Feedback / input on my spite model

SorryImLate

As the title says, I don't have a threat model so much as I have a spite model. Specifically, I want to minimise the income big tech companies (or anyone else who is monetising my personal data) make off me, and I'm willing to give up some convenience to achieve this. Also, f** AI and spiralling enshittification.

Switching to GOS is my first step on this journey and it's honestly taking me a lot longer to set up my new phone than I expected, because I keep going down rabbit holes trying to figure out the privacy and security implications of various choices. I would therefore really appreciate some feedback and input on where I'm at. This is a very long post, so thanks in advance.

Useful context:

I have no formal IT education. I'm more tech savvy than the average consumer but please ELI5
I live in Switzerland, so decent privacy laws
I'm not on a tight budget, and I'll be donating to any FOSS services I end up using. However, functionality needs to be good enough.
I'm switching from an iPhone and some Android specific things have been tripping me up

Main profile (Owner profile)

App Store
My apps are downloaded primarily from the sandboxed google play store. For this, I've created a new google account without my phone number, primary email, or payment information. I've opted out of every kind of history and tracking that I could, and deleted the advertising ID in the store.

I'm refusing to download any apps that require purchases via the google store, or apps that require play integrity. In these few cases I'm either using a Web App, or downloading the apps using Obtainium and confirming them with App Verifier.

Questions:
1) Am I only fooling myself with this new google account? I figure this wouldn't stop anyone from identifying me if they physically searched but hopefully this will make it more difficult for their system to automatically connect my old and new accounts, since I'm switching from apple to android, from google maps to organic maps, from outlook mail to a new provider (eventually), I've started using Adguard DNS, etc. so my fingerprint should be very different.

2) How risky is it to use Obtainium? I've seen lots of comments regarding security issues with F-Droid but not much about Obtainium. In particular, are there any additional risks and / or benefits to downloading an F-Droid APK via Obtainium?

VPN and DNS
I have an AdGuard VPN subscription but, after reading this awesome article, I've concluded that it's only useful to me if I use an unsecured wifi, or I want to hide my country for some reason i.e. rarely. My ISP uses CGNAT, and I'm pretty sure it's illegal for them to track me, so I have no reason to trust AdGuard over them with regards to my IP address.

I also have AdGuard DNS which provides private DNS as well as filtering out trackers and ads. (Here's a useful article for any future readers of this thread who, like me, had no idea what the Private DNS Mode setting was about: A cartoon intro to DOH)

I've therefore decided to set the Private DNS Mode to enabled, with the AdGuard Host entered.

Questions:
3) Am I right that a setup with a Private DNS that also filters ads and trackers is sufficient for my purposes?

4) I automatically received a personal AdGuard DNS subscription with my VPN subscription. This provides the ability to add blocklists, as well as a dashboard showing what traffic has been blocked, etc. However, in order for these add-ons to work, I have to enter a specific DNS host name, instead of Adguard's public DNS host name. It seems to me this is exactly what I don't want, since it makes it easy for Adguard to track my activity across all my devices. Yes, I can opt out of logging my DNS data, but again, I have no need to trust Adguard in this way. I'm therefore opting to use their public DNS instead. Does this make sense, or am I missing a value to the personal DNS service?

5) Am I correct that using the Adguard DNS will filter out trackers and ads from all internet connections, including trackers bundled with any apps I download? I understand that the apps can share data without trackers but I see no reason to make it easy for them.

Apps
I'm doing my best to avoid apps with lots of trackers, especially social media and ads trackers (thank you Exodus), and using web apps where it makes sense.

Question:
6) I haven't quite understood how using a web app provides better security and privacy than downloading the app. I think it has to do with the chromium sandboxing that Vanadium is using?

Also, just as an aside, the android Files app is horrendous. I understand GrapheneOS has just hardened / cleaned up the standard app, so no shade to you. However, I really miss the simple, clean interface of the Apple Files app. I'd love recommendations for alternative document management apps.

Private Space

For my private space I've created a 2nd new google account, sans email, phone number, and payment info, opting out of history, no ad ID, etc. In this space I've so far only put my banking apps (including one that uses Play Integrity sigh).

Question:
7) There are a few other apps that I don't use every day that I'm considering putting in there, purely because they have trackers. However, if the private DNS is blocking the worst of the trackers, this wouldn't add any value, right?

Email / Calendar / Contacts

The biggest hold up right now to using my new phone is moving away from outlook mail. I've had a Proton account for ages but never got around to setting it up. When I tried to set it up on GOS, I discovered that I can't sync my proton contacts with my android contacts. I really don't want or need 2 contact lists. I've also come to the conclusion that a Proton email would add no value to me because I don't know anyone else using Proton, or anyone encrypting emails for that matter.

