Is going the hard way w/o GPlay services worth the effort?

Semiconductor

Hi all,
going through the posts in this Forum about how people use to set up their GOS powered phone, I noticed one particular pattern:
For the average user, the developer of GOS to recommend to use the phone like a normal Android phone with sandboxed GPlay store, as this offers the best compromise between usability and less surveillance by the big G (at least compared to standard Android on any average phone).
Instead of following this advice, many user set up at least one profile without any GPlay store, by manually installing the APKs from external sources.
But I assume the developers will make their recommendation for a reason.
So my question is: How much will GOS' approach with sandboxed GPlay reduce the "chattiness" (telemetry data being sent) of my phone to the big G? As I am no expert, it's hard for me to estimate, how the quantity and above all the quality of the data being sent to Mountain View will decrease.
And second: If I go the hard way by installing APKs manually (w/o GPlay), will this reduce the quantity and quality of the submitted telemetry once again, or is it not worth the effort at all? To my understanding the lack of GPlay should cut one important transmission line in the OS which allows the big G to get as many data as they normally get on an average Android phone. But maybe I totally overestimate the benefit of a completely GPlay-free phone compared to sandboxed GPlay, hence my question.
I don't know if it exists, but some data regarding that would be highly appreciated. Maybe some of the experts over here can give an estimation for a better understanding?

IDtheTarget

Semiconductor

I'm new to GOS as well, and I'm trying to learn more about the various threats and risks involved in Google Play as well.

This is probably a good place to start, as it explains some about the Google Play sandbox. After reading it, I'm personally not quite clear about when the GOS team is speaking about "Google Play" the app versus "Google Play Services", but that's probably because I'm not familiar enough with the architecture to understand the context properly. So, I'm trying to read and learn more.

I remember reading a forum post recently about apps being able to talk with each other within a profile, but I don't remember enough details to find it, sorry. The upshot (as I recall) is that apps within a profile can communicate with each other, so even if you have removed network permissions from one app, it can talk with another app that does have network permissions to act as a go between. However, the team member that was explaining this observed that it is unlikely that a network-connected app would allow this unless both apps were specifically programmed to work together. The only likely scenario I could come up with for this type of cooperation would be if multiple apps were using the same advertising tracking software and one of the apps required network to function (weather app, email app, whatever). So I'm trying to limit my network-approved apps to only be from Obtainium/github, if possible.

Again, I don't know if this is a reasonable precaution or a paranoid delusion. I'm still reading and learning.

One thing I do suggest, is reading this, it'll really help you to figure out where to spend your time if you know what you're trying to accomplish. It's helped me to rein in my tendency to jump down rabbit holes...

nologo

Semiconductor I noticed one particular pattern:
For the average user, the developer of GOS to recommend to use the phone like a normal Android phone with sandboxed GPlay store, as this offers the best compromise between usability and less surveillance by the big G

You seem to be mixing up 2 pieces of advice here:

(1) use the phone like a 'normal' phone, that is, with just the owner profile (as opposed to a multi profile setup);

(2). use sandboxed Google Play.

I agree with advise (1), because multi profile setups tend to have negative impact on usability. I don't necessarily agree with (2). If you absolutely need apps that won't work without Google Play Services, then by all means use sandboxed Google Play. But if there is no such necessity, I would avoid Google like the plague.

Also: installing apps from other sources than Google Play Store it not as hard as you seem to assume.

DeletedUser499

Semiconductor
Is going the hard way w/o GPlay services worth the effort?

yes, nothing more to be said!

nandohyphen1

Semiconductor for me, yes it is. 100% of all my apps run without Google Play Services. If I need an app and it doesn't work, well then I just find an alternative. Now if you want/need apps that require GPlay services (like social media), then yes, it may be worth it for you.

Yeetchuh

IDtheTarget this seems to be why when I have WhatsApp in a sandboxed google profile without network permissions, I still receive a notification saying I may have received messages I should read. Then I think how does WhatsApp send me a notification saying this and know I received a message when I don’t have network permissions on. Guess the notifications are hitting googles services first then passing the message onto what’s app. Weird.

Byku

I doubt anybody that's not working on Google telemetry can honestly answer what Play Services sends out. Not even Graphene devs. The idea with sandboxed Google Play Services is you run it without priviliged access so you can restrict access to what it can collect, not what it can send. There are some research papers that support that Google Play Services can collect logs from other Google apps (like GBoard) and thus send them to Google even when the other app is not allowed internet access. For this to happen apps must be designed to communicate with each other, so Play Services cannot get data from apps without their explicit consent. What else? There is a fair amount of data that can be used for fingerprinting that does not require granting access like your settings, country SIM code, apps installed etc. Any app can use this info, Play Services incuded.

