Play Store? Show the data then I'll happily stand corrected.

Its literally a selling point of the OS, that it doesn't include third party software. Your made a claim that goes against all logic, by doubting that even 1% of the users avoid Play Services and then you want us to show you data that disproves this insane claim? None of us have concrete data about this since Graphene doesn't collect data but it can be safely assumed based on community interactions etc. that its a way higher number than what you think.

Pacienco

ignition

ignition Has anyone run a similar test on Graphene to see what data Google siphons via the sandboxed Play Store after its given the usual permissions necessary for most banking apps? Reading through the article, a couple of the things mentioned would still apply to Graphene.

It would be interesting to see the results of that test, at least for people who use Google Play Services. No doubt someone like Leith or maybe Kuketz would put the time and effort into investigating and publishing it.

ignition It's unclear for the used phone number and other SIM information, which are clearly the most important pieces there, but it's also true that Graphene currently provides no means to give fake data to apps needlessly requesting such information.

Yes, not yet, although features to that effect are planned and the project definitely seems open to proper implementation and maintenance for those features: https://github.com/GrapheneOS/os-issue-tracker/issues/4075 & https://github.com/GrapheneOS/os-issue-tracker/issues/4076.

ignition

de0u Which problem?

In the article, reiterated below that sentence.

Lots of GrapheneOS users don't install Play at all

Not sure what this speculation is based on.

or install it in a secondary user profile.

Other than app list, using a secondary profile is irrelevant to the things listed.

But it seems pretty clear that installing GrapheneOS and not installing Play would be quite effective at cutting off the telemetry reported in that article.

Maybe, but not sure why that matters when the Play Store is the recommended way to install apps and is practically a requirement for banking and ID apps.

when it is a property of the software some people choose to run on the device.

People do not 'choose' to run the Play Store on a regular Pixel. They may 'choose' it with Graphene but unless you ignore developer recommendations, trying to use the device for ordinary banking or government ID apps will require its installation in the majority of cases.

de0u

de0u Which problem?

In the article, reiterated below that sentence.

I see a lot of things in that article, some of which I don't see reiterated in your post, e.g., "the phone periodically attempts to download and run new code, potentially opening up security risks". Also, "the Pixel device periodically contacted endpoints associated with Google Photos’ Face Grouping feature without asking for consent", and "Worryingly, we observed CloudDPC reaching out to Google’s servers". Hence my question.

de0u Lots of GrapheneOS users don't install Play at all

ignition Not sure what this speculation is based on.

Maybe people here (other than me) who don't have Play installed will chime in, in which case it won't be just speculation. But if the discussion is held to just speculation, there are a lot of posts from people who have installed messaging apps and/or e-mail apps and ask why notifications don't work, and are told that installing Play is necessary, and say they don't want to. There are also posts from people having issues with the ntfy variant of Molly, and people complaining that Proton, years after saying they were working on non-FCM notifications, are still doing only FCM notifications on Android. I admit I am merely speculating that those posts are substantially from people who don't have Play installed.

de0u or install it in a secondary user profile.

ignition Other than app list, using a secondary profile is irrelevant to the things listed.

If you say so! However, one of the upsides of secondary user profiles is that they can be stopped, so one can limit whatever surveillance one assumes the Play infrastructure is carrying out to specific times and places.

de0u But it seems pretty clear that installing GrapheneOS and not installing Play would be quite effective at cutting off the telemetry reported in that article.

ignition Maybe, but not sure why that matters when the Play Store is the recommended way to install apps and is practically a requirement for banking and ID apps.

I believe the position of the GrapheneOS project is that Accrescent is the most-recommended venue. I believe the project's position includes that apps available on the Google Play store are most reliably and securely installed via the Google Play store (as opposed to via Aurora or various "APK mirror" sites). I am unaware of a recommendation or expectation from the GrapheneOS project that all users install Play and install apps from the Play store.

ignition People do not 'choose' to run the Play Store on a regular Pixel. They may 'choose' it with Graphene but unless you ignore developer recommendations, trying to use the device for ordinary banking or government ID apps will require its installation in the majority of cases.

I think (or, if you prefer, I speculate, based on forum posts) that some users choose to bank via web app instead of via bank app. Perhaps that avenue will become less viable, or perhaps more banks will choose to improve their apps. Likewise, governments may increasingly require Play (and may increasingly require the stock OS), or not. People who have a government i.d. app may choose to mitigate tracking by isolating it in a secondary user profile that is activated only occasionally (something that is possible on GrapheneOS and not on the stock OS).

Overall, as I previously wrote, it would be great if somebody would re-run the experiment reported on in the article using GrapheneOS instead of the stock OS. Perhaps the researchers would be interested in doing a followup comparison study.

But it does seem very likely that some of the issues raised in the article (e.g., "CloudDPC") are 100% remedied by installing GrapheneOS, and it also seems very likely that Play tracking issues can be mitigated by users willing to isolate the Play code in a secondary profile (an enhancement of GrapheneOS over the stock OS), and that Play tracking issues can be completely avoided by users who are in a position to forgo banking apps, government i.d. apps, and Play, in favor of apps available on Accrescent, or obtained directly from developer web sites, or hand-built from GitHub, etc. (also an enhancement of GrapheneOS over the stock OS).

de0u

ignition Other than app list, using a secondary profile is irrelevant to the things listed.

de0u If you say so! However, one of the upsides of secondary user profiles is that they can be stopped, so one can limit whatever surveillance one assumes the Play infrastructure is carrying out to specific times and places.

ignition It has nothing to do with me saying so. The things mentioned are entirely profile independent and can be confirmed by even searching this forum.