So, I'm now leaning toward mailbox.org because it's based in Europe, they have an option to send PGP encrypted email if I ever feel the need, and I can use any email client I want.

Question:
8) I feel as if I might be behaving like a spoilt child regarding the Proton contacts thing. Is there a good reason to try make this work? Any ideas on how I could easily resolve the contacts issue (without self-hosting)? Or other votes for mailbox.org / another email provider? (Yes, I've looked at Tuta, but again I don't actually need encrypted email, and their apps are apparently not great.)

Thank you for reading if you made it this far :)

de0u

SorryImLate How risky is it to use Obtainium?

It depends on what you're trying to achieve 🙂

The core problem is that basically nobody is in a position to thoroughly audit all of the components of even one app, so in practice it is necessary to outsource some things to somebody.

In theory getting an app from the Google Play store means that Google has done a bunch of things:

Verified (to some extent) the author of the app,
Scanned the app for some indications of malicious behavior,
Contractually required the author to agree to use app data in only stated ways,
Committed to you to use data collected by Google responsibly,
Set up a semi-automatic mechanism to prevent you from accidentally running a stale version of an app,
etc.

Your trust in Google's performance of various of those items is up to you. But Obtanium isn't trying to do most of them. Obtanium is a simple bridge between you and the author of each app. If the author sells to somebody, or if the author's account is compromised, or if the author accidentally pulls in a new malware version of a previously-ok library... that's between you and the web site that Obtanium downloads the new app version from.

It's not so much that Obtanium is safe or unsafe, but rather that Obtanium connects you up to things that are either safe or unsafe. It's in the connection business, not the safety business.

de0u

SorryImLate (thank you Exodus)

https://discuss.grapheneos.org/d/20641-aurora-store-exodus-trackers/6

Mystified3527

SorryImLate

SorryImLate I have an AdGuard VPN subscription but, after reading this awesome article, I've concluded that it's only useful to me if I use an unsecured wifi, or I want to hide my country for some reason i.e. rarely. My ISP uses CGNAT, and I'm pretty sure it's illegal for them to track me, so I have no reason to trust AdGuard over them with regards to my IP address.

Proton mail is not the only thing you can use from proton; their vpn is one of the few reliable (and free!) ones available, with the other mainly recommended one being Mullvad.
I would consider these over AdGuard, especially if you only plan on using it only occasionally, proton's free VPN might work out better for you, and if not, Mullvad is often considered the top paid one.
If you decide to go this route, Mullvad also has a free DNS service: https://mullvad.net/en/help/dns-over-https-and-dns-over-tls available to anybody that also deals with trackers. This is what I use, and it might save you some money.

SorryImLate My apps are downloaded primarily from the sandboxed google play store. For this, I've created a new google account without my phone number, primary email, or payment information. I've opted out of every kind of history and tracking that I could, and deleted the advertising ID in the store.

I'm refusing to download any apps that require purchases via the google store, or apps that require play integrity. In these few cases I'm either using a Web App, or downloading the apps using Obtainium and confirming them with App Verifier.

Some of the setups listed in the first article here: https://discuss.grapheneos.org/d/21487-seprand-articles-and-guides-about-grapheneos-by-the-community
go over ways to minimize the access google has through play store, especially with the owner as app pusher setup.
You can further reduce the access apps have by separating them with profiles, as described in the link above, that way they have far less data available.

SorryImLate The biggest hold up right now to using my new phone is moving away from outlook mail. I've had a Proton account for ages but never got around to setting it up. When I tried to set it up on GOS, I discovered that I can't sync my proton contacts with my android contacts. I really don't want or need 2 contact lists. I've also come to the conclusion that a Proton email would add no value to me because I don't know anyone else using Proton, or anyone encrypting emails for that matter.

Proton does remove trackers from emails, and the emails themselves are stored encrypted on the Proton servers while at rest. I believe Outlook does not do this, and instead only encrypts in transit (please confirm this yourself), and you can send password-protected encrypted email to non-Proton addresses, though you need a secure way to get the password to your recipient, hopefully through signal. In general, Proton seems to be less invasive with email and doesn't monetize your data (they can't access much in the first place) unlike Outlook.
I can't help you with the two contact lists; they just have not bothered me since I don't email all my phone contacts, and I don't message/call all my email contacts.

zzz

SorryImLate
Great writeup, welcome to the land of the free.
You're doing great, don't be discouraged.

About Adguard - be aware of their ties to Russia, which they have taken pains to obscure.
https://discuss.grapheneos.org/d/13591-what-when-quad9-is-down/16

Seconding Mystified3527 that Proton VPN and Mullvad are great options.

