Drawbacks to Google Play Services (GPS) in Owner Profile

GoodJobe

I'm curious about other people's thoughts and user profile setups. I'm currently running an owner profile that only contains secure open source apps, bank apps, Spotify, Sony and Jabra Headphones apps, and apps needed to run Galaxy watch apps. Thankfully, they all run well without GPS. To make things less complicated, I opted for private space nested under this profile to contain few social media apps that need GPS to run properly. I just never lock this private space so that I can keep a seamless experience. I'm aware that GrapheneOS' sandboxing is pretty good but I just keep this setup for two reasons:

To minimise any possible chance of data being passed from most apps to GPS through interprocess communication (IPC).
To safeguard the owner profile from GPS.

Regarding the second point though, I don't actually know why I'm doing this. Couldn't I just switch the profiles around and make my owner profile have GPS and the apps that need it then the private space be everything else that can survive without GPS? I want to do this so that I can use features that would be useful like quick share, call screening, RCS, etc. I also want to keep the Galaxy Watch apps in the same profile so that I could get notifications on my watch. Would there be any downsides to this privacy-wise? Do I need to keep GPS out of the owner profile for specific reasons? My current threat model is just protecting data from most apps from GPS and accepting that my social media apps need GPS for real-time notifications.

c86

There's nothing wrong with flipping your main profile / private space setup as you describe. It sounds like you're more concerned with surveillance capitalism than anything else and that's fine. Avoiding play services lends itself to a higher threat model and not everyone needs to go that route.

You could use a pseudonymous Google account in your main profile so everything you need to work off of it functions. Social media apps are the worst so you could run them via browser to limit what data they collect. Conversely you could put social media apps in a separate profile and forward the notifications to your main profile.

If you're dead set on them being in your main profile, just limit their app permissions, such as using storage / contact scopes and removing their access to sensors to list a few. You can view permissions and decide what is acceptable.

GoodJobe

c86 Thanks very much! I would like to put the social media apps in a separate profile but this might just be too tedious since I use a messenging app many times everyday to contact friends and family abroad. I'll follow your advice for app restrictions and create a pseudonymous Google account.

Could I ask on your opinion with RCS and call screening? I understand that they're great for security since you're using an encrypted channel of communication and preventing potential scam calls from identifying your number as a callable number. However, I am worried about Google collecting information on calls and RCS messages. So I imagine there is a trade-off here for security vs privacy?

c86

GoodJobe

I don't use RCS or Google messaging app, but I understand the folks that will use it if they have a personal benefit from it. In my mind the only messaging service that ought to be used is Signal/Molly since both can be used with or without Google and are cross platform. If a use case exists that a phone number for account setup is problematic, those folks are then needing services with anonymity and it begins a vastly different discussion.

Your stated worry is a valid one in terms of the metadata collected yes. There are some apps you can download, SpamBlocker on GitHub for example, that gives access to known spam lists and identifies callers as such. However the number must previously be flagged as spam for the app to work.

In my own situation I have public & private use numbers and only answer if a contact calls. Every other call goes to voicemail.

Elgoog

I realize this is not relevant in GoodJobe's case, where GPS will always be active, but how much privacy does one gain by placing GPS in a profile that is active only when apps requiring it are active? In other words, what do I lose in terms of privacy by having GPS always active?

GoodJobe

Elgoog I'm by no means an expert since I am asking similar questions. I imagine though it wouldn't have much of an impact if GPS is starved from permissions (basically just network and sensors active). The only privacy concern may be GPS communicating with apps through IPC more frequently if always active. Then it could potentially phone home and send all that data since it has network permissions.