Incorrect theories about sandboxed Google Play

GrapheneOS

I will almost certainly be removing sandboxed Google Play Store, but keeping Google Play Services for now.

This is thoroughly broken, unsupported and doesn't make any sense. Your assumptions about what is happening are highly inaccurate. Nothing unexpected or problematic has happened. Aurora Store is a frontend to the Play Store and you're still using the Play Store with Aurora Store. It's clear what you think is being avoided by doing that.

Google Services Framework is no longer a stand alone app in GOS

It's obsolete and not needed anymore. No functionality was lost without it.

which from my recollection was the only thing necessary for Signal (and other apps) to use Google's battery-efficient Firebase Cloud Messaging (FCM) for notifications

No, this was never the case. FCM always required sandboxed Google Play Services. You can use UnifiedPush with a MollySocket server instead with Molly.

So in order to keep FCM capability I will apparently have to keep Google Play Services (GPS) installed. Hopefully GPS is not in any way connected to the privacy compromising issues I have experienced with sandboxed Google Play Store.

FCM never worked with only GSF which isn't useful anymore. None of what you're assuming and claiming happened with the Play Store actually happened. You're wrong and are spreading misinformation about GrapheneOS with no basis. Your posts are likely to mislead other people.

If I decide to stick with GPS, even though Google has my main profile fully fingerprinted now since I installed it on my primary profile and I use my primary profile for just about everything, it still may be wise for me to uninstall both Play Store and Play Services and then reinstall only Play Services so Play Services is not directly tied to my Google username/account. Whether or not this will help to mitigate any privacy issues, I don't know.

Your claims about what has happened as wrong. Choosing to sign into an existing account instead of making a new one was entirely your choice and not in any way a problem with sandboxed Google Play.

Lastly, I will say I was extremely happy with sandboxed Google Play Store in the past (I have used it since it was introduced a few years ago), but with since latest experience, I would have never installed it if I had known the issues I would have encountered ahead of time. As Google becomes increasingly authoritarian in its policies (perhaps they are even specifically trying to sabotage GOS's sandboxed Play?), hopefully more developers will begin offering their apps on secure and privacy-respecting Accrescent.

Everything you've described which actually occurred is an expected result of what you were doing with it. Your assumptions and claims about what it must mean are highly inaccurate. Nothing about sandboxed Google Play has been sabotaged and the claim doesn't make any sense. It is working as it's supposed to work. You're making wild interpretations of what's happening on your device because you have a conclusion you came to and you're looking for evidence for it. What you think you've found as evidence for what you think happened is not and none of it indicates anything wrong or unexpected. You signed into an existing account so of course it's signed into an existing account because you chose to do it and did it. None of this means anything is being tracked in Vanadium, that anything was done without your permission in violation of the OS sandbox or anything else like that. None of that has happened.

xYz

Thank you for the thorough response!

Regarding Google tracking cookies: I never imagined confirming I was the legit account holder of my Google account on my Pixel 9a would result in Google placing tracking cookies in Vanadium... lesson learned! Perhaps GOS could make a NOTE/Warning about this in the Sandboxed Google Play info/instructions for users setting up Google with an existing account. As you know, reusing an existing account is very helpful if you have purchased apps that you don't want to have to repurchase.
What about Google Play auto-downloading various apps like Wallet, Gemini, etc.? That is an expected result of me installing sandboxed Google Play?
In every prior install of GOS over the past five years I and my family have been using GOS on various devices I never recall being redirected to a Google web article for information. Is this a new implementation?

DeletedUser495

xYz stop acting foolish. When you first set up your Google account on the device you are asked if you want to download additional apps, which is skippable. Browser asking you to login with Google is the Google autofill which you can turn off or change to something else. Do not create issues where there are none.

GrapheneOS

xYz

Regarding Google tracking cookies: I never imagined confirming I was the legit account holder of my Google account on my Pixel 9a would result in Google placing tracking cookies in Vanadium... lesson learned!

It does not.

What about Google Play auto-downloading various apps like Wallet, Gemini, etc.? That is an expected result of me installing sandboxed Google Play?

You triggered this saying you wanted to install existing apps you had installed at some point.

In every prior install of GOS over the past five years I and my family have been using GOS on various devices I never recall being redirected to a Google web article for information. Is this a new implementation?

Nothing about having links to standard documentation in various places is new and it has nothing to do with sandboxed Google Play.

xYz

DeletedUser495 Acting foolish for asking questions and explaining what happened on my end and making a suggestion for the Google Play install instructions? Got it. You are a great professor! Anyway, I don't ever recall being asked if I want install additional Google apps. If that is what happened, that is totally new to me and perhaps I just blindly clicked accept because on all the previous devices I installed sandboxed Play on in the past I never recall such an option. And besides, why is it even asking me such a thing anyway? If indeed it did ask, it was a single click type thing to get me to install all the Google garbage which I want nothing to do with. It's like the old days of installing a windows app and there's a small checkmark opting you into install five other apps you want no part of. And why would GOS have implemented this now, when it never was an option in the past?

