coffeefun A question I have is, what are the privacy pros/cons of using sandboxed Google Play on GrapheneOS compared with iOS? I assume that GrapheneOS without Google Play is better than iOS, but it's not clear what are the pros/cons with Google Play, with respect to privacy.
I'm afraid that I'm not really an authority on iOS, so it would be very hard to give you an accurate and thorough comparison there. What I will say is that again, with Sandboxed Google Play, you're getting nearly the same app compatibility as Stock OS without really taking a hit in privacy and security.
Google Play Services, Play Store etc. will have the exact same access as all other apps you install, but let's think about what that actually means for you, in broad terms:
- You should assume that apps within the same profile can enumerate each other. Therefore, Google will know which apps you've installed. Of course, the same thing applies to all other apps you'd install.
- Apps that you install which utilize Play Services will communicate with Play Services so that it can provide the functionality they need. The information that Google gets based off that varies greatly, and depends on what the app is willing to give it. For example, Signal can use Play Services for notifications. However, Play Services never sees the actual message content of the notification. An important thing to note here is that even if you decide to forego Sandboxed Google Play, a lot of the apps you'd install probably have Google libraries in them that they use regardless, so you might want to keep that in mind if your reasoning for not using Sandboxed Google Play is avoiding Google in its entirety.
coffeefun Based on your comment, and those of others, it sounds like the consensus is that F-Droid has security risks.
Correct. At this point, I only use the F-Droid repository as a discovery tool to find out about new apps. If I actually want to download them, I do it through other means, not through F-Droid.
coffeefun I agree, the RSS alternative will require some time investment to learn.
It is not exceptionally hard to do, but it does add unnecessary complexity that you can easily avoid with a traditional app store.
coffeefun I noticed that you didn't include Aurora Store in your list of app sources. Is Aurora Store not recommended? By using it, do I gain any privacy benefits over Play Store? Do I lose any security benefits using Aurora instead of Play?
The primary reason for not mentioning Aurora Store is that I was recommending a one-profile setup with Sandboxed Google Play. With that setup, Aurora Store makes little to no sense, in my opinion, unless you're extremely adamant about not having a Google account of your own (one could be created for the sole purpose of using it with the Play Store).
If you're using Aurora Store while you have Sandboxed Google Play, you won't need a Google account, which is arguably a privacy benefit. That said, you're now using a shared "anonymous" account. Aurora Store can't remove Play Store's account requirement, it just optionally allows you to use their own accounts instead of bringing your own.
The above might sound great at first, but it comes with drawbacks. A shared account means shared settings. It means that someone might have opted into a beta version of an app on that account and you're now downloading an update that may break.
There are also other security issues with Aurora Store that make it hard to recommend, though it is handy.
Quote from https://privsec.dev/posts/android/f-droid-security-issues/ which was linked above:
If you don’t have Play services installed, you can use a third-party Play Store client called Aurora Store. Aurora Store has some issues of its own, and some of them overlap in fact with F-Droid. Aurora Store somehow still requires the legacy storage permission, has yet to implement certificate pinning, has been known to sometimes retrieve wrong versions of apps, and distributed account tokens over cleartext HTTP until fairly recently; not that it matters much since tokens were designed to be shared between users, which is already concerning. I’d recommend against using the shared “anonymous” accounts feature: you should make your own throwaway account with minimal information.
This, coupled with the fact that apps are fully capable of communicating with Google all on their own (take a look at Google Maps - it's fully capable of working without Play Services present), makes the benefits of foregoing the Play Store (which is more trusted, provided that you get it from GrapheneOS' Apps app, along with being more secure in general) dubious at best.
I personally still use Aurora Store in profiles where I don't use Sandboxed Google Play or for when I create a new profile to test something and don't necessarily want to log in with my Google account, but I do it knowing where it does well and where not.
If you have any more questions, shoot!