Concern about whether Google Play Services are truly sandboxed

momo55

Hi everyone, first off, thanks to anyone who leaves a comment.

I never questioned whether Google Play Services are truly sandboxed, but recently I got curious and ran a test that worries me. The test was performed on a factory-reset Google Pixel 6 with the latest GrapheneOS update.

Environment

20 GrapheneOS user profiles

No SIM card

Profile setup

“Allow running in the background” was disabled for each user (from the owner profile)

Each profile was in airplane mode (to reset SIM-related ISO codes that could be used for fingerprinting)

Each profile had the app RethinkDNS installed to connect to a SOCKS5 proxy. Android settings were set to “Always-on VPN” + “Block connections without VPN.”

Each profile’s local settings (timezone, language, etc.) were set to match the proxy location

Google Play Services was installed only after each profile was configured as described above

Proxy details

I used four different proxies (so five user profiles used the same proxy)

Each proxy is located in a different country

I rotated the proxy IP before switching to the next profile to avoid IP bans that might skew results

Test behavior

Open Google Play Store app → create a Gmail account

Results

The first eight account creations succeeded; then account creations failed. Proxies were alternated during the test.

Conclusion
This suggests Google Play Services may not be fully sandboxed and could be collecting device-specific information that enables fingerprinting. Another possibility is that the proxy connection via RethinkDNS leaked and exposed the local IP address. Either way, the result is concerning.

If you have ideas for further checks I’d love to hear them.

One note: Proxy quality is good. It is not a proxy quality issue

23Sha-ger

momo55 The first eight account creations succeeded; then account creations failed. Proxies were alternated during the test.

You are just using GOS to register google accounts for whatever blackhat reasons. 20 accounts? After 8 got rate limited, because you kept the old ones still without a separate profile. "proxy quality" etc. This is not Blackhatworld forum.
One note: you are a spammer.

fid03

momo55 The first eight account creations succeeded; then account creations failed. Proxies were alternated during the test.

You are not saying what about the account creation failed?

momo55 This suggests Google Play Services may not be fully sandboxed and could be collecting device-specific information that enables fingerprinting. Another possibility is that the proxy connection via RethinkDNS leaked and exposed the local IP address. Either way, the result is concerning.

And another possibility is that the IP addresses were simply pre-marked by Google as being suspicious or blacklisted. You are saying that the quality of the proxies are good. What is it about them that is "good"?

The GrapheneOS and GmsCompat source code is there for people to inspect. If someone can pinpoint aspects of the code which makes Play Store escape from the Android app sandbox, I'm all ears.

There can be numerous explanations to Google account creations failing, and it's not clear to me why a sandbox escape/failure would be one of the most likely conclusions to ponder here. VPN leaks are of course possible. Are you able to demonstrate one?

n3t_admin

momo55 This suggests Google Play Services may not be fully sandboxed and could be collecting device-specific information that enables fingerprinting.

And who exactly said otherwise? There are a LOT of identifiers apps can access without having any permissions. There also is no "true sandbox". The sandbox means that apps are restricted to what other apps' data they can access and have to follow the permissions they're given, unlike privileged apps that can be really invasive.

momo55 Maybe this is the breaking point.

Most likely one of the breaking points. I would expect Google to implement a reaction time tracker that measures time between taps/clicks to determine spammers and bots for Google account creation specifically.

Also keep in mind that these companies are not stupid. Tracking a device or a person based off IP alone was en vogue 20 years ago - pretty much no one does that anymore. It's a combination of identifiers where IP address is not that important anymore. What I'm saying is: basing test results on IP address alone is not representative for such scenarios.

gvprtskvni

Could it be related to this? :
https://discuss.grapheneos.org/d/19484-unique-drm-id

momo55

gvprtskvni yes thanks

momo55

23Sha-ger whatever you say man...

momo55

fid03 that's a good question. I can say that the IP's were 99% not marked by google. So this is not a potential breaking point of the test. At least very unlikely. IP leaks on the other hand could be present. I don't know if and cannot prove if they are.

Also just learned about the Media DRM ID. According to a response of the official graphene os account in this forum this ID is persisten across user profiles for the same apps.
Source: https://discuss.grapheneos.org/d/19484-unique-drm-id
Maybe this is the breaking point.

DeletedUser464

fid03 Hello, has GrapheneOS already been audited by a third party? If so, I would like a link.

fid03

momo55 I can say that the IP's were 99% not marked by google. So this is not a potential breaking point of the test. At least very unlikely.

Can I ask why you are sure about this? It's not easy for other people to judge if that might be a fair assessment unless we know more about the proxies you are talking about. It's known that Google at least demands that you provide a phone number if your IP address is slightly suspicious, such as registering behind a VPN. It would be the easiest way to block registration.

Also I'm still wondering what specifically you mean by account creation failing. Were you blocked from creating an account? Did you get an error message? Again, not easy for other people to assess your testing without having more specifics.

fid03

DeletedUser464 Hello, has GrapheneOS already been audited by a third party? If so, I would like a link.

https://grapheneos.org/faq#audit

DeletedUser495

DeletedUser464 https://www.kuketz-blog.de/grapheneos-der-goldstandard-unter-den-android-roms-custom-roms-teil7/

Is this enough of an audit for you?

DeletedUser464

DeletedUser495 This is a very advanced article but not an audit.

DeletedUser464

DeletedUser495 The author wrote: "All articles on this blog exclusively reflect my personal point of view and are independent of LfDI BW and my professional activity." for his blog post he did not have access to the GrapheneOS infrastructure, he did not analyze the GOS servers... it is a push test but not a security audit.

DeletedUser495

DeletedUser464 audit is the evaluation of a subject matter against criteria. Without criteria, you don’t have an audit, you have a witch hunt. And we were having none of that.

DeletedUser464

DeletedUser495 Where in the article, does the author analyze the code? There is no audit like proton and others do.

DeletedUser495

DeletedUser464 good luck searching. I prefer to put my trust in GrapheneOS based on what I have learned this far, rather than other multiple times audited and rewieved products. And of course, no one is stopping you to go over it yourself, we'll be grateful for reports of any backdoors.
https://github.com/grapheneos