Help needed deciding what measures are needed for my threat model

bringbackmicrosd

I've looked into grapheneos features, I've done a lot of digging throughout the forums, and the number one recommendation I've seen is to have a threat model. After some thinking, I've done that, and now I come here for help outlining what steps I should take to secure myself.

With scales from 1 to 10, I want to lean in to about an 7-8/10 with regards to security, and a cool 5 or 6 with privacy. I want to protect my accounts as much as possible, hence why I use 2fa TOTP wherever possible, and use a password manager. To go a step further, I use grapheneOS to reduce my attack surface and protect myself from most 0 clicks that pop up, along with strong defaults.

With regards to privacy, here is where I'm not so sure. As far as I am concerned, most data I generate while using an app is theirs to keep. If I like a post, and they use it to target ads, I don't mind. After all, they gotta keep the lights on and I can't pay a subscription for everything.

Where I draw the line is borderline creepy behavior behind my back aka data they generate when I DO NOT use their service. Browsing history, pictures I never shared, background location (I never want anything shared to lexis nexis), etc.

What steps should I take to prevent this stuff from happening? Would using PWAs instead of apps help like for instagram or google maps? What about for discord? Does the app sandbox prevent this stuff from happening anyway? I know apps can communicate with mutual consent, but I'm having trouble wrapping my head around the actual impact this has on privacy. For now I just have every app in the Owner profile (along with PWAs wherever possible), but I'm wondering if the privacy benefits of multiple profiles would be worth the added hassle and battery drain.

FWIW I do try to use privacy respecting FOSS apps wherever possible. However, my social life does depend on non privacy respecting proprietary apps like Instagram and Discord, so I can't just not use them. I could limit what they can do to track me though (within reason).

elbert

bringbackmicrosd Does the app sandbox prevent this stuff from happening anyway?

Mostly yes. In order for an app on Android to access any of your personal data (such as pictures, location, ...) it needs a permission to do so. So if you don't grant the apps you're concerned about these permissions, they won't be able to access. Additionallly, GrapheneOS adds scopes for certain permissions like contacts or gallery so you can e.g. allow Instagram to see certain photos you selected.

bringbackmicrosd Would using PWAs instead of apps help like for instagram or google maps?

As I personally don't use Instagram nor Discord, I don't know how the PWA and the native app compare in terms of functionality. But if the PWAs are sufficient feature-wise you could use them to avoid having to install Google Play Services.
Google Maps on the other hand won't allow navigating in the web version, although there really good alternatives like Organic Maps or OsmAnd you should give a try. If you care about traffic warnings you can also have a look at Magic Earth, although it isn't open source, it has a far better privacy policy than Google Maps and works without Play Services.

bringbackmicrosd For now I just have every app in the Owner profile (along with PWAs wherever possible), but I'm wondering if the privacy benefits of multiple profiles would be worth the added hassle and battery drain.

In case you haven't stumbled upon it yourself already, there's this very good article about multiple profiles by some members of the community.

raccoondad

bringbackmicrosd

Your threat model is pretty reasonable, and easy to implement. My advice:

Use KeepassXC and an android client for the database. KeepassXC has clients for most devices, supports generating 2FA tokens, uses Argon2 with adjustable parameters, and is overall a nice password management system. All offline. Only issue is syncing with devices, that is a manual process (literally moving the file from device to device.)

Avoid downloading applications you don't trust, if you worry about data collection from trusted applications, use permissions to your advantage. For example, if you worry about Discord checking your files (not saying they do, just an example), you can disable file permissions or set up a scope for the files. That way, discord can only access files by having you choose files from the file explorer. I personally use discord this way to avoid sending photos I don't intend to send.

I use multiple profiles, its not horrible. Not a huge battery drain with my 6A. You get used to switching profiles quickly.

Just you using GrapheneOS helps a lot in exploit prevention, so overall you are set. Just keep in mind what you are doing, what apps you have installed, and what permissions those apps have.

bringbackmicrosd

elbert In case you haven't stumbled upon it yourself already, there's this very good article about multiple profiles by some members of the community.

I've read that article. It's a pretty good overview, and it's what got me to just install everything right now and just use my phone normally. It didn't go as in depth as I would like though into the pros and cons of the different setups and which one would be best for which type of person.

elbert Google Maps on the other hand won't allow navigating in the web version, although there really good alternatives like Organic Maps or OsmAnd you should give a try. If you care about traffic warnings you can also have a look at Magic Earth, although it isn't open source, it has a far better privacy policy than Google Maps and works without Play Services.

I installed organic maps through accrescent and it looks pretty good for car navigation. If my car had android auto I would probably use this all the time (next time I try to use navigation though I will try organic maps for sure). My biggest use case for google maps though is actually for bus times, so if you had any FOSS recommendations for that I'd be grateful.

elbert Mostly yes. In order for an app on Android to access any of your personal data (such as pictures, location, ...) it needs a permission to do so. So if you don't grant the apps you're concerned about these permissions, they won't be able to access. Additionallly, GrapheneOS adds scopes for certain permissions like contacts or gallery so you can e.g. allow Instagram to see certain photos you selected.

If I understand correctly, the only information sharing I therefore have no control is IPC, correct? Everything else they can collect is through permissions?

Thank you for taking the time to answer!

elbert

bringbackmicrosd My biggest use case for google maps though is actually for bus times, so if you had any FOSS recommendations for that I'd be grateful.

This largely depends on where you live and whether the region is covered. I personally use Öffi, if it doesn't have your region, you can try Transportr, which has slightly more networks supported. Overall, mostly European countries are covered. Alternatively you could have a look whether your local public transport agency provides its own app. Maybe they do better privacy wise than Google and might not need Play Services to work.

bringbackmicrosd If I understand correctly, the only information sharing I therefore have no control is IPC, correct? Everything else they can collect is through permissions?

Yes. GrapheneOS is working on app communication scopes, but it's not here yet.

bringbackmicrosd Thank you for taking the time to answer!

You're welcome!