mildlyparanoid

Hi, I guess what each person calls hard is different but speaking for myself using GOS mostly w/o play has not been problematic EXCEPT for Voip, thats been a PITA due to push protocols or something that I barely understand. You mentioned difficulty in installing apps, I will definitely say that has been the least difficult part of using GOS for me. There is of course Neostore which gives you access to many quality open source apps, and then you can use Aurora Store which allows you to easily install apps from googles store (kind of like an interface for sideloading? I am making an educated guess about the sideloading part) but I find those two store cover the vast majority of my needs, though mind you they are not a panacea there are some apps that require google services.
Me personally, I have a profile I use most of the time for messaging and signal/molly calls, browsing, photos, podcasts etc then for the apps i really don't trust but need I have another profile for those apps, and then finally for those apps that i really need an require google (banking apps) I just have a private space in that "untrusted apps" profile so i don't have to switch profiles which makes it a bit less cumbersome, finally I have a totally separate profile w/o google for games and I turn off their access to the internet as many games don't need google/internet even when they say they do. I hope that helps!

schweizer

When Google Play Services are installed almost every push message will leave metadata on Google servers. And although apps must agree to share data with google you can assume the vast majority will have this setting to on/unlimited by default. Assume Play will share position as long as you have location enabled. This allows you to find your device if it's lost or stolen.

Once you know what to do it's actually pretty simple to have a phone with the main profile without Play Servicces. Downloading an app from Aurora ist not fundamentally different from downloading it in Play Store. I actually even prefer the Aurora GUI because it lists the included tracker libraries and it shows wether it requires Play Services.

If you don't care about privacy and security you don't want to install GrapheneOS in the first place. If the focus is on a shiny GUI there are better and probably cheaper options.

Because I think the average user will have a hand full of apps that really require Play Services it is recommended to install those in the private space of the owner profile. Then you can easily switch on and off Play Services by unlocking and locking the private space. You can enable Tor on the private space to minimise your data footprint.

mildlyparanoid those apps that i really need an require google (banking apps) I just have a private space in that "untrusted apps" profile

Isn't that irony when you distrust your bank's apps of all things? To my experience most banking apps work without google.

The only PITA is to use paid apps without disclosing your identiy.

Byku

Yeetchuh That's the whole idea about push notifications. Istead of having multiple apps constantly listening to their servers for notifications, their servers ping Google servers instead and then Play Services wakes up the app that needs to receive the notification. It is battery efficient that way - instead of multiple active apps in the background you only have one. Too bad that it has to rely on Google...

Yeetchuh

schweizer I knew I read something like that about metadata and whatnot. Makes sense. That’s why I only install apps that I require notifications for right away in my google sandbox profile and anything that doesn’t require it and more privacy friendly I put in my main profile. I suppose it’s way more private this way than having the default os even though I still need google for live notification forwarding on certain apps.

KCne

Semiconductor

This guide by GrapheneOS devs may be helpful for ways to set up user profiles and Play Services. Play Store as an app installation method is also more secure compared to app stores like F-Droid and Aurora Store. If telemetry on Sandboxed Google Play is a concern, using a burner Google Account may help.

schweizer I actually even prefer the Aurora GUI because it lists the included tracker libraries and it shows wether it requires Play Services.

Aurora Store just uses Exodus to check for trackers, and that uses badness enumeration which should not be considered reliable. For checking whether an app uses Play Services, Aurora Store uses Plexus, which you can already use from the browser.

nandohyphen1 Now if you want/need apps that require GPlay services (like social media), then yes, it may be worth it for you.

I would like to note that using social media through the browser can be a useful way to mitigate both Play Services and app telemetry, but web apps are very much less secure than native apps.

Ammako

schweizer Assume Play will share position as long as you have location enabled. This allows you to find your device if it's lost or stolen.

That's not a thing. Play Services doesn't get your location unless you explicitly allow it.

IDtheTarget

schweizer When Google Play Services are installed almost every push message will leave metadata on Google servers

Do you mean "installed" or "enabled"? My current setup, which I'm currently re-evaluating, is to have two secondary profiles: a "work" profile and a "me" profile. I need to have Microsoft Teams on my work profile, and I have some games I purchased from the Google Play Store that I would like to have on my regular profile. Those games don't require any permissions to run.

So, I installed Google Play Services and Google Play Store from the GrapheneOS app store, in my owner's profile. I then downloaded and pushed M$ Teams to the work profile, and the games to my "me" profile. Then, in the owner profile I disabled both the services and the store.

This seems to work, though I'm beginning to think about moving my "me" profile to the owner's profile. I need to learn more about how that works before deciding to do so. Are you suggesting that, even though Google Play Services is disabled in both my owner's account and my "me" account, Google still gets push metadata?

Thank you!

