How safe is to use sandboxed Google Play vs just going all FOSS?

wyntrson

I've been researching and reading about how much data does google get if I have daily apps like WhatsApp and Telegram along with a logged in google account?

But nothing points out to how much Graphene OS is stopping sandboxed Google play services from collecting data.

I know some basics data like IP address, notifications via FCM are inevitable and Google gets them anyway by being on every single website and app.

So what are the risks?

de0u

wyntrson If you use apps that are designed to track user behavior, they will collect behavioral data. For example, WhatsApp and Telegram will know who you communicate with when, and thus will probably know when you are awake and asleep (and thus something about where you live, even if you use a VPN that apparently places you elsewhere). Telegram historically has access to what you are communicating about.

On GrapheneOS you can put Google Play and WhatsApp and Telegram in a separate user profile and turn all of them 100% off whenever you want, which is not possible on the stock OS.

There is no way to turn a privacy-invasive app into a privacy-preserving app, so GrapheneOS can't do that.

harp

Only because it's FOSS doesn't mean it's guaranteed safe, secure and privacy respecting by itself. Though many FOSS developers won't implement something like trackers in their software because of their ideology, they principally able and allowed to do. As long as the code using such tracking services is FOSS itself it wouldn't violate the respective license. You cant take a look at the FOSS Apps only providing F-Droid Store, where you can read the warning for some apps, e.g. weather apps "depends (completely) on proprietary services". So it depends.

The same with security. A FOSS app can be extremely insecure depending on the skills and care of the respective developer(s). (Fortunately, the GOS devs are highly competent in this area.) So it always depends on the skills and claims of the devs. So whether open source or proprietary, it's always a good idea to do a quick search for each app to see if it meets your personal requirements.

As far as sandboxed Google Play Services is concerned, AFAIK it should not be able to access any information of your hardware identifiers like phone number, IMEI etc. until you actively allow to. The same with other OS concerning activities. Maybe with the exception, if an app installed by and communicating to Play Services has such a permission, it could pass these info to Play Services, depending on the app.

Another point is Play Protect. In Google Play Store you can choose, if Play Protect can also observe apps not installed by Play Store. (Play Protect is always active for apps installed directly from Play Store). As far as I remember this preference is enabled by default, so it may be recommended not installing any other apps in the same profile where Play Services are used before this is disabled in Play Store settings. I'm not sure how it works, but as far as I remember from earlier tests, when this preference is enabled, the Google account only shows apps as installed, that are actually available in Play Store. That does not mean, the others can't be recognized, actually they should . Also, Play Protect should probably be able to see the apps shipped with GOS. Some of them like Secure Camera or PDF reader or Auditor are also available in Play Store. But though they might be technically identical, AFAIK the GPlay Store and GrapheneOS store versions have different signatures, so Play Protect doesn't recognize them as available in Play Store. But initially this only means Google can see, what apps you have installed (depending on Play Protect preferences). Not what it is capable of beyond that.

But in general sandboxed Play Services in GOS are much more restricted than in other (stock) OSes. You should weigh up which level of safety or convenience is more important for your use case, if you use some services or apps in private space or secondary profile(s). You can find many threads regarding to these topics using the forum search.