Google Play Services Question - Zero Click Spyware Risk Mitigation

DeletedUser244

Hi!
My objective is to install very few selected safe apps such as signal, proton VPN and proton mail. With that being said I tried the way of downloading Accrescent then App Verifier then Obtainium and download the apps verifying the signatures - I am not very advanced with tech so I could not successfully verify the signatures with the GitHub downloads with download method already mention. THAT BEING SAID, while looking for an easy alternative to securely download the apps people told me that via google play services on Graphene OS I would NOT need to worry about app updates, nor verifying the signatures, and that google play services wouldn't weaken my device defense against spyware as long as I download secure apps - which I hope that is in fact the case. SO MY QUESTIONS ARE: I know I need a google account (with phone number) to access google play services SO can I be with peace of mind that this google play store would NOT be an attack vector for zero click exploit spyware (as whatsapp, for example, as we saw in the news coming from Italy) AND when setting up the log in at google play store - related to the first part of the question - would it be necessary to use a google account created with a burner phone, or could I use an account of mine that is related to my phone? So am I overthinking and can I just go the way of google play services with an account that is related to my phone, or go the google play services way with an account that is not related to my phone, OR google play services is safe (with an account related to my phone) in terms of not weaken my device defense against zero click exploit spyware as long as I only download safe apps such as signal, proton mail and VPN?
Many Thanks to everyone that helps!

DeletedUser495

DeletedUser244 using Google Play may be objectively most secure way to install apps but it nevetheless opens up way to installing apps that may not be as lucky in regards to zero-day exploits not least because of the the sheer number of apps you are able to obtain this way and the fact that malware is routinely discovered in Play Store despite all its security claims.

raccoondad

DeletedUser244 "that this google play store would NOT be an attack vector for zero click exploit spyware"

I mean there is genuinely zero way to assure this for anything ever, but in the case of sandboxed google play, it would be harder to do damage than any other android OS running google services (as an admin process)

In other words, everything could be an 'attack vector', in the sense anything could be exploited at some point for some reason, but if such an issue as found, it would effect every other android device running Google Play Services, before GOS.

I don't think you need a phone number, but its been a bit, probably an email tho.

You should only download "safe" apps, yes. I don't really know the definition of an 'unsafe' app but generally don't run untrusted code on any device. WhatsApp is a 'safe' app, it has trustable publishers, it had a vulnerablity however.

If you REALLY are scared of zero click exploits (and to be clear, these are fairly rare. And get patched quickly):

Keep GOS updated, try to avoid disabling exploit prevention features on apps (not always possible), keep your apps updated, keep up to date with android app CVEs.

DeletedUser244

DeletedUser495 Thank you for your response. Suppose I strictly narrow my apps to those 3 (signal, proton vpn and proton mail) what approach would you take to get them and at the same time not weaken your defense against zero click spyware? Any idea would be greatly appreciated!

DeletedUser495

I think your deciding factor for getting an app should be memory tagging errors and some recent posts suggest some of the Proton apps do exhibit them. I personally use Proton Mail and Drive as a web app.