General Opsec

Bahulife

Moved from reddit:

So I'm unsure of what this falls under. I've searched around the sub reddit and I've pieced some things together but still missing others.

My objective: leak as little data as I can about myself, what I buy, where I go, who I talk too and what I search for and download.

I just installed graphene on a pixel 10 pro XL works great looks amazing, thank you devs! Most apps I've installed from aurora store or F droid have been flawless:

Proton Mail and Pass (had to disable my yubikey auth because it wasn't working)
Session and Molly (no issues)

Some apps and things have not worked:

Gemini crypto Exchange (just doesn't let me log in at all give me an error
Glint (says I need Google play won't even open)

So it's become apparent I probably need Google play services for some apps.

From what I've gathered from the graphene site my inclination is to not be worried about installing Google play services. It seems like I should be safe based off it being sandboxed.

But then I get confused by everything I'm reading on reddit. People seem super sketched to use it outside of a completely different profile and then there's the private space which seems to be good but again makes me think am I under thinking this or are people over thinking this.

TLDR need Google services for certain apps to work, how badly does this kill my opsec/infosec? Or am I dumb and graphene OS devs have made this fool proof and I should just use it?

thmf

Bahulife From what I've gathered from the graphene site my inclination is to not be worried about installing Google play services. It seems like I should be safe based off it being sandboxed.

You're missing some key information. Read on what an Android IPC (inter-process communication) is.
I may be not 100% correct, but it should roughly work like this. Apps in the same profile can communicate between each other if they agreed to this beforehand. While there are good legitimate reasons for this functionality, it may be abused. Sandboxing won't guard from that.
For example, you could install a Gboard (google keyboard) and Play Services in the same profile. Then deny Gboard network access, but at the same time allow network for Pay Services, because you want push notifications to work. Since both apps are from the same developer, Gboard may be able to talk to Play Services via IPC, because the devs agreed to this while the apps were developed. Now imagine you type your most sacred password using Gboard. Will it send it directly to google? No, because thanks to GrapheneOS Gboard has no network access. Could Gboard ask Play Services to send your password to google on its behalf? Absolutely. Does it happen in real life though? Probably not.
So all apps in their personal sandboxes is of course a very good thing. But people choose better isolation and use profiles at least for sensitive stuff.

thmf

Bahulife I've pieced some things together but still missing others.

My objective: leak as little data as I can about myself, what I buy, where I go, who I talk too and what I search for and download.

It seems like you approached the problem from the wrong end. It's better to answer the "What's your threat model?" question first. Once you know who you're defending from, then your opsec becomes clear.

americanDude

Directly from the GOS website,

"Since the Google Play apps are simply regular apps on GrapheneOS, you install them within a specific user or work profile and they're only available within that profile. Only apps within the same profile can use it, and they need to explicitly choose to use it. It works the same way as any other app and has no special capabilities. As with any other app, it can't access data of other apps and requires explicit user consent to gain access to profile data or the standard permissions. Apps within the same profile can communicate with mutual consent and it's no different for sandboxed Google Play."

Bahulife

americanDude yes I read this but again I've heard people say that because it's sandboxxed it doesn't matter if it's in the same profile or not it's about what permissions you give it. Is that not right?

gta3

Use frontends like eddrit.com instead of reddit.com

You replace every reddit.com link with eddrit.com

Greaemonkey script automates this

Also, start using a linux distro like Ubuntu / secure blue / fedora etc with librewolf browser, instead of windows / Mac and IE / Safari - That should massively reduce your metadata exposure

gta3

thmf The Bogey Man

Bahulife

thmf I don’t want to expose myself or my family to either hackers/exploiters and I don’t want to lose any money/investments I’ve been building for my family. I guess that’s the threat I’m guarding against.

Secondarily malicious state actors and overactive government

thmf

gta3 The Bogey Man

Then it's easy. OP should turn off TV, stop reading reddit for bad advice, and start enjoying their GrapheneOS phone.

Murcielago

Bahulife

yes I read this but again I've heard people say that because it's sandboxxed it doesn't matter if it's in the same profile or not it's about what permissions you give it. Is that not right?

...

I don’t want to expose myself or my family to either hackers/exploiters and I don’t want to lose any money/investments I’ve been building for my family. I guess that’s the threat I’m guarding against.

If that's your threat model, I would be less concerned about IPC e.g. your Gboard eventually (probably not) talking to Play Services and install all apps from Google Play Store (if you want to increase privacy, use a disposable account).

This would increase security because it's considered the “gold standard” in terms of security for installing apps and would also give you the security benefit that you flawlessly can use your Yubikey with Proton Mail and Proton Pass in that profile (there may be a way to also get them to work without Play Services, but it doesn't seem to work as seamless as with Play Services).

You could ad some extra security by installing your banking/investment apps in a separate banking profile (a setup frequently mentioned here in the forum - also setup with Google Play Services) – not so much to be safe from IPC and Google, but to have the banking apps in BFU whenever they are not in use (I don't have the knowledge to say how much this helps against hackers and exploits – but it may be quite helpful if someone snatches your device).

thmf

Bahulife I don’t want to expose myself or my family to either hackers/exploiters and I don’t want to lose any money/investments I’ve been building for my family. I guess that’s the threat I’m guarding against.

Secondarily malicious state actors and overactive government

Correct me if I'm wrong, but it seems like you aim for better security first and privacy is more of a secondary concern. If this is the case, then it's easier. You use GrapheneOS, so you're already miles ahead of most people in both of these terms.
General recommendation for security would be not to install shady crap and use only what you really need. More apps = more attack surface.
GrapheneOS sandbox is great, so be mindful of apps' permissions, meaning don't give a calculator app location permission and network, because it doesn't need it to do calculations. If a dictionary app states it needs network permission to download the dictionaries, then give the permission, download what you need, and take the permission away. Chances it works without network are really good. No network = less chance for remote exploitation of a random bug in any random app + privacy benefit is also very nice.
As others suggested, maybe put the most important things in a separate profile (or profiles) for better isolation and to keep that data at rest when not in use. Consider using Private Space for convenience. Set it up to lock on power button press to put it at rest when you lock your phone.
Aside of security you can also leak data from the privacy side. General recommendation is to use e2ee providers for services you need, so even the providers won't have access to your data. Messaging apps, like Molly/Signal, trusted email provider if you need email and calendar, like Proton/Tuta, Proton drive may be used as cloud storage, Ente is really good for photos, and a password manager, like Proton, Bitwarden or Ente Auth.
As I see it, you're on the right track, just use common sense, because it's very easy to over think it. Don't let good opsec become a tedious chore. You don't need to passionately defend every bit of your data from the whole world. Maybe even don't go for the whole my post and implement things more slowly. Start small and let us know how you do.

thmf

Might be relevant.