About contact lists - what is the value in merging android contacts with proton contacts?
Genuinely curious, as I've never felt the need to do so.
I do notice that a one-time import is possible:
https://proton.me/support/adding-contacts

Best of luck!

SorryImLate

de0u That is very clear now, thank you so much.

I'm going to go buy myself a physical google play gift card so that I can buy apps on the play store without giving google my personal information. That will only leave Ko-Reader which isn't available in the Google Store.

SorryImLate

de0u Interesting input on Exodus, thanks, that confirms what I had suspected.

I've been ignoring their permissions valuation because I trust GOS will give me the best available protection there. I also already identified an app that has an ad tracker (as per Exodus) but in-app includes the option to opt out of personalised ads, so it makes sense that not all trackers will be active. That said, they're still helpful for identifying apps that include a long list of social media and ad trackers because I want to avoid such companies on principle.

SorryImLate

Mystified3527 Thank you very much for the detailed input.

I bought a 2-year Adguard VPN subscription last year (it was on sale and I was definitely mis-sold on what a VPN does). I've cancelled the auto-renewal but figured I would keep using the subscription until it expires. However, if I understand you correctly, it would be better to just write off that money and switch to Proton or Mullvad now, because Adguard's VPN isn't reliable, plus they're not a trustworthy company. Is that accurate?

Thank you for the link to Mullvad's DNS, I'll switch to that immediately.

Thank you for the Seprand link, it's a good article which I would have really appreciated 2 weeks ago :) (How did I miss that?? sigh) Anyway, I did consider using a secondary profile but concluded that it's probably overkill for me for everyday use. I'm not currently using my phone for work, and I'm not very active on social media, so I see no need for a separate "persona". Also, I figure if companies want to do underhanded communication such as using IPC, they could just as well use the LoopBack port like Meta and Yandex did - apparently that also functioned between profiles (I've been lurking on the GOS Discord and read that disturbing detail there.) I might change my mind in the future but for now I'm OK with just keeping my Banking apps in the Private Space. Good tip though.

No question I have to leave Outlook, and if only Proton were available I would make it work. However I've been using Outlook for 13 years now, and before that I had a hotmail account (technically still do), so I still have contact details in there from people I haven't seen in 20 years (yes, I'm old, and a data hoarder). I'm just really used to (and like) having a single contact source that I can use for signal, threema, phone calls, birthday calendar, e-mails, notes on their kids birthdays, etc. You raise an interesting point though, I wouldn't need to fully sync my email and phone contacts, just split my existing contacts into those groups. I should do some homework and see for how many contacts I actually use both.

SorryImLate

zzz Thank you for the encouragement, it's been a really interesting journey so far :)

I had no idea Adguard has Russian roots. I was considering switching to Mullvad eventually, so maybe I should do that sooner than planned.

Regarding contacts, it's partly for convenience, partly simply being comfortable with my current setup, and partly because my day job regularly involves combining multiple data sets and I see no reason to split data that belongs together. (Huh, I hadn't fully realised the last point until I started answering you.)

I'm used to having a single repository with all my contacts information, which I can access for whichever purpose I want, whether that is getting directions to their new address, creating a calendar with their birthdays, calling them, messaging them, e-mailing them, or remembering their kids names (seriously). If I understand correctly, I can't give other apps access to contact information stored by Proton. That means I would need to either split my existing contacts into 2 lists (one with email and birthday info for Proton and the other with phone numbers) or I would need to manually sync a single list. That just sounds annoying and mistake prone. Bleh.

SorryImLate

Mystified3527 Apologies, I realised after I replied to you that my brain had linked your comment on VPN providers with another reply I received

zzz About Adguard - be aware of their ties to Russia, which they have taken pains to obscure.
https://discuss.grapheneos.org/d/13591-what-when-quad9-is-down/16

So I realise that you hadn't actually made any comments regarding AdGuard's trustworthiness, I was just jumping to conclusions because you recommended other providers.

DeletedUser299

SorryImLate regarding Tuta. I disagree, the app on GtapheneOS is excellent.

SorryImLate

DeletedUser299 To be fair, I haven't tested any Tuta apps, I'm just going on what I've read online. I'm interested to hear your experience, thanks.

I guess I'm not convinced that my privacy needs justify a sandboxed environment like Tuta or Proton. Is there any point if no-one I email uses Tuta or Proton, or encrypts emails in any way?

de0u

SorryImLate I'm going to go buy myself a physical google play gift card so that I can buy apps on the play store without giving google my personal information.

I have never tried using a Google gift card, but lots of people have reported running into restrictions when trying to use them as an anonymity tool.

