Is using sandboxed Google Play worth it when it comes to privacy/compatibility?

coral-mountain

After using GrapheneOS for a while I ran into cases where things don't work due to the missing Google Play Services. I would like to get enough convenience and compatibility without the need to carry an additional "vanilla" Android phone while minimising the amount of data being sent to Google.

Could you help me understand this feature more? While it seems that a lot of apps communicate with Google once Google Play and Google Play Services are installed, I'm curious about the specific advantages and disadvantages of this feature. As I understand it, one benefit is that Google apps will have lower permissions, preventing them from accessing certain files, such as photos. However, I'm wondering if this feature provides sufficient privacy, or if a significant amount of data is still being sent to Google. Additionally, could you help me understand what I should be careful about and in what ways could this feature be used to achieve the best convenience and privacy?

pxlkng

coral-mountain

Play Services are fully sandboxed on GrapheneOS and run completely unprivileged in the same app sandbox like everything else without any elevated permissions or system integration.

It only has access to what you specifically grant it via permissions. Apart from the permissions it only has very limited unprivileged access, hence the privacy impact is quite low.

If you are already using Play apps from insecure sources like Aurora Store, you already suffer this privacy reduction (as Aurora Store does not avoid Google and you having Google libraries still running on your phone without Play Services present) and installing Play Services to properly get those apps from the official Play Store would make no privacy reduction for you anymore, even improving your security and by extension privacy.

Read here for more information:
https://grapheneos.org/features#sandboxed-google-play
https://grapheneos.org/usage#sandboxed-google-play

And interesting as well:
https://grapheneos.org/faq#hardware-identifiers
https://grapheneos.org/faq#non-hardware-identifiers

grapheneos-enthusiast

In short, sandboxed google play means that once installed it operates in the standard android app sandbox (that requires apps to explicitly ask for permissions via toggles), while in "vanilla android" -not AOSP - it is usually installed as a system/admin application, with all the permissions granted by default.

The sandboxed-google-play compatibility-layer teaches the play store and play services how to work in the standard app sandbox, in practice it is how the aforementioned feature is implemented.

In general, you can achieve full compatibility in grapheneOS for almost any application, even via exceptional toggles to enable the compatibility mode (this disable some exploit protection features, which are not related to the google-compatibility layer). Only app that may not work are those that make use of the unfair Play Integrity API, specifically some banks (I suggested reading the bank compatibility reports in the PrivSecDev GitHub), while others specifically support GrapheneOS by implementing their attestation API.

I suggested reading the SePrAnd article on profile configurations to understand which setup might be the best for you. In short, you can have all the Google blootware installed in a separate profile and have control over which apps can access it and put the profile at the rest whenever you are done.

coral-mountain

grapheneos-enthusiast As I understood, you cannot really get the same level of convenience as vanilla Android.

I think of several levels of convenience/privacy:

Install Google Play on the same profile, allow network access, allow push notifications. This would be the most convenient but I assume that any app would then be able to talk to Google whether I want it or not.
Install Google Play on the same profile, block network access. This would mean no push notifications but at least those apps that need Google libraries could still work in the same profile.
Install Google Play and any apps that rely on it on a separate profile. This would be the least convenient way but the most private. Any important apps would be protected.

I wish there was an easier way 😿

Rand-Uzer

Do you require paid apps? If no, simply use Aurora store, get it in the F-Droid store

coral-mountain

Rand-Uzer Not really what I had in mind. Imagine I want to let grandma start using GrapheneOS when she knows only the basics of Android. I want her to have the most privacy without sacrificing convenience. Letting her use Aurora and F-Droid would probably mean no more of that sweet apple pie for me 😂

pxlkng

Rand-Uzer

F-Droid and Aurora Store are not recommended due to partly rather severe security issues. Aurora Store also has no privacy benefit over using sandboxed Play Services with an anonymous Google Account.