GrapheneOS

Byku Push notifications do not specifically require Google Play services. Apps can do push notifications on their own or through a UnifiedPush provider. Google Play FCM is not inherently more efficient than other implementations. Using the same push connection for multiple apps is inherently more efficient, but UnifiedPush does exist too. Having both FCM and UnifiedPush is not a big deal as long as the UnifiedPush implementation is efficient. Avoiding highly inefficient implementations such as Signal's WebSocket push when FCM isn't available is important for battery life. Molly is a fork of Signal with UnifiedPush support which can be manually set up with a MollySocket server.

schweizer

Yeetchuh Installing the sand box in the owners private space is more user friendly compared to having a completely separate profile. You can switch much faster between the apps and even have split screen between an app of the owner and one of the private space. The difference is rather subtle but noticable.

xxx

DeletedUser499 Is going the hard way w/o GPlay services worth the effort?

Yes absolutely.

23Sha-ger

Worth the effort - for who? And what apps do you intend to use or your threat model. There isn't a simply binary answer to such vague question. Will it be worth for 99% of casual users I moved to GOS? The answer will be most definitely no. Everytime you read a question and bunch of answers like that always put another question, which is for who.

Semiconductor

Hi all. Thanks for all for taking your time and for the replies, I really appreciate that you take your time, although this may be the 1000th "hi I am new here an have a question"-Thread.

23Sha-ger Worth the effort - for who?

Uhm let's say for an average user that was using a standard OEM Android before.

People (and I'm no exception) sometimes tend to over-complicate things, although it may not be required. And maybe I did so in this case as well. Future will tell.
I now ended up with an owner profile w/o Gplay. There are FOSS apps installed via Obtainium and App Verifier plus proprietary apps installed via Aurora Store.
The 2nd profile includes PlayStore and all those apps that require a Playstore and a logged-in g00gle. account, Gmail Youtube, Maps, Calendar etc (you name it).
I have set up the 2nd profile being put at rest if it's not in use (which is the case most of the time).

So far the usability is totally fine for me. What I noticed is a significantly extended battery life. I am still not sure if this is due to the lack of Gplay in the "Owner"-Profile, but for me that's is a very appreciated side-effect.

Again, thank you all for your input!

schweizer

IDtheTarget This works but it is cumbersome to switch profiles constantly. You have three profiles but installed Google on all of them.

I strongly assume if you disable Google it will not collect data but then again you do not benefit from energy efficient push notifications. I do not see the advantage of such a setup.

Ammako Play Services doesn't get your location unless you explicitly allow it.

Yes and no. They get your coarse location through the IP. And for the exact location most people have it enabled permanently and also granted the permission to Play Services. Because it prompts and warns you that it is unsafe not to grant location permission. (You may not be able to find your device if it's lost or stolen.)

GrapheneOS

schweizer

And although apps must agree to share data with google you can assume the vast majority will have this setting to on/unlimited by default. Assume Play will share position as long as you have location enabled.

No, this is not how it works and completely baseless. There is no setting apps have to disable to avoid sharing data with Google Play. They have to go out of the way to include Google libraries and then use them in a way that shares data with it.

Assume Play will share position as long as you have location enabled. This allows you to find your device if it's lost or stolen.

This is completely false. It does not get access to location unless you go out of your way to grant it, which is completely unnecessary for any of the baseline functionality or app compatibility.

I actually even prefer the Aurora GUI because it lists the included tracker libraries and it shows wether it requires Play Services.

The Aurora Store information shown about trackers is highly inaccurate and not at all a good way to see which apps include privacy invasive functionality, share data with third parties or even which use Google services. It misinforms and misleads users.

If you don't care about privacy and security you don't want to install GrapheneOS in the first place. If the focus is on a shiny GUI there are better and probably cheaper options.

Using sandboxed Google Play and mainstream apps does not at all defeat the purpose of using GrapheneOS.

Because I think the average user will have a hand full of apps that really require Play Services it is recommended to install those in the private space of the owner profile.

This is not a specific recommendation from GrapheneOS. There are advantages to putting apps in separate profiles but none of it is specific to sandboxed Google Play.

Then you can easily switch on and off Play Services by unlocking and locking the private space.

Disabling apps individually or at a profile level when you aren't using them doesn't provide any significant privacy value. It mainly just saves battery life, but you won't get notifications while apps are disabled.

You can enable Tor on the private space to minimise your data footprint.

Tor is much more niche than a regular VPN and people should think the implications of Tor about it before using it.

schweizer

They get your coarse location through the IP.

This has nothing to do with Play services specifically and it's a misconception that Play services is needed for apps to use Google services. If you're using a VPN then it's not the case.

And for the exact location most people have it enabled permanently and also granted the permission to Play Services. Because it prompts and warns you that it is unsafe not to grant location permission. (You may not be able to find your device if it's lost or stolen.)

No, this is highly inaccurate. Standard permissions are not granted to sandboxed Google Play because they're regular apps and that's not how it works with regular apps. Location does not need to be granted for any baseline functionality or app compatibility, so very few people grant it to sandboxed Google Play. You're wrong about this.