Something tells me without extensive support of Play services, Firebase and Google analytics those libraries are by far not as powerful as some claim them to be.

    DeletedUser227

    They collect the same amount of data.
    Stop hoping it to be otherwise, come on the Matrix channels or on Discord and ask this question and many other knowledgeable community members will say the same as me.

      Do I understand correctly: this risk that an Android app may have code to send telemetry data to Google, or anywhere else for that matter, applies to any Android app downloaded via Aurora, Google Play, or direct APK download. So Aurora provides the benefit over Google Play of not requiring a Google account or Google Play services to download, but extends no protection over Google Play from telemetry. In theory Aurora adds no telemetry risk beyond Google Play, but only if Aurora pulls its APKs from the Play Store.

        rambleon

        There is no benefit in using Aurora Store as it is outright dangerous and insecure to use and overall just a dumpster fire of an application.
        It doesn't avoid any telemetry or data collection. Play Store apps bundling Google's libraries and those running and collecting data on their own is not a risk, but just normal and indeed happening.

        Use an anonymous account with the official Play Store instead.

          pxlkng there is no such thing as an anonymous Google account since as you hinted yourself through tracking, telemetry (and fingerprinting) it will ultimately lead to your deanonymization.

            pxlkng There is no reason to avoid installing sandboxed Play Services

            Mobile advertising ID? I've had instances of Play Services re-enabling it, after having deleted the MAID manually before. Since I never checked, I was running around for months with it (unknowingly) enabled. I assume you know about the possibilities of MAID tracking, especially for location.

              de0u
              Ah, shit, I'm signed into Maps. That's why. Guess I'll have to create a burner account.

                GrapheneOS

                Creating a new account or not creating one makes no tangible privacy difference

                I'm a noob, but I think I'll disagree with that. Making a burner account seems a lot better than using my 15-year-old Google account that has every single detail about my life for the past 15 years. But now I wonder if making a burner account even makes sense, since my old account has now been used on my Graphene phone. Wouldn't Google just "link" those two accounts since they've been on the same device?

                pxlkng my luck is only one app from northern light store uses network. So they get very little. I also browse with mostly JS off. At least I know my material. Play services can buzz off.

                  I can understand that some people find the claim that Aurora offers no privacy benefit over Play Store to be counterintuitive. Lots of online privacy communities recommend avoiding Google as much as possible, and my overall impression is that those communities still recommend that people use Aurora instead. Being used to hearing that Play Store must be avoided at nearly all costs in order to "deGoogle" as much as possible, it's understandably a surprise for people who come to the GrapheneOS community to suddenly hear that Aurora must be avoided and Play Store should be used instead.

                  But the claim that Aurora offers no privacy benefit over Play Store is true, if the apps you download contain Google proprietary blobs, which a lot of them do. They can collect the same amount of information from your device as Sandboxed Play Store and Services can.

                  https://xcancel.com/GrapheneOS/status/1870213347188129811#m

                  Aurora Store is simply a way to obtain apps from the Play Store. Those apps still come from the Play Store and are still APKs generated/signed by the Play Store which often include the Google Play SDK / libraries. You are not actually avoiding Google Play by using Aurora Store.

                  But there is genuinely a security cost to using Aurora instead of Sandboxed Play: https://xcancel.com/GrapheneOS/status/1832861969851814268#m

                  Aurora Store doesn't verify the packages it downloads came from the Play Store via either the signed metadata in the APK or another way. That means it's only secured with WebPKI TLS without enforced Certificate Transparency, which is really not good enough for package downloads.

                  In practice, that means that there is a risk that an app you install from Aurora could turn out to not be the genuine app.

                  By the way, you can create a Google account without providing a phone number in this way: https://listed.to/p/vznkmwrV5w

                  If you want to minimize the amount of data that Google collects about you, it seems pretty clear that you'll have to avoid all apps that contain Google proprietary blobs. In practice, that might imply using only open source apps that can be verified to not send any data to Google.
                  https://xcancel.com/GrapheneOS/status/1810304517927231527#m

                  If you want to avoid the Play Store, then you're going to have to avoid Aurora store too.

                  We aren't going to endorse installing apps from the Play Store in a way that's less secure than getting an APK with a browser. We've always been against performative privacy/security...

                  When users who are new to GrapheneOS ask questions about Aurora, I find that some users in this community tend to simply state that Aurora is a security and privacy risk but without providing any sources or details. But new users who are used to seeing Aurora being recommended understandably want more details. When sources and details are not provided, I'm not surprised to see them express confusion or frustration.

                  On the other hand, it's understandable that community members are tired of repeatedly explaining the risks of using Aurora, since it's so often brought up in this forum. Perhaps members who have knowledge on the subject could compile an article on it, which could be referenced whenever the topic is brought up.
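The signatures and signed metadata mentioned in the post above live in the APK Signing Block, which sits directly before the ZIP central directory. This added example (not part of the original post, and not code from GrapheneOS or Aurora Store) lists the blocks present in an APK; the sample bytes are constructed, and the ID labelled as Play Store metadata is an assumption taken from public reverse engineering. It shows presence only and does not verify any signature.

```python
import struct

MAGIC = b"APK Sig Block 42"
KNOWN_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    # Assumption: ID reported by public reverse engineering, not stated on this page.
    0x2146444E: "Google Play signed metadata (frosting)",
}

def signing_block_ids(apk: bytes) -> list:
    """IDs of the ID-value pairs in the APK Signing Block; [] if there is no block."""
    eocd = apk.rfind(b"PK\x05\x06")  # simplification: assumes no ZIP comment trickery
    if eocd < 0 or eocd + 22 > len(apk):
        raise ValueError("no ZIP End of Central Directory record")
    (cd,) = struct.unpack_from("<I", apk, eocd + 16)  # central directory offset
    if cd > eocd:
        raise ValueError("central directory offset out of range")
    if cd < 32 or apk[cd - 16:cd] != MAGIC:
        return []  # the block, when present, ends right where the directory starts
    (size,) = struct.unpack_from("<Q", apk, cd - 24)
    start = cd - size - 8
    if size < 24 or start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("corrupt signing block size fields")
    ids, pos, end = [], start + 8, cd - 24
    while pos < end:
        if pos + 12 > end:
            raise ValueError("truncated ID-value pair")
        length, pair_id = struct.unpack_from("<QI", apk, pos)
        if length < 4 or pos + 8 + length > end:
            raise ValueError("corrupt ID-value pair length")
        ids.append(pair_id)
        pos += 8 + length
    return ids

def describe(apk: bytes) -> list:
    return [KNOWN_IDS.get(i, f"unknown 0x{i:08x}") for i in signing_block_ids(apk)]

def constructed_apk(ids) -> bytes:
    """Constructed sample: 10 filler bytes, a signing block, an empty central directory."""
    pairs = b"".join(struct.pack("<QI", 7, i) + b"\0\0\0" for i in ids)
    block = b""
    if ids:
        size = struct.pack("<Q", len(pairs) + 24)
        block = size + pairs + size + MAGIC
    cd = 10 + len(block)
    return b"\0" * 10 + block + b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 0, 0, 0, cd, 0)

if __name__ == "__main__":
    print(describe(constructed_apk([0x7109871A, 0xF05368C0, 0x2146444E])))
```
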

                    n3t_admin thanks for this, I checked my Google settings in the Shelter work profile and nearly everything was set to default. Re Google account, I have it without a phone number, but if you don't use a VPN Google will correlate behaviour based on IP. This is proven, as my partner has a normie phone and gets ads on what I do in my work profile.

                    DeletedUser227

                    Browsing with JS off makes you stand out uniquely among all other users, as nearly everyone has JS enabled. It makes you easily trackable among sites. Disabling JS is anti-privacy, so you are obviously not "knowing your material".
                    Please stop attacking me like this.

                    fid02

                    Thank you very much for finally clearing this up with such a detailed message.
                    I'll link to that from now on, I always lacked the energy to look for all the Twitter sources and assemble such a message, but I should've done earlier.

                    DjBeau I'm signed into Maps. That's why.

                    That would do it!

                    GrapheneOS I assume you mean if you have Play Services installed using an account there's little to no privacy differences to not using an account? That seems logical.

                    Clearly, no Google account, no Play Services and using apps without google (and other data collection) libraries will have a fairly substantial privacy benefit.

                    This discussion has made me nervous as I have installed the banking apps from the Aurora Store on a secondary profile with Play Services installed. They work normally without any problems (only Binance asks for the Play Integrity API constantly, even when not open). Do you think that with this setup there is a risk of installing an invalid application via update and possibly interception of data? If so, what do you suggest to fix this security issue? Perhaps installing the Play Store and updating the apps there? Or uninstall and reinstall from the Play Store?

                      Goseur7 I have done that. Moved everything that's not installable via Obtainium to the Play Store. I only use Aurora for apps I have to spoof my device so that they work.