Both should be avoided for normal usage.
There are some niche special use cases for Aurora Store, like bypassing Play Integrity checks on App listings with it, but sandboxed Play Services is better in nearly every regard otherwise and should be preferred.

pxlkng

coral-mountain

IPC - apps communicating with each other - requires mutual consent from both apps.

Apps wanting to talk to Play Services in the first place will very likely already have Google libraries bundled. This would mean that they could still facilitate the same tracking and data collection even without Play Services present. (or with them unable to communicate with it)
So it doesn't make much difference to allow those to communicate with Play Services, or to allow Play Services internet permission.

Apps not bundling Google libraries, like FOSS apps, would have no reason to talk to Play Services; at least no reason to share any important data with it.

All this means that it isn't really necessary to choose one of the setups you described. You can simply just have all your apps along Play Services in your main profile without making life harder on yourself.

Open_Source_Enjoyer

pxlkng F-Droid and Aurora Store are not recommended due to partly rather severe security issues.

What are these security issues?
F-Droid is a lot more strict than Google Play Store when it comes to what apps they allow in.
If I remember it right, they only allow reproducible open source software in their official repository)
If you add third party F-Droid repository this can of course change.
Aurora Store just mirrors they Google Play Store.
Please correct me if I am wrong.

pxlkng Aurora Store also has no privacy benefit over using sandboxed Play Services with an anonymous Google Account.

Google Play Store is closed source software with network permission that then can extract data from every other closed source software over Inter Process Communication, for example from the Google Camera.

sophia_st

pxlkng using sandboxed Play Services with an anonymous Google Account

pxlkng Use an anonymous Google account without any PII or phone number associated for best privacy

Can you please explain? What is PII, how can I register there without a phone number or IMEI getting exposed exactly?

EDIT: regarding IMEI, I guess it can't access it: https://grapheneos.org/faq#hardware-identifiers

trashaccount

pxlkng Aurora Store also has no privacy benefit over using sandboxed Play Services with an anonymous Google Account.

Just spreading objectively false info at this point.

Open_Source_Enjoyer

pxlkng IPC - apps communicating with each other - requires mutual consent from both apps.

Apps wanting to talk to Play Services in the first place will very likely already have Google libraries bundled. This would mean that they could still facilitate the same tracking and data collection even without Play Services present. (or with them unable to communicate with it)
So it doesn't make much difference to allow those to communicate with Play Services, or to allow Play Services internet permission.

It doesn't matter if someone uses apps with Google libraries and all their tracking when these apps have no network permission and therefore can never extract their collected data from the device.
But if only one app with Google libaries gets network permission (and to install or update apps with the Google Play Store, you obviously have to give it network access) this principle is broken because all apps can use IPC to extract their data with the one app that has a network connection.

pxlkng

Open_Source_Enjoyer that then can extract data from every other closed source software over Inter Process Communication

This is completely wrong. This has nothing to do with licensing or source availability. There is no direct correlation between security/privacy and proprietary or FOSS. If something, proprietary is often more secure than FOSS.

Apps cannot just extract any data through IPC. Like I explained, IPC requires mutual consent. Google Camera talks with Play Services because it contains Google libraries and is from Google. It doesn't need Play Services to "exfiltrate" data or do tracking/data collection.

Proprietary and closed source code also is not a black box. It is perfectly possible to fully audit what closed source code does, the source does makes this easier but is in no way required.

Open_Source_Enjoyer What are these security issues?

https://xcancel.com/GrapheneOS/status/1883895255142932816#m
https://gitlab.com/ironfox-oss/IronFox/-/issues/7
https://privsec.dev/posts/android/f-droid-security-issues/

Open_Source_Enjoyer F-Droid is a lot more strict than Google Play Store when it comes to what apps they allow in.

Those are very flawed and many can be trivially bypassed. It has been shown in the past that those requirements can even be bypassed for months without anyone noticing. (Example wireguard)

Open_Source_Enjoyer Aurora Store just mirrors they Google Play Store.

