Switching from CalyxOS to GrapheneOS Privacy Concerns

wgb920

Given the recent issues with CalyxOS, I am thinking of switching to GrapheneOS. My biggest reservation is privacy concerns. I know many people says GOS is better for privacy, but I don't understand how that can be the case. If I install GOS and want to use apps that interact with Google Play services, I need to actually log into Google. On Calyx, with microG and the Aurora store, I can install apps that use Google Play services without ever logging into Google.

Many people have said that the tracking from Google is "less" with the sandboxed Google Play, but it seems like there is no tracking at all with Calyx because I never have to log into Google at all.
Many suggest using a throwaway Google account to log in, but I still need to use a phone number that can receive text messages to set that up and to log in again if I am ever logged out. Also, this is a hassle I don't have to deal with on Calyx.
Many say to just set up a separate profile for Google, but Google is still installed and logged into on the device. So Google is still tracking me and always listening to me regardless of the profile on which it is installed.
Many say using the Aurora store is worse than using sandboxed Google Play store, but I can get any app I want on the Aurora store without ever logging into Google. That seems more private. I don't understand what is so bad about the Aurora store.

I know it is not possible to keep Google from knowing anything about me, but I want them to know as little as possible.

I understand what people have already said about why they like GOS more than other custom ROMs for privacy, but I have not found any clearly stated reason why it is better to use GOS and log into Google for Play services than it is to use Calyx, or iodeOS, or any ROM that requires no login to Google.

jarell

wgb920 Hi. You do not need to log into a Google account to use apps that rely on Google Play Services. https://grapheneos.org/usage#sandboxed-google-play:

Signing in into a Google account is optional, unless you want to use features depending on being signed into an account. For example, some apps use Google account authentication instead of their accounts having a username and password. The Play Store requires being signed into an account in order to install apps or use in-app purchases. This is still true even for an alternate frontend to the Play Store. Aurora Store still requires an account but fetches shared account credentials from Aurora Store's service by default.

If you do chose to log into a Google account on a user profile, that profile is isolated from all your other profiles. https://grapheneos.org/usage#sandboxed-google-play:

Since the Google Play apps are simply regular apps on GrapheneOS, you install them within a specific user or work profile and they're only available within that profile. Only apps within the same profile can use it and they need to explicitly choose to use it. It works the same way as any other app and has no special capabilities. As with any other app, it can't access data of other apps and requires explicit user consent to gain access to profile data or the standard permissions. Apps within the same profile can communicate with mutual consent and it's no different for sandboxed Google Play.

GrapheneOS also provides a convenient way to put non-owner user profiles at rest so none of the apps inside can run. https://grapheneos.org/features#end-session:

GrapheneOS also enables support for logging out of user profiles without needing a device manager controlling the device to use this feature. Logging out makes profiles inactive so none of the apps installed in them can run. It also purges the disk encryption keys from memory and hardware registers, putting the user profile back at rest.

Viewpoint0232

wgb920 If I install GOS and want to use apps that interact with Google Play services, I need to actually log into Google. On Calyx, with microG and the Aurora store, I can install apps that use Google Play services without ever logging into Google.

That's not the case. You don't need to use a Google account to use Play Services, for example to get push notifications via Google servers (which I think is the main reason to use microG on CalyxOS). A Google account is required to download apps from the Play Store but you can just use Aurora Store, same as on CalyxOS. A further advantage is that you can install Play Services only to a specific profile (e.g. a second user profile, a work profile set up with an app like Shelter, or the 'private space'). Then, only apps installed in that profile will be able to communicate with Play Services and your main profile remains completely Google-free. Many apps including well-known ones like Whatsapp and Signal and anything from F-Droid do not need Play Services or microG to work and they will still have push notifications. You only need to install those apps that specifically depend on Play Services to work in the secondary/work/private profile where you have Play Services installed.

jarell

wgb920 To make your transition to GrapheneOS easier, I suggest you read https://grapheneos.org/features and https://grapheneos.org/usage.

xxx

wgb920

I switched long time ago from Calyx to Graphen and experience was/is stellar. Just make sure you read the guidance.

wgb920

Thank you @jarell and @Viewpoint0232 . That is all very comforting.

So is the Aurora store the best way to install apps if I don't use a Google account for the Play Store? Do I need to get an APK for the Aurora store from a browser on the phone? Is there a better way to get apps without logging into Google?

Also, if I have a seedvault backup for my phone from Calyx, will I be able to use that in a new GOS installation to add apps and data?

jarell

wgb920 Without signing into Google, Aurora and Obtainium are the most common options.

When you first install GrapheneOS, you can install Aurora Store from the Aurora Store website.

boredfridge

wgb920

Using the playstore would be better for security, using aurora would be better for privacy I guess. You can just download the apk from the official aurora store website.

As for seedvault, I think your calyx backup will be compatible with GrapheneOS.

xxx

wgb920 Is there a better way to get apps without logging into Google?

Perhaps read those short pages from Nitrokey to get an overview:

https://docs.nitrokey.com/nitrophone/

jarell

wgb920 Regarding Seedvault, I recommend you search through this forum for existing posts. You're not the only CalyxOS user that is making the switch lately so there have been some recent posts about backing up from CalyxOS to GrapheneOS.

Edit: found this https://discuss.grapheneos.org/d/24706-calyxos-grapheneos-seedvault

jarell

xxx I would recommend OP to read the official GrapheneOS documentation instead. A brief look at the site you linked already shows incorrect information. For example:

The Google Play Store cannot install and update apps due to the sandbox.