The "if you say so" part was the part that you somehow chopped out (ignition), the part about how putting Play and Play apps in a secondary profile means that the telemetry can be stopped at will, which is not exactly "profile independent".

If you believe that being able to turn telemetry off at will on GrapheneOS, which is not possible on the stock OS, is irrelevant, that is up to you, but other people may see it as a significant reduction in tracking.

Carlos-Anso

Its a fact that many users dont use Play. Its not recommended by the project to do so, but the option to do so is made available. Its an easy way to move to GrapheneOS if you aren't already used to having a device without Play Services.

Unfortunately some apps will not work or lack features if you dont have Play Services. But there are huge amounts of apps that work fine without it.

Many banking apps work without Play or you can use the bank website. In most countries theres no need to use an app for government ID.

Ive never used Google Play. I also know many other people who do not have it on their phones. I think it would be nice if more people used less Googles apps and services. I find their monopoly position problematic.

Many people arent worried about Google having some, or even lots of their data. Ive got many friends like that. While Im happy to talk to people why I think using more diverse services is good. I think its OK to not be bothered or not have the capacity to figure out, migrate and learn to use alternatives.

Get your email

To use the Play Store you need to have a gmail account. The recommendation is to create a new one. Of course they know what account you use to access the Play Store

also your app list

Only for the user profile where Play is installed

They get your real, general location

The country of the SIM card. If for some reason thats a real bad problem can use one from a different country. There are options. IIRC jmp.chat , whos main market is US and Canda, sell data only SIMs into that market which are provided by a French carrier.

It's unclear for the used phone number and other SIM information

Its not unclear. If you avoid giving Google apps phone or sms permission they wont get those.

Other than app list, using a secondary profile is irrelevant

You can keep a limited amount of apps that need Play in a secondary profile. Maybe banking and government ID if you need to user those. Only have that profile active when you have to use those apps. This significantly reduces data collection opportunities.

Also you have to remember that many apps include Google libraries that connect to Google services even if you dont have Play Store. I use some. None have internet access.

ignition

Carlos-Anso Its a fact that many users dont use Play.

Is this from data collected somewhere or something we hope is true? I don't use it myself and know some people that don't but as much as I want it to be true, it's naive to think such anecdotes can be extrapolated to any significant figure. It's said that there are about 250,000 Graphene OS users. Can it be confidently said even 1% of those use their devices without the Play Store? Show the data then I'll happily stand corrected.

The country of the SIM card. If for some reason thats a real bad problem can use one from a different country.

This is such an amazing edge case I'm not sure how to respond.

Its not unclear. If you avoid giving Google apps phone or sms permission they wont get those.

Which Google apps? My question was very simple

Has anyone run a similar test on Graphene to see what data Google siphons via the sandboxed Play Store after its given the usual permissions necessary for most banking apps?

Not sure why I'm getting 'but if you lock yourself alone in a bunker' arguing to argue edge cases in response.

ignition

de0u Hence my question.

I don't understand this line of questioning. Isn't it obvious it is about the parts reiterated?

If you say so!

It has nothing to do with me saying so. The things mentioned are entirely profile independent and can be confirmed by even searching this forum.

ignition

Rizzler Cuz GrapheneOS doesn't equal Play Store??

Who said it did?

If you don't trust the software you install ontop of the OS, thats entirely on you.

What does this have to do with prerequisites for necessary apps you have no control over?

Your made a claim that goes against all logic, by doubting that even 1% of the users avoid Play Services

This might be the silliest thing I have read this year. Doubting and asking for data is the opposite of 'made a claim'. That you need this explained to you is what's 'insane' here.

None of us have concrete data about this

Then don't waste my time with headcanon. If you don't have data then drop it. It's been multiple posts now on headcanon. If I wanted to discuss headcanon distractions, I would've gone to a fanfiction forum.

de0u the part about how putting Play and Play apps in a secondary profile means that the telemetry can be stopped at will

Regular Pixels have a button to disable Google Play Services.

ignition

Pacienco No doubt someone like Leith or maybe Kuketz would put the time and effort into investigating and publishing it.

Great guys! Doug's papers in particular (two linked earlier) have been very useful for dispelling certain claims and beliefs about Google not siphoning data.

lost_cause

I will just chime in that I am not using Play Services on a personal device. I do occasionally use it on test devices but only for a limited time. Sandboxed Google Play was not always available.

Any longtime users will be familiar with using GrapheneOS without GPS. We may now be a minority, but I'm sure we are still out there.

[deleted]

lost_cause there are more of us than may meet the eye. It's because we are more accustomed to life without Google Play and we don't scream for help at first sign of inconvenience.

Rizzler

ignition

What does this have to do with prerequisites for necessary apps you have no control over?

Its not necessary at all. You can choose to install privacy invasive apps but its not the OS's job to protect you from yourself. They have as much access as any other apps. Wost case is that they collect as much data as available to any normal app. I don't understand play store related questions because they are literally just an app with no special access. They cant do anything weird.

If you use Facebook from Firefox, its not firefox's fault that they collect the data you give them.

de0u

ignition Regular Pixels have a button to disable Google Play Services.

Thanks for the update! I haven't used the stock Google OS since the Nexus 7.

What does that button do? Is it possible to turn off Play in one user profile while it's on in another? If it's off, are there app complaints or failures with built-in apps?

I ask because of some things seen online (some admittedly old):