Exactly this is the reason why it has no privacy benefit.
It also is way less secure than Play Store, in my opinion even dangerous to use it, due to it not properly verifying the authenticity and integrity of downloaded apps and not having working auto-updates, leaving you potentially without critical security updates. It also tends to download wrong versions of apps or mess other things up.

Open_Source_Enjoyer IPC to extract their data with the one app that has a network connection.

This may be true, but Google cannot collect much data in the first place. Apart from what the libraries can access unprivileged (like some nonpersistent identifiers and similar rather benign stuff), they can only access the data that apps bundling them explicitly give them.
For example, Signal uses empty messages for FCM push, instead of sending the message content over it. Therefore it at most leaks the time of messages being received to Google.
Use an anonymous Google account without any PII or phone number associated for best privacy.

The described approach feels way over exaggerated and is certainly not necessary for most people to have good privacy.

Open_Source_Enjoyer

pxlkng This is completely wrong. This has nothing to do with licensing or source availability. There is no direct correlation between security/privacy and proprietary or FOSS. If something, proprietary is often more secure than FOSS.

pxlkng Proprietary and closed source code also is not a black box. It is perfectly possible to fully audit what closed source code does, the source does makes this easier but is in no way required.

The effort to audit and find evidence for a privacy violation is 10x harder on proprietary apps than on closed source apps.
FOSS apps often have much better privacy policy then closed source apps. And if one writes source code that violates the privacy policy, its a lot easier to actually caught them and sue them.

pxlkng Apps cannot just extract any data through IPC. Like I explained, IPC requires mutual consent. Google Camera talks with Play Services because it contains Google libraries and is from Google. It doesn't need Play Services to "exfiltrate" data or do tracking/data collection.

Do extract data the Google camera needs to connect to a server.
If it doesn't has network permission by itself, it need another app to extract the data.

Open_Source_Enjoyer

pxlkng Open_Source_Enjoyer What are these security issues?

https://xcancel.com/GrapheneOS/status/1883895255142932816#m
https://gitlab.com/ironfox-oss/IronFox/-/issues/7
https://privsec.dev/posts/android/f-droid-security-issues/

Open_Source_Enjoyer F-Droid is a lot more strict than Google Play Store when it comes to what apps they allow in.

Those are very flawed and many can be trivially bypassed. It has been shown in the past that those requirements can even be bypassed for months without anyone noticing. (Example wireguard)
The strongest critique point seems to be that F-Droid can't always enforce their rules, but this doesn't make them more vulnerable then app stores like Google Play Store that don't have such rules in the first place.
This would only be a problem if one is assuming that all F-Droid apps are 100% trustworthy and give them every permission they ask for.

pxlkng Exactly this is the reason why it has no privacy benefit.
It also is way less secure than Play Store, in my opinion even dangerous to use it, due to it not properly verifying the authenticity and integrity of downloaded apps and not having working auto-updates, leaving you potentially without critical security updates. It also tends to download wrong versions of apps or mess other things up.

The privacy benefit is that you don't need to run proprietary software with network permission on your device to get apps.
Auto updates are not necessary for security. Aurora Store can just send you a notification if you need to update.

pxlkng This may be true, but Google cannot collect much data in the first place. Apart from what the libraries can access unprivileged (like some nonpersistent identifiers and similar rather benign stuff), they can only access the data that apps bundling them explicitly give them.

So you would say that apps with google libraries and closed source code can't collect and extract data?

pxlkng For example, Signal uses empty messages for FCM push, instead of sending the message content over it. Therefore it at most leaks the time of messages being received to Google.

Signal is FOSS already, but what is with apps like the Google Camera or Gboard (not me, but some people use it on GrapheneOS and think they are safe jsut because they remove network permission).

pxlkng

Also to add, there are more ways apps could exfiltrate data, than just IPC and network permission, in theory.