23Sha-ger

xYz
That's an expected behavior when you sign into a Play account and already had apps installed with this account. You can "restore" those apps on a new device you just logged in to.
Then you synced your browser with the said account.
You are the only one with a question like this.

fid03

xYz Acting foolish for asking questions and explaining what happened on my end and making a suggestion for the Google Play install instructions? Got it. You are a great professor! Anyway, I don't ever recall being asked if I want install additional Google apps. If that is what happened, that is totally new to me and perhaps I just blindly clicked accept because on all the previous devices I installed sandboxed Play on in the past I never recall such an option. And besides, why is it even asking me such a thing anyway? If indeed it did ask, it was a single click type thing to get me to install all the Google garbage which I want nothing to do with. It's like the old days of installing a windows app and there's a small checkmark opting you into install five other apps you want no part of. And why would GOS have implemented this now, when it never was an option in the past?

Let me be clear that I can't imagine that GrapheneOS would implement a feature which automatically installed or even asked you to install lots of Google apps. That seems to have been confirmed by the GrapheneOS account in their previous replies in this thread.

The prompt for installing Google apps comes from Play Store and is a new feature of Play Store itself, not Sandboxed Google Play or GrapheneOS. The prompt appears after you make a new account in Play Store (and possibly also when you sign in to an existing one; I haven't tried that). Try it in a new secondary profile.

Here's what happens to me: I install Sandboxed Google Play in a new secondary profile, create a new Google account through Play Store, then allow Play Store to display notifications. After about a minute I get a notification in the notification drawer "Action required in Play Store" (by the way, this is the standard text that appears when Play Store wants to install something but it needs your explicit permission for it to do so). I select the notification and a dialog asking me to permit Play Store to install unknown apps appears, and I select "allow from this source". I get an additional notification about Play Store requiring an action, when I select it Play Store asks me if I want to install a range of Google apps. I toggle off the check marks for each app and hit Install (not sure why I wouldn't just close the dialog instead, but there you go). A system dialog then asks me if I want to install Gboard and a few other apps. I select Cancel, and the apps are not installed.

Quantum

xYz You can install Signal from their website which will self update.

https://signal.org/android/apk/

xYz

Quantum Thanks, I think I'm going to go with Molly as I remember hearing in the past Signal without FCM drains the battery quite a bit more than Molly. So long Google Play...

xYz

fid03 Thanks for recounting exactly what happened on your end (without a disparaging remark) regarding how Google Play tried to get you to install various Google brand apps by defaulting to install them with checkmarks you had to manually uncheck one by one. It's a deceptive tactic IMO. I will have to try it again on a secondary profile as you recommended and see if it behaves any differently than what you described for existing Google accounts.

In the meantime, I know for a fact that since I have been installing sandboxed Google Play on various Pixels running GOS over the past few years I have never encountered such a thing up until the latest install a week ago on a P9a, so it must be something new Google Play has implemented... one or two unsuspecting taps and there it could have been: Gemini AI spyware installed on my phone! See article here: https://proton.me/blog/turn-off-gemini-on-android

fid03

xYz Thanks for recounting exactly what happened on your end (without a disparaging remark) regarding how Google Play tried to get you to install various Google brand apps by defaulting to install them with checkmarks you had to manually uncheck one by one.

Or, as I said – I could have just swiped away the window.

xYz one or two unsuspecting taps and there it could have been: Gemini AI spyware installed on my phone! See article here: https://proton.me/blog/turn-off-gemini-on-android

I honestly think you're overplaying this. Even if you tapped the several buttons to install Gemini (not sure it was there in the list?), including confirming the install dialog shown by the system, the Gemini app would just be installed as a regular sandboxed app, confined by Android's app sandboxing. It can't have any more access on GrapheneOS than any other app so I don't really share the worry you are expressing.

xYz

GrapheneOS

It does not. <

Any other idea how Google would have installed cookies that tracked me across various websites on a fresh install of Vanadium if the 2 Google confirmation number sent to me and which opened in Vanadium was not the reason? I never signed into any Google accounts on Vanadium other than approving that code. This was the only thing that occurred within Vanadium that is the only thing I can see as the only possibility.

You triggered this saying you wanted to install existing apps you had installed at some point. <

The only Google apps I have used in the past on some devices are Maps, Waze, Camera, and Photos. I NEVER had on any of my devices Google Wallet, Gemini, Home, System Intelligence, etc. These apps were prechecked and somehow began downloading (a user above says I must have tapped to accept, which I don't recall). I'm going to try to recreate what I did on a secondary profile and post the results later.

MineralWater

That all does not happen.

I used a throwaway Google at first and after some weeks of trying out the system I changed to my old original account, because I wanted to use my paid apps again.

Nothing happened, no Google or any other apps have been automatically downloaded, contacts have not been shared, and so on.

You can decide what the Google Account is allowed whenever you change it. Of course Google will tie accounts when you sign in on the same device, but it does this on their side, not on your phone.

I have not witnessed any change in behavior of the OS since switching accounts.

DeletedUser495

xYz when you are going to recreate it, I hope you are going to notice that skip button when you scroll to the bottom I was talking about. There is nothing deliberate about this, you confirmed your choice and apps got installed. Pay attention next time.

GrapheneOS

xYz

Any other idea how Google would have installed cookies that tracked me across various websites on a fresh install of Vanadium if the 2 Google confirmation number sent to me and which opened in Vanadium was not the reason? I never signed into any Google accounts on Vanadium other than approving that code. This was the only thing that occurred within Vanadium that is the only thing I can see as the only possibility.

It didn't do any of that. You're misunderstanding something and coming up with a theory about what happened which isn't accurate.