Liberated Google Play Services on GraphOS

trythis3

well...Ive tried everything I could find. I still cant get push notifications thru to my Graphened Pixel 9, which I moved to from iPhone for the last few weeks. The apps in question are Abode home security and Eufys security cameras apps. Ive used all good setting changes and permissions etc., that I could learn about from this forum and all knowledgable Youtubers, and online articles, that I could find. So, before I abandon Graphene tonite for a standard Android Pixel 9 install, a single last option just to mind. Can anyone advise on the option of allowing an unrestricted/standard/normie Google Play Services to run on GrapheneOS? The same GPS that would be aquired from the google play store for a standard Android install. Id perhaps put it in a second GrapheneOS Profile, and place just those security apps there, so they can all hump each other all night, or even 24/7. The hope would be that a liberated, un-neutered, normie standard GPS will allow the push notifications to finally work thru the security apps to the phone.
Of course, I dont know if this is even possible! Can I get the "normie" version of GPS on the GrapheneOS phone? (I already have the Graphene app store GPStore & GPServices installed.) How would I get it? And if I put it in a second profile on Graphenne, and put only the security apps there, will the GPS' be isolated "enough" from everywhere else so that it doesnt make GrapheneOS pointless? Or will GPS in its full form as its received from the official Google Play Store not be limited to the 2 apps in the second profile? Would it pollute other functions and locations in the phone?
Please answer if this is possible, how Id get the right GPS onto GrapheneOS so it works, and what the down sides would or might be for this kind of setup.
Thanks for any knowledge-

de0u

trythis3 My understanding is that on Google's Pixel OS the Play components are installed as privileged system applications (i.e., built into the system image). In theory it would be possible to build a custom GrapheneOS fork with the Play components included as privileged system applications, but at that point profile isolation would not limit Play's abilities. The applications themselves would be isolated in a second profile, but Play would have control over the device.

de0u

trythis3 Ive used all good setting changes and permissions etc., that I could learn about from this forum and all knowledgable Youtubers, and online articles, that I could find.

Were the Play directions on the GrapheneOS web site followed?

TrustExecutor

Strange. Does other notifications come through, those that are dependent on Google's FCM? Did you install Sandboxed Play services before or after you installed those apps?

trythis3

TrustExecutor first installed after so I could see if the security apps Push Notifs would work. They didnt, so I uninstalled, the installed the google from Graphene app store, then reinstalled to the effect of no Push Notif's. I get "notifications" , ie, can see text, updates, even Eufy camera triggers, when I pull down from top of main screen to get all notifications, but not Push Notifications" meaning that they break thru the settings I have set during when screen is locked and phone is in my pocket meditating. I need the breakthru when the house alarm is triggered. The respective app makers claim theres no way Push Notif's can work on GrapheneOS (but theyve never had it on a phone in their hands).

trythis3

de0u so.....its a no-go? Getting a standard version of GPS and install to any Profile would make De-googling via Graphene, pointless?

de0u

trythis3 I recommend installing an app that uses push notifications and is known to work on GrapheneOS, and using that app to debug push notifications, if necessary, before determining that something is standing in the way of these two particular apps.

de0u

trythis3 Getting a standard version of GPS and install to any Profile would make De-googling via Graphene, pointless?

It's not even possible. The Google Play that is available from the GrapheneOS "App Store" app is exactly the same Google Play as on a Google device, but its abilities are limited. Unlimiting it would require building it into the system image as a privileged app.

trythis3

de0u thats what i was afraid of. Thanks for clarifying.

trythis3

de0u Ill bite. Any simple to install app that u might have in mind for this test? Besides the stores, I only have those 3 security apps so far. Texts get pushed thru on Graphene text app just fine.

Psyonico

My understanding is that GrapheneOS' versions are the "normal" version, they just don't have elevated privileges.

But you said something that has me wondering if it's not a GOS thing but a settings thing. You said you see notifications but not push notifications. This may mean that somehow the notification settings aren't set up right.

Try this:

Go to Settings->Notifications->App notifications then click on one of the apps in question. From there, make sure that the overall toggle is turned on, then, also make sure that everything under "Notification Categories" is also turned on and there is a bell icon next to each category on the left.

If there isn't a bell icon, that means the notification is muted, simply click to the left of the text in the category and choose "Default" rather than "Silent"

Hope this helps

trythis3

Psyonico yes, those were all set, with no "Push" happening. Either with screen off and app open underneath, or app closed. Thanks anyway.

de0u

trythis3 Any simple to install app that u might have in mind for this test?

