Graphene1 Creating a new account or not creating one makes no tangible privacy difference since either way they have unique identifiers for the install. Every app can generate and store random numbers.

    Graphene1

    Even when using Aurora Store your usage can be linked together, this isn't any different that just using an anonymous Google account without any PII (no phone number, etc.)

    pxlkng I have to disagree, completely. I find it uncomfortable myself (I have bad experiences with Google services in general and want to avoid it outside of a independent profile)

      raccoondad

      There is nothing to agree or disagree on, here.

      Play Services are always sandboxed and confined on GrapheneOS and have absolutely no special permissions or elevated access, they are just like any other app.
      You don't need a profile to contain them, this doesn't change much.

        pxlkng "There is nothing to agree or disagree on, here.", making your opinion objective makes you a lot less trustworthy, just saying...

        "Play Services are always sandboxed and confined on GrapheneOS and have absolutely no special permissions or elevated access, they are just like any other app.", I did not claim otherwise, that's the idea of sandboxing, I still don't want it.

          • Edited

          raccoondad

          The fact that Play Services are sandboxed with no special privileges or access on GOS is not an opinion.

          The fact that Aurora Store reduces security and therefore also privacy (as security is a prerequisite to privacy) and shouldn't be used isn't an opinion either, it is based on facts and recommendations by the GrapheneOS project.

          Maybe I have worded myself poorly:
          It is a valid goal to completely avoid Play Services.
          But you are not doing that by using any apps that come from the Play Store or bundle Google libraries.
          Aurora Store doesn't change this, at all. It only makes you less secure and private, but it doesn't stop any Google telemetry or tracking or data collection.

          So there is no reason to prefer Aurora Store over sandboxed Google Play Services.

            pxlkng

            "The fact that Play Services are sandboxed with no special privileges or access on GOS is not an opinion.", I never claimed otherwise, you put words into my mouth.

            "it is based on facts and recommendations by the GrapheneOS project.", I also never stated otherwise

            If you want to pretend I said things I didn't, then its clear you are here to be bad faithed. I don't have time for this

              raccoondad

              I apologize that this came across this way. I was merely pointing out the issues with Aurora Store.

                pxlkng Its fine, and with the issues you brought up, you are correct. Aurora lacks a lot (Play Store metadata verification, reduced CA set or pinning, trusting every webPKI CA, among other issues that akc3n mentions I won't pretend IK all of it).

                I also wanted to mention, outside of sandboxed play, there isn't many safe alternatives and people are going to eventually have to make a decision based on their needs/paranoia. This is pretty much all I am saying

                I'm confused about recommendations in this thread. I do not have google play services installed on my phone nor do I have a google account. I use Aurora anonymously.

                How does it increase my privacy if I create a google account, load play services, and log in to the account to download apps? That does not make any sense to me. Apps I use have never required a google account login.

                  rambleon

                  Specifically to the reason that Aurora Store has no privacy benefit:
                  Many Play Store apps bundle Google libraries with them, those run on your phone even without Play Services installed and allow Google to collect the same amount of data it would be able to collect with Play Services installed, which is not much to begin with due to everything being sandboxed and confined.

                  So Aurora Store doesn't avoid Google or Googles data collection in any way.

                  You can create an anonymous Google account not linked to you and without a phone number to use the official Play Store anonymously.

                  Something tells me without extensive support of Play services, Firebase and Google analytics those libraries are by far not as powerful as some claim them to be.

                    DeletedUser227

                    They collect the same amount of data.
                    Stop hoping it to be otherwise, come on the matrix channels or on Discord and ask this question and many other knowledgeable community members will say the same as me.

                      Do I understand correctly: this risk that an Android app may have code to send telemetry data to Google, or anywhere else for that matter applies to any Android app downloaded via Aurora, Google Play, or direct APK download. So Aurora provides the benefit over Google Play of not requiring a Google account or google play services to download, but extends no protection over Google Play from telemetry. In theory Aurora adds no telemetry risk beyond Google Play, but only if Aurora pulls its APKs from the play store.

                        rambleon

                        There is no benefit in using Aurora Store as it is outright dangerous and insecure to use and overall just a dumpsterfire of an application.
                        It doesn't avoid any telemetry or data collection. Play Store apps bundling Googles libraries and those running and collecting data on their own is not a risk, but just normal and indeed happening.

                        Use an anonymous account with the official Play Store instead.

                          pxlkng there is no such thing as anonymous Google account since as you hinted yourself through tracking, telemetry (and fingerprinting) it will ultimately lead to your deanonymization.

                            DeletedUser227

                            There is such a thing.
                            It ultimately comes down to how you use it.

                            pxlkng There is no reason to avoid installing sandboxed Play Services

                            Mobile advertising ID? I've had instances of Play Services reenable it, after having deleted the MAID manually before. Since I never checked, I was running around for months with it (unknowningly) enabled. I assume you know about the possibilities of MAID tracking, especially for location.

                              de0u
                              Ah, shit, I'm signed into Maps. That's why. Guess I'll have to create a burner account.

                              • de0u replied to this.

                                GrapheneOS

                                Creating a new account or not creating one makes no tangible privacy difference

                                I'm a noob, but I think I'll disagree with that. Making a burner account seems a lot better than using my 15 years old Google account that has every single detail about my life for the past 15 years. But now I wonder if making a burner account even makes sense, since my old account has now been used on my Graphene phone. Wouldn't Google just "link" those two accounts since they've been on the same device?