(https://docs.nitrokey.com/nitrophone/apps)

This is wrong.

xxx

jarell I know. But I think the faq covers most and nitro links to the official site. Op must read and think himself in the end.

Xtreix

wgb920 Use Obtainium or Accrescent if you don't want Google Play, Google Play Services on GrapheneOS is fully sandboxed and has no special privileges, MicroG has special privileges while Google Play on GrapheneOS work like a normal app in the standard sandbox, you don't avoid Google with Aurora. Sandboxed Google Play is a much better alternative with much better app compatibility.

https://discuss.grapheneos.org/d/13828-automatic-aurora-store-update-start-of-aurora-store/44
https://discuss.grapheneos.org/d/13828-automatic-aurora-store-update-start-of-aurora-store/46
https://discuss.grapheneos.org/d/14345-using-google-account-on-aurora-storeplay-store/4

Welcome to the community.

PS : GrapheneOS is not a custom ROM, this term is misleading and causes confusion for newcomers. ROM = Read Only Memory, that's all. GrapheneOS is a production-grade operating system.

Andromxda

This is a misleading narrative that The Calyx Institute and their supporters have pushed for a long time, often using shady and manipulative tactics. It's a fact that by default CalyxOS makes a lot more network connections to Google than GrapheneOS for basic stuff. This includes:

Network time
Captive portal
A-GNSS (SUPL)
DNS connectivity checks
Provisioning of hardware attestation
Widevine DRM provisioning
eSIM provisioning (the proprietary Google eUICC is preinstalled on Calyx, with no sandboxing and no way to disable it)

microG doesn't avoid Google services either. It too connects to Google servers, and even downloads and runs proprietary Google blobs on your device. It's not an open source alternative, as it wouldn't work without proprietary Google code. Also keep in mind that all the apps using Play services via microG have proprietary Google libraries embedded within them. microG is basically nothing more than a proxy between the proprietary Google libraries in apps that depend upon them, and proprietary Google services.

It merely gives you the illusion of control and privacy, while also decreasing your security, by requiring elevated privileges.

I recommend reading this German article by Mike Kuketz titled "CalyxOS: This is not how degoogling works" (the best English translation I could come up with), or checking out this chart: https://eylenburg.github.io/android_comparison.htm

If I install GOS and want to use apps that interact with Google Play services, I need to actually log into Google.

This is only true for certain apps. The majority of apps depending on Play services doesn't require you to log in. CalyxOS only bypasses this by granting microG elevated access to spoof the signature of Play services.

Many say to just set up a separate profile for Google, but Google is still installed and logged into on the device. So Google is still tracking me and always listening to me regardless of the profile on which it is installed.

That's not true. Profiles are isolated from each other. GrapheneOS also includes the "End session" button, which completely pauses all activity in a user profile, as well as wiping the encryption keys from RAM, putting it in BFU state.

always listening to me

Also I'm not sure what you mean by "always listening". If you're talking about microphone access, then no, that's completely false. Only the currently active profile has access to the microphone.

Many say using the Aurora store is worse than using sandboxed Google Play store, but I can get any app I want on the Aurora store without ever logging into Google. That seems more private. I don't understand what is so bad about the Aurora store.

You can choose to use the Aurora Store in Session installer mode on GrapheneOS. It doesn't require elevated privileges. The choice is up to you.

W1zardK1ng

wgb920 Sorry to say but you are completely misinformed.

Andromxda Have eplained it nicely.

Microg is no way better than sanboxed google play. Microg still connecs to google and share data, if u install sandboxed google play even that connects to google but microg runs as a system app.
in the other hand sanboxed google play is optional and runs like any other app, and eveything it can access is under your control, i prefer this.
also evey app uses google trackers in them share data with google, there is no escape from it unless you completely ditch almost all popular apps from playstore. But if its not linked to your real identity its not a big deal.

install the play service, revoke the internet access for play store and use aurora store insted of the playstore without logging in to aurora. though its not the best option.

To create a google account without phone number: create a new user profile or a clean owner profile, then install the play services and click on login in play store. Make sure you are not connected to any vpn.
Use mobile data or some public wifi, it will not ask for a phone number. do not use a complete random strings in the username, make it looks like someones name.

GrapheneOS

wgb920 You're immersed in misinformation about GrapheneOS from the CalyxOS project and community. Forget what you have heard about it from there because it's not at all accurate. There's absolutely no requirement to use a Google account on GrapheneOS and unlike CalyxOS it doesn't have privileged Google integration deeply built into the OS along with always connecting to Google servers.

CalyxOS didn't keep up with privacy and security patches, didn't provide comparable privacy or security features and has privileged integration of Google services into the OS. GrapheneOS doesn't connect to Google servers by default while CalyxOS and the other operating systems you're referencing always connect to them. You're still running Google Play code within the apps using it and still connecting to Google services via microG, but with an additional high privacy and security cost.

Sandboxed Google Play on GrapheneOS gives strictly less access and control to Google code than the microG approach on those operating systems. You do not need a separate profile to use sandboxed Google Play, do not need to use a Google account and do not need a phone number to make an account. Logging into a throwaway account does not enable tracking in any way that's not possible without it. Aurora Store still uses an account it fetches from them, which is very likely to stop working since it's against the terms of use and can be detected.

CalyxOS and the other operating systems you're listing are not suitable for privacy which at the very least requires keeping up with basic privacy and security patches, which they've never done. They've previously had delays similar to the current 3 months of not providing basic standard updates. This is going to be substantially longer and possibly permanent but other operating systems you're referencing are just as far behind on patches.