Google Play Store and "hidden" connections

Usul

Hello,
I own a Pixel 9 with the latest version of GrapheneOS.
Recently, I've been interested in the different ways to configure applications installation.
I have a question regarding privacy and the use of Google Play Store (via GrapheneOS's App Store).
Indeed, unlike Aurora, Google Play Store makes a whole bunch of external connections (connections that I can see via NextDNS), see the list below.
Should I be concerned about the collection of information that may be circulating through these connections?
P.S. Maybe Aurora does the same thing on its side?

Thanks.

List of connections :
android.apis.google.com time.google.com gmscompliance-pa.googleapis.com www.gstatic.com android.googleapis.com geller-pa.googleapis.com www.googleapis.com pagead2.googlesyndication.com firebaseinstallations.googleapis.com fonts.gstatic.com play.googleapis.com play-fe.googleapis.com connectivitycheck.gstatic.com android.clients.google.com wallet.apple.com accounts.google.com simtransfer.goog g.co one.google.com pay.sandbox.google.com gds.google.com payments.sandbox.google.com quickshare.google wallet.google.com payments.google.com business.google.com accounts.sandbox.google.com proofing.upgradeparty.goog gaiastaging.corp.google.com staging-walletshare.sandbox.googleapis.com esimsetup.android.com walletshare.googleapis.com qr.quickshare.samsungcloud.com www.android.com enterprise.google.com pay.google.com my.play play.google.com market.android.com recaptcha.google.com digitalkeypairing.org proofing.gmsdrops.goog recaptcha.net quickshare.samsungcloud.com app.goo.gl cert-wallet.apple.com near.by

Morwendara

Yes, Google services do collect telemetry. But that's not the same as on Pixel OS. In GrapheneOS they run as normal, isolated apps. Therefore their ability to collect and transmit data is also limited. The number of domains they connect to doesn't mean much by itself — what's more important is what data actually gets sent.
Here's what one of the GrapheneOS developers wrote:

other8026 Apps cannot share data they don't have access to. So, if an app doesn't have access to anything, then it can't share anything with Google Play except for data collected in-app. We might not know what is shared, but if permissions are restricted, we know what can be shared, which isn't all that much.

This will be true for your question as well.

Morwendara

Also, take a look at this post:
https://www.reddit.com/r/GrapheneOS/comments/12a3r32/graphenes_sandboxed_play_services_vs_microg_on/
I think this applies to Aurora Store as well.
For that reason, I don't think there's much point in using third-party Google Play clients from a privacy or security perspective.

mmobder

Morwendara I don't think there's much point in using third-party Google Play clients from a privacy or security perspective

Aurora allows you to limit app update checks to be done only for apps installed by Aurora. GPlay store sends to Google servers whole list of your apps, including ones installed via Obtainium, Accrescent, etc exposing more info about you

Usul

Morwendara Thanks

harp

mmobder GPlay store sends to Google servers whole list of your apps, including ones installed via Obtainium, Accrescent, etc exposing more info about you

AFAIK only if Play Protect is allowed to detect apps not installed via GPlay Store. That's enabled by default, but you can opt out.

mmobder

harp are you sure that those are not separate processes - check for all apps updates and check for malware/protect?

kauyafrotrauci-4115

harp AFAIK only if Play Protect is allowed to detect apps not installed via GPlay Store. That's enabled by default, but you can opt out.

If I disable Play Protect in Play Store, will it be any different security-wise from just using Aurora store?

harp

mmobder are you sure that those are not separate processes - check for all apps updates and check for malware/protect?

That's my experience: If you disable Play Protect for all apps not downloaded through Play Store, all apps you install after that from other sources will not appear in the app list in Play Store and so there will not happen any update check for these apps within Play Store.

AcclaimSublevel19

kauyafrotrauci-4115 AFAIK it will still verify APK signatures making it much more secure than Aurora and at the same time you get automatic updates, which are very important for security.
I don't think there's any reason to disable Play Protect scanning. It doesn't weaken security and if you're lucky it might help you catch a security hole early.

EverettHitch

AcclaimSublevel19 very poor excuse for having to use Google Play apart from the obvious compatibility layer that doesn't work for some apps anyway.

Play Protect doesn't as much focus on scanning apps provided and vetoed by them as it does on scanning third party apps not provided by them (and lord knows what else it does on the side) which should not be their business. Aurora instead forgoes this security theater and gets apps straight from them according to your spoof manager. You still get notifications of updates and app can even autoupdate other apps if you can get it running in stable manner.

Obviously the app still provides information to Google but in a way reduced, restricted and pseudonymised since it doesn't rely on a particular Google account.

People need to know that there is more than one way of obtaining Play store apps (and not really a security nightmare, which can be argued) whether they will work or cause compatibilty issues. I am saying that with all the respect that I have for GrapheneOS developers and work they have done over the years.

littlerack

gmscompliance-pa.googleapis.com
Does anybody know what this gmscompliance-pa domain is used for?

AcclaimSublevel19

littlerack I don't know, but I block all Google domains and whitelist whichever ones are needed to avoid breakage. Here's what I've whitelisted:

play.googleapis.com
android.googleapis.com
play-fe.googleapis.com
play-lh.googleusercontent.com
(www.gstatic.com)
(dl.google.com)
(kstatic.googleusercontent.com)
(lh3.googleusercontent.com)
(ssl.gstatic.com)
accounts.google.com
firebaseremoteconfig.googleapis.com
accountsettingsmobile-pa.googleapis.com
content-autofill.googleapis.com
mtalk.google.com
(www.googleapis.com)
(www.google.com)

Domains in parentheses are the ones I've unblocked but I don't remember for sure whether they're strictly required for Play Store.
It's working fine for me like this, except for a few account settings pages which I don't really need.

littlerack

AcclaimSublevel19
www.google.com is frequently used by different services, last one I recall was google translate
dl.google.com was used by translate to download assets for offline translation, and also by Edge Gallery to download models.
lh3.googleusercontent.com - used by many apps, for Maps - photos of places, etc. for Play music, probably, album images, etc
ssl.gstatic.com as well as www.gstatic.com - I remember GBoard using it
www.googleapis.com - that's a domain for everythin. I remember I had to unblock it to enable some map-related applcations to work

But I'm specifically interested in gmscompliance-pa (gmscompliance-pa.googleapis.com) purpose

AcclaimSublevel19

littlerack Yeah, I already knew what all these were for, I was just unsure whether the Play Store specifically needed any of them or could function without them.

maprennegrulla

AcclaimSublevel19 Aurora requires gvt1, play-lh, play etc domains

AcclaimSublevel19

maprennegrulla IIRC gvt1 doesn't do anything useful and I'm doing fine without it everywhere (it's used by apps too). Are you sure Aurora requires it?

brummaucroubofoi

AcclaimSublevel19 gvt1

gvt with a zillion of subdomains is a cdn for actual packages data, isn't it?