I think lots of people on the forum use Signal and/or WhatsApp on their GrapheneOS devices, and rely on push notifications.

trythis3

de0u yes, I believe so. But I didnt get involved in the special Network Location feature setting on that page, as "This shouldn't be needed outside of testing or obscure use cases, since GrapheneOS provides its own opt-in Network Location feature". Perhaps Im a special case. FYI, I didnt sign into a google account as part of this. I didnt because the security apps have their own sign in and passwords.I was hoping the compatability Layer would apply to Abode app as well. So I didnt "want to use Google's network location service to provide location estimates without satellite reception" as I imagined the app only required my "location" if i was using geolocating, geofencing, etc. But Im not as I dont want to be tracked by app if possible. Should I get involved with those 4 steps of "use Google's network location service to provide location estimates without satellite reception"?
Btw, These apps were downloaded from Aurora. Ive used the apps for years on iPhone.

de0u

trythis3 I didnt get involved in the special Network Location feature setting on that page, as "This shouldn't be needed outside of testing or obscure use cases, since GrapheneOS provides its own opt-in Network Location feature".

Did you enable the GrapheneOS network location service?

trythis3 FYI, I didnt sign into a google account as part of this. I didnt because the security apps have their own sign in and passwords.

I believe not being signed in to Google Play works for some apps but not for others.

trythis3 I didnt "want to use Google's network location service to provide location estimates without satellite reception" as I imagined the app only required my "location" if i was using geolocating, geofencing, etc. But Im not as I dont want to be tracked by app if possible.

Personally I'm not sure I would consider Adobe to be a privacy paragon, so I'm not sure how feasible it is to use an Adobe security app without being tracked to some extent. I don't know much about Eufy, but I have read some concerning things about them with respect to privacy (example). Overall, it's not clear to me whether or not it's possible to use these apps without conveying information about you to the app owners.

de0u

trythis3 Do the notification failures happen on a home network, or do they also fail to arrive when Wi-Fi is disabled and cellular data is used? Is it possible that an ad blocker is blocking Google's FCM servers? That would stop notifications from working.

trythis3

de0u yes, understood. But since the location is already built up with these devices for these apps, and the money and time are already comitted, I thought if I had the apps sandboxed, then at least Id have some advantage. And, all other apps could be treated normally by GOS to get its full privacy advantage over them. It woulda been an ok tradeoff till i could find funds for another security system that would push notify me of camera activity or worst case, burgular alarm triggers.
Im looking at the special use case on the Play Directions link you gave me, to run it as an experiment (probably the last). On my phone, updated GOS, I cant see how to select #2 "Grant "Allow all the time" Location access to Google Play services along with the Nearby Devices permission for it to have all the access it needs." Do you kno the sequence to find it? Ive got 1 & 3 now selected for this experiment.

trythis3

de0u Both Wifi on and off. Both cellular on and off. I dont believe I have any ad blocking, as the only non GOS app store apps i installed were Abode, Eufy, Myhosmart (motion detectors, installed days after the other apps were installed and failing), F-Droid, Aurora Store.

de0u

trythis3 Im looking at the special use case on the Play Directions link you gave me, to run it as an experiment (probably the last).

If the built-in GrapheneOS network location service is enabled, it is not generally either necessary or recommended to engage Google's network location service. Did you enable the GrapheneOS network location service?

de0u

trythis3 Since the location is already built up with these devices for these apps, and the money and time are already comitted, I thought if I had the apps sandboxed, then at least Id have some advantage. And, all other apps could be treated normally by GOS to get its full privacy advantage over them.

I don't think I understand.

GrapheneOS doesn't "sandbox" apps in a way that is fundamentally different from Google's Pixel OS. There are some additional features beyond the standard Android application sandbox, such as contact scopes and storage scopes, but it's not clear those are relevant to these two apps.

What GrapheneOS does "sandbox" that Google's OS doesn't is Google Play. "Sandboxed Google Play" does not mean "Google Play except that the apps using it are specially restricted so they don't leak information to the app authors". What "sandboxed Google Play" means is that Google Play itself is not a privileged system application.

If you are concerned about limiting what the Adobe and Eufy apps can do, putting them (and Google Play) in a secondary user profile could help to some extent... but that inherently conflicts with getting full notification support on the lock screen, because apps in a secondary profile don't have complete access to the lock screen, and because if Play is in a secondary profile that isn't authorized to run in the background then the notifications won't even arrive in a timely fashion.

Overall, it's not clear to me exactly what you are trying to achieve. It might help if you could say what information you are happy to share with those two apps, what information you would like to withhold from those apps, and what else you are hoping to protect from what.

de0u

trythis3 I dont believe I have any ad blocking, as the only non GOS app store apps i installed were Abode, Eufy, Myhosmart (motion detectors, installed days after the other apps were installed and failing), F-Droid, Aurora Store.

I still think it might be interesting to try a messaging app.

trythis3

de0u Ive searched Location Services services" and it took me to "Network Location GrapheneOS proxy". It was "off". I selected GrapheneOS Proxy. No PushNotif. Then "Apple Server". Same nothing. :(