Hi folks,

I am interested in trying GrapheneOS and have been reading through the documentation to get a grasp on what has been done differently from other systems and why. In general, I found the features page here to be well-written and easy to understand, but there are a couple things I was hoping someone could help clear up.

I have seen mentioned a few places the practice of adding Google services into a separate user profile, as a security or privacy precaution. On its face, that seems to make sense but after reading a little more I'm not sure I get it. In the notes for Sandboxed Google Play (here), it seems to suggest Google services are already somewhat limited with what can be accessed:

Only apps within the same profile can use it and they need to explicitly choose to use it. It works the same way as any other app and has no special capabilities. As with any other app, it can't access data of other apps and requires explicit user consent to gain access to profile data or the standard permissions. Apps within the same profile can communicate with mutual consent and it's no different for sandboxed Google Play.

For the sake of an example, I use Proton Mail which relies on Google Services for push notifications. My initial thought was these apps could be isolated to a separate profile...but after reading through the documentation above, it is somewhat unclear what benefit this brings. What is visible (from the perspective of the Google Services app) with the permission it has for retrieving notifications seems like it would be unaffected by what profile it is in. Am I missing something?

If anything, putting my Proton Mail client in a separate profile seems like it could prove to be a nuisance; my understanding is I would not be able to copy and paste something into a web browser in another profile, for example. Or even click through a link for that matter, unless the new profile had its own web browser installed.

Another app I have to use for work is the Microsoft Authenticator app, which also piggy-backs on Google Services. It is a work app and it makes sense for it to be in a separate profile from my normal stuff, but again: what exactly does this practice add from a security or privacy standpoint? This is not an app that attempts to interact with other apps, or really do anything but sit there and wait for a notification to come down so it can churn out an MFA code.

Thanks for reading through all that, I've just been kind of absorbing a lot of new information with the GrapheneOS documentation and my head is spinning a little bit! Any clarification or insight would be welcome, thanks again for reading.

    It can be challenging to fully appreciate all of the possible threat scenarios, especially if you don't have a specific threat model that you are attempting to mitigate. I was in the same boat when I first read the GOS documentation and the posts here and on reddit (long before actually using GrapheneOS).

    For many users, there is no issue at all with running the sandboxed Google Play in their one and only profile. In fact, I would wager that many if not most GOS users do this already.

    Some of us however, would rather not use Play at all, or at the very least some might wish to limit its interaction to a specific set of apps. I commented about this just a few minutes ago on another post if you're interested. As I mention there, Play Services and Store apps are widely used by apps as a conduit for communication, telemetry, advertising, and other services, so for some it makes sense to isolate Play from the rest of their apps if they wish to avoid those things. IPC allows apps to share information with each other, as long as there is mutual consent between the apps, which would be by design of the developer(s) themselves.

    With the exception of using profiles to separate apps and data, there is nothing the user can do to control this behaviour. IPC is a fundamental part of the Android OS and is often used to perform common tasks between apps. However, it can also be used to exchange telemetry, metadata and other information between apps.

    In another scenario, a user may have two separate social media apps with two separate pseudonyms. IPC may allow one of these apps to share information to the other (again, with mutual consent) which could possibly reveal that their pseudonyms are from a single source.

    These are just a couple of many examples as to why someone might choose profile isolation.
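As an added illustration of what "mutual consent" means at the Android level (this is example code, not something from this thread or from GrapheneOS), the manifests below show the two declarations that both developers have to make before one app can talk to another over IPC. The package names, service names and the permission name are made up for the example.

```xml
<!-- Added example, not from the thread. Package and permission names are hypothetical. -->

<!-- App A (com.example.appa) deliberately offers a service to other apps, but gates it
     behind a permission it defines itself. protectionLevel="signature" means only apps
     signed with the same developer key can hold that permission, so the exposure is a
     conscious decision by A's developer. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.appa">
    <permission
        android:name="com.example.appa.permission.SHARE_DATA"
        android:protectionLevel="signature" />
    <application>
        <!-- Exposed on purpose: exported="true" plus a permission check -->
        <service
            android:name=".SyncService"
            android:exported="true"
            android:permission="com.example.appa.permission.SHARE_DATA">
            <intent-filter>
                <action android:name="com.example.appa.action.SYNC" />
            </intent-filter>
        </service>
        <!-- Kept private: exported="false" means no other app in the profile can bind
             to it, whatever permissions that other app holds -->
        <service
            android:name=".InternalService"
            android:exported="false" />
    </application>
</manifest>

<!-- App B (com.example.appb) has to opt in from its side: request A's permission and
     (since Android 11) declare that it intends to interact with A's package. Without
     both, the OS refuses the bind, so B's developer also chose this. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.appb">
    <uses-permission android:name="com.example.appa.permission.SHARE_DATA" />
    <queries>
        <package android:name="com.example.appa" />
    </queries>
    <application>
        <!-- B's own components go here -->
    </application>
</manifest>
```

None of these declarations can be changed by the user after installation, which is why the post above says profiles are the only lever available: an app in a different user profile is a separate instance in a separate sandbox, and binding to a component in another user requires a privileged permission that ordinary apps do not hold, so the exchange simply cannot happen across that boundary.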

      BluishHumility

      It's not only apps that use Google Services you have to worry about, but Google itself. Having Google Services running for a few apps that use its Firebase Cloud Messaging (FCM), those apps aren't the danger. But rather Google has data that many people would think should be private.
      Sandboxing the Google Services so it doesn't have system level privileges is the first step. But even sandboxed, Google collects whatever data it can.

      Then there are some apps that force you to use Google. Such as to make sure you are a paid subscriber by requiring the Google Play Store be logged in, or "in-app" purchasing. Some users resent these app developers for making them stay connected to Google Services just because of ad-revenue or micro-transactions.
      Google itself is the main privacy concern.

      Thanks guys, I do appreciate the responses and this information is very helpful.

      I'm coming from running vanilla LineageOS (no G-apps) for about ten months, and then /e OS for another ten months after that. Going cold turkey with Google on Lineage was honestly not that bad; being forced to find alternatives on F-Droid or elsewhere was helpful because some of those apps turned out to be better. /e OS has been really nice, everything works great with microG built in and it's been nice to get email notifications from Proton Mail again (not essential in my case, but nice). Even that stupid Microsoft Authenticator app they made me download for work has worked fine on microG, to my surprise.

      I do understand the microG project is somewhat flawed (https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#sandboxed-google-play-vs-privileged-microg), and I appreciate how sandboxed Google Play is a less hacky/more secure solution, but I have been really conflicted about bringing Google stuff back onto my phone--in any capacity--after all this time without it. It does somehow feel like a major step back, just to get some notification services working.

      I guess that is kind of what led me down the rabbit hole of setting up multiple profiles in the first place--my instinct was to quarantine Google stuff as much as possible. After reading through the discussion here and mulling it over though, I do think I end up falling into this category:

      mythodical For many users, there is no issue at all with running the sandboxed Google Play in their one and only profile.

      Google will be able to see when I get a notification from Proton Mail, or Signal, or whatever...I don't especially like that, but I think I can live with it. It's not like they can read the messages or anything. At the end of the day, that data amounts to little more than crumbs compared to the juicy data sandwiches Google survives on.

      I decided I'm going to give it a shot; I ordered a second-hand Pixel 7 on Ebay today and I'm looking forward to getting it set up when it arrives in a few days. I'm planning on holding off on separate profiles for now, but I will bear that in mind about the IPC as I build up the phone. Thanks again for the responses.

      When I first installed GrapheneOS a couple months ago on a Pixel 7, I only had Google Play Services enabled on a user profile. Much as I wanted to keep it that way and minimize the use of Google, I ultimately installed it on the main user profile and dumped the alternative one. There were enough inconveniences with apps I want to keep using that demand Play Services that I gave in. I didn't like switching back and forth between profiles as much as I was.

      Maybe I'll get to where I can avoid Google altogether at some point soon. One paid app I use a lot won't even run unless Play Services is installed AND I'm logged into Google on the account on which I purchased the app. I think this is only so that it can verify my purchase status. That's frustrating, because I otherwise have minimal need to be logged into Google. I don't allow network access for any app that doesn't depend on it for its intrinsic functionality, so this particular app doesn't have network access. But as @mythodical points out, the app may have other ways that it uses to communicate with Google. I ought to write the dev and request a paid version that doesn't depend on being logged in. I have another app I use regularly that offers exactly that.

      I'm no expert on any of these privacy issues with respect to the architecture of GrapheneOS. I've read through some of the documentation multiple times, but it's a lot to take in, particularly when one's feel for the details of the overall context is somewhat limited to begin with.

      Since you're already used to being deGoogled, @BluishHumility, why not try using a secondary user profile for Google dependent stuff? Nothing to lose. Just get rid of it if you decide to use Play Services on the main profile. It's easy to set up, easy to delete. The hard part is not being able to share data between profiles and having to switch too often.

        Hey there! I just wanted to add to the already great reply you got from @mythodical with a link to a post I made a while ago that I find myself linking quite often, because the question of how user profiles help and whether it makes sense for one to use them comes up very often (you're not alone!):

        https://discuss.grapheneos.org/d/168-ideas-for-user-profiles/2

        I hope that helps, and if you have any follow-up questions, just let me know.

          matchboxbananasynergy

          Thank you, that is a perfectly lucid explanation. Honestly, if I had found your post while I was poking around the forum yesterday I probably never would have opened this thread in the first place!

          tynd why not try using a secondary user profile for Google dependent stuff? Nothing to lose. Just get rid of it if you decide to use Play Services on the main profile. It's easy to set up, easy to delete. The hard part is not being able to share data between profiles and having to switch too often.

          After learning more about it, I think I am going to hold off on making a second profile because in my case it doesn't seem likely that it will bring any additional benefit (privacy or otherwise). I don't use any Google apps--or even anything from the Google Play Store for that matter--rather just a few things that will need to use Google Services for pulling in notifications. The apps that use Google Services are one-off apps rather than part of a suite (i.e. Proton Mail and Signal are not likely passing notes to each other). If the app sandbox works like it is supposed to, the data available to Google when one of my apps receives a notification will be exactly the same whether the app is in a separate profile by itself, or in the profile where I have my web browser and other apps.

          I appreciate everyone's input. I'm excited to get the new device and start setting everything up!

          tynd One paid app I use a lot won't even run unless Play Services is installed AND I'm logged into Google on the account on which I purchased the app

          Not good.

          Maybe name them in another thread? Other users may have alternates or know of ways around this.

          As a new GrapheneOS user the past month, it's been a big search to find apps unentangled with Google services. I was frustrated, for example, by FairEmail, which only appeared to offer a Play Store version. In fact I just wanted to donate to the creator for the plain version shortly after I learned that I liked it, but I was unable to find a way to pay him except through the Play Store. I finally did discover that I could not only donate directly but also get the Pro version for a donation without the Play Store getting involved, and how active the creator was in the alternate OS community.

          Good luck!

            ve3jlg

            I have FairEmail from F-Droid and the pro version. You don't have to go through Play Store.

            edit: sorry, I should have read through your entire post more thoroughly. Seems you found it in F-Droid!

              brookie229 Seems you found it in F-Droid!

              Yes, I did, thanks! Then I found the website and details on how to donate directly.

              ve3jlg There are apps that offer versions with all the paid features separate from GSF requirements. I'm a paid FairEmail user, too. I don't object to buying it again through the dev if I fully deGoogle again.

              The app I referred to that doesn't work is a prominent epub reader, Moon+ Reader Pro. I'm not too worried about it abusing privacy issues, plus I don't give it network permission. When I first installed GrapheneOS and had it on the primary and deGoogled profile, it did run, but without the paid features, which meant losing important enough things that it wasn't worth the bother. Now that Play Services are installed, the app fails if I'm not logged into Google, I suppose to check the validity of my purchase of it. I have another app that I like as much such that if that's what I primarily use for this purpose, it wouldn't be that great a loss. But it's kind of frustrating just the same.

              One way to solve the inconveniences that come with user profiles is Shelter or other work profile apps. They create a work profile inside your main user profile. That way you can install Play Services and the apps requiring them in an isolated environment.

              2 years later

              Could you please give more information on how to create this "work profile" inside a user profile? Does it provide reliable isolation from other apps inside the user profile?