Mystified3527

SorryImLate

SorryImLate I bought a 2-year Adguard VPN subscription last year (it was on sale and I was definitely mis-sold on what a VPN does). I've cancelled the auto-renewal but figured I would keep using the subscription until it expires. However, if I understand you correctly, it would be better to just write off that money and switch to Proton or Mullvad now, because Adguard's VPN isn't reliable, plus they're not a trustworthy company. Is that accurate?

This I am not 100% sure about, I meant it more as in when the AdGuard subscription expires instead of renewing it, switch to Proton or Mullvad. I would have to do more research on AdGuard to tell you for sure if you should drop the subscription immediately.

If anyone else here has more info on AdGuard, please share it.

vlad

SorryImLate So I realise that you hadn't actually made any comments regarding AdGuard's trustworthiness

closed source privacy-related software originating from totalitarian country: what could go wrong.

SorryImLate

de0u Worth a shot anyway. I'll start with a small amount and see what happens.

SorryImLate

de0u Just an FYI / update on the use of a google play gift card for anonymity.

You are correct that the process doesn't support using a gift card anonymously. I managed to fudge it (kind of) but still had to give more information than I wanted. The gift card is also only usable for one-off purchases, it can't be used for subscriptions.

Here is detailed info on my experience, in case it helps someone else.

My first few attempts at adding the gift card failed, until it was "locked" and I had to provide "additional information". I don't know whether the lock was due to my age being unverified, giving business contact information, using a VPN, or a combination of the 3.

Age Verification:
Google (unsurprisingly) didn't believe my fake birthday of 1/1/2000 combined with no surname, and they had already downgraded my account to a "child" account with limited privileges. Apparently, in my country you have to be 13 or older to use a gift card (no idea why), so I had to verify my age (no, I don't live in the UK). The frustrating thing here is that at no point while trying to register the gift card did I get informed that my unverified age was an issue, I only discovered this after the gift card was locked.

In order to verify my age, my options were to upload an ID, upload a credit card, or use the PrivacyID webservice. I opted for the 3rd of those, which involves taking a selfie.

Contact information:
Google insisted on having an address and phone number before approving the gift card. I entered the address and phone number of our national Data Protection and Information Commissioner.

Perfect Hindsight:
1) Google now knows who my ISP is - switching off my VPN was my first move when registering the gift card failed.

Lesson learned: Do this while connected to a public wifi somewhere far from home (but still in the country your google account is registered for).

2) I updated my fake birthday to something closer to my real birthday when I read that they would be using a selfie to check my age. Afterwards, I read that Privacy ID claims that they simply advise whether or not you are age 18 or older, so this was probably unnecessary.

Lesson learned: Use a less obvious fake birthday than 1/1/2000 but otherwise, it should be fine as long as it determines an age above 18.

3) Google might have a photo of me - Privacy ID swears blindly the photo stays local but, again, who knows. The risk is higher here than was necessary because I had already downloaded and used chrome to verify my age on my main profile before you suggested switching off JIT in Vanadium. The JIT tip worked for my private space though, so thanks.

Lesson learned: Use Vanadium with JIT disabled for privacyid.com

4) Google now knows the municipality I live in. In order to unlock the gift card, I had to provide a copy of the purchase receipt, which showed the purchase location, which is very near my house.

Lesson learned: Buy the gift card in a shop far from your actual house.

Idea: Use a shop and public wifi that are both close to the business contact information that you provide, so that everything is nice and consistent.

Reading the above makes me feel rather stupid. Clearly, OpSec is not my strength. However, if it helps someone else who genuinely needs to be anonymous, it was worth it ;)

SorryImLate

vlad

vlad closed source privacy-related software originating from totalitarian country: what could go wrong.

Good point, well made. I'll switch.

de0u

SorryImLate

Thanks for the report!

Opsec is hard. People who professionally conceal themselves (e.g., spies) train for a long time and still make mistakes.

Some people who get into privacy-as-a-lifestyle end up in a vicious cycle of learning more about how people are tracked, then upping their behavioral restrictions, then learning more... and feeling that even though they are putting in more and more effort (and making their friends and family more and more nervous) they're always falling behind.

I think my personal use of GrapheneOS is fairly successful in part because my goals are modest (mostly I don't want to share my calendar and my contact list and my communication patterns with Google). And I realize that I am ok with limitations that many people would find shocking (no Play Store, no Android Auto -- what kind of smartphone is that???). But personally I think it's a good sign that I'm not on a "slippery slope" of spending more and more energy on privacy while feeling worse and worse about myself. If I found myself there I would try to figure out how to take a deep breath and evaluate all of the costs and all of the benefits of my current position versus what seemed like the plausible next positions.