As I had learned myself some time ago, the network permission being revoked does not completely and reliably restrict every access or prevent all data being sent to the internet. There are ways apps could still do it on other ways, if they really want to.

Though it is rather unlikely that apps will go such great lengths to send a bit of data to Google.

Open_Source_Enjoyer

pxlkng As I had learned myself some time ago, the network permission being revoked does not completely and reliably restrict every access or prevent all data being sent to the internet. There are ways apps could still do it on other ways, if they really want to.

pxlkng This is not true. While IPC is one possible vector, like I explained above, apps can still exfiltrate data over other means to the internet, bypassing the network permission's restriction, so they do not necessarily need another app or network permission.

Source?

trashaccount

pxlkng the network permission being revoked does not completely and reliably restrict every access or prevent all data being sent to the internet. There are ways apps could still do it on other ways, if they really want to.

How?

skywing

Aren't Playservices also a privacy issue in terms of notifications?
Aren't one giving Google more information that way, than with Aurora, because most (all?) notifications are handled by Playservices, when installed?

pxlkng

skywing

Depends on how an app implements this. I explained this on the example of Signal already.
I would expect many apps to use FCM only for wakeup and not actually transmitting sensitive data over it.

skywing

pxlkng Depends on how an app implements this. I explained this on the example of Signal already.
I would expect many apps to use FCM only for wakeup and not actually transmitting sensitive data over it.

And how am I able to know, which apps I can trust, that they act this way and do not send sensitive data by letting Playservices handle their notifications? This is a privacy impact I do not have to worry about, when I use Aurora.

pxlkng

Open_Source_Enjoyer The effort to audit and find evidence for a privacy violation is 10x harder on proprietary apps than on closed source apps.

This still has nothing to do with licensing.

Open_Source_Enjoyer If it doesn't has network permission by itself, it need another app to extract the data.

This is not true. While IPC is one possible vector, like I explained above, apps can still exfiltrate data over other means to the internet, bypassing the network permission's restriction, so they do not necessarily need another app or network permission.

DeletedUser338

pxlkng bypassing the network permission's restriction

Any proof on that?

Open_Source_Enjoyer

pxlkng This still has nothing to do with licensing.

Not with the legal licence but with the source availability that comes with it.

coral-mountain

pxlkng While IPC is one possible vector, like I explained above, apps can still exfiltrate data over other means to the internet, bypassing the network permission's restriction, so they do not necessarily need another app or network permission.

You have provided quite a lot of valuable information. Still, I don't know if I get it all.

It appears that having Google Play and Google Play Services with network permission enabled is not as bad as people usually think. However, didn't you imply that it is only okay if you use FOSS software or proprietary software that you trust? When you use FOSS apps, you can be sure they don't do IPC with Google and you said that proprietary apps can be reverse engineered at least to some extent to see what they share using IPC.

What about apps that I need to use daily and can't trust? Let's see a specific example. WhatsApp is hard to avoid. While the messages in WhatsApp itself are encrypted, what happens when you get a push notification? Can Google see those messages that appear in the notification area?

Also, what other ways can apps use to get the data out without network access? I couldn't think of anything besides Bluetooth. Have you heard of any popular apps that have been caught doing something like this?

DeletedUser203

Is using sandboxed Google Play worth it when it comes to privacy/compatibility?
Reading this thread just enforces the fact that G+#gle is an absolute nightmare privacy wise and in my opinion best avoided, but the often quoted options Fdroid and Aurora store are a nightmare security wise.
G+#gle is Big Brother and Fdroid and Aurora store are room 101, either go to the app developer direct or learn to live without it.

Open_Source_Enjoyer

DeletedUser203 but the often quoted options Fdroid and Aurora store are a nightmare security wise.

They are not a nightmare, you only need to do 2 things:

Don't assume that apps are secure jsut because they are in F-Droid
Check the stores regularly to get updates