Google Play Store/Services sandboxing is unclear in usage guide

Criminal_Cucumber

The sandboxing of Google Play Store and Google Play Services seems unclear in the usage guide.

Apparently “Google Play receives absolutely no special access or privileges on GrapheneOS as opposed to bypassing the app sandbox[, and] it can't access data of other apps and requires explicit user consent to gain access to profile data or the standard permissions”. Yet, we are advised to “install it in a separate user or work profile [to avoid] making it available to all [apps]”?

If Google Play is sandboxed like any other app, then why should apps which need it be installed in a separate profile?

Additionally, the distinction between Google Play Store and Google Play Services is really confusing. Are they both equally sandboxed (or not) in the same ways?

I ask because I have separate profiles for banking and google maps, but I have recently become aware that GrapheneOS doesn’t recommend Aurora for security reasons. Plus, banking and maps in separate profiles is quite inconvenient, so I would prefer it all in the one profile. But I want to know what exactly Google has access to (i.e., collects data about) within a profile with Google Play Store and Google Play Services installed.

I’m sorry if this question has been asked a million times; I haven’t found a clear and simple answer.

(edit: hyperlink and clearer quoting)

mmobder

Criminal_Cucumber But I want to know what exactly Google has access to

It has access to anything any other 3rd party app would have access to, plus to what you manually allow it on top of that.
That's sandboxing. You can compare it to permissions of Services and Store on "standard" Samsung where they have elevated permissions and you can't remove those.

mmobder

Criminal_Cucumber banking and maps in separate profiles is quite inconvenient

you have just put yourself into a trap of overcomplicating the setup
no wonder as it was widely promoted here on the forum and in the advertised outdated guides.

mmobder

Criminal_Cucumber Yet, we are advised to “install it in a separate user or work profile [to avoid] making it available to all [apps]”?

There is such a thing like IPC.
A lot of apps supports Play Services as it's quite popular and convenient for developers in the first place (FCM for push messages, firebase for logging etc, Storage for cloud store, etc), but they still can work without it installed.
If you have Services enabled in owner profile, all such apps (a lot of open source apps rely on it as well) can use some some IDs for their convenience, but will leave traces of those IDs that reduces privacy.
If you keep all of Services separately, you will remove such a possibility.

fid03

Criminal_Cucumber Apparently “Google Play receives absolutely no special access or privileges on GrapheneOS as opposed to bypassing the app sandbox[, and] it can't access data of other apps and requires explicit user consent to gain access to profile data or the standard permissions”. Yet, we are advised to “install it in a separate user or work profile [to avoid] making it available to all [apps]”?

Think there might be a slight misunderstanding here. The full quote is this:

If you want to choose which apps use Google Play rather than making it available to all of them, install it in a separate user or work profile for apps depending on Google Play.

My emphasis on "if" here. It does not say "you should choose which apps…". It just mentions an option because some people might want selective Google Play usage for whatever reason they decide. It's entirely up to the user if they want this or not.

mmobder

If you have spare Private space, and none of your Google apps requires access to phone and sms, and you don't need NFC for them, just install all of that in PS.

As AOSP in general wasn't built for privacy in the first place, there will be a lot of info that you may consider private (like list of installed apps etc).

PS will help to limit some of it, though not all (see MediaDRM ID).
PS will give you a chance to lock it when not needed (so all google apps are shutdown at once).
PS will give you an opportunity to route network requests via separate VPN to further separate potential fingerprinting by Google.

Criminal_Cucumber

mmobder Yes, anyone with search can find information on this forum, but sometimes there's too much information, much fragmented, unreliable, and full of acronyms which newbies don't understand, hence why I said "I haven't found a clear and simple answer".

fid03
So GrapheneOS is suggesting that "some people might want selective Google Play usage for whatever reason they decide", but that better privacy is not one of them?

de0u True, I know this.

So, to be clear:

If I have both Aurora and Google Play Store installed, the only difference in privacy between installing through Aurora or the Google Play Store is that in the latter case, the basic installation and update data (app name, time) is tied to the Google account signed into the Play Store. Whereas in the case of Aurora, Google could only associate basic data (app name, installation time) with the user/device through indirect methods such as IP address (correlating with the IP address tied to the Google Play Store account)?

Even if Google Play Store is installed, Google has no way of knowing what I install through F-Droid, and no direct way of knowing what I install through Aurora?

So Google (Play Store and Play Services) have no access to what I do within the apps I installed through its store? What about in the case of my banking app which underpins a push notification to confirm purchases when online shopping? Does Google somehow have access to the data bound to this notification, which might include data tied to my bank account, such my name?

I just want to be 100% sure what privacy sacrifice, if any, will be made if I move my bank account and google maps to my main profile.

(edit: typos)

mmobder

To sum up - the guide is quite clear and suggests a good practices for beginners.
For those seeking deeper knowledge, and familiar with a concept of Search (be it internet or the forum), there is plenty of knowledge here on forum, as the info becomes outdated over time.

de0u

Criminal_Cucumber "Sandboxed Google Play" means "Google Play running in the Android app sandbox with the powers of a regular app without superpowers such as being able to wipe the device". It does not mean "Google Play with a privacy filter so that privacy-invasive apps are transformed into privacy-respecting apps".

de0u

Criminal_Cucumber

I think perhaps the big thing people overlook about installing an app from Aurora is that as soon as the app is launched it probably makes a bunch of calls to Play Services (most apps from the Play Store do). So the moment of installation may be anonymous, but if the point of installing the app is to use it then the fact that it's been installed can be connected to the Google Play account.

Even if a Play Store app installed via Aurora does not ever contact Play Services on the device, the Play Store app itself may well contain Google-authored libraries that directly contact Google servers (and/or other libraries that send telemetry to servers run by other parties).

Overall, Aurora is not a way to convert privacy-invasive apps into privacy-respecting apps.

de0u

Criminal_Cucumber So Google (Play Store and Play Services) have no access to what I do within the apps I installed through its store? What about in the case of my banking app which underpins a push notification to confirm purchases when online shopping? Does Google somehow have access to the data bound to this notification, which might include data tied to my bank account, such my name?

If the bank app is well-written, it can send notifications via FCM that encrypt all sensitive details (such as the account number). If the bank app is not well-written, who knows what it sends in clear text (or, perhaps, encrypted but not well).

Criminal_Cucumber I just want to be 100% sure what privacy sacrifice, if any, will be made if I move my bank account and google maps to my main profile.

It's hard to say! If you are currently using privacy-invasive apps, maybe the additional privacy loss of Google being able to fingerprint the device via an app inventory is minor.

Said differently... when it comes to maps, I think it's probably necessary to choose among different ways to "pay":

Pay some subscription to a service that hopefully doesn't sell your data,
Use a less-featureful app that doesn't send anything to anybody (e.g., OsmAnd),
Use Google Maps and "pay" by being tracked,
Spend time on various workarounds that may or may not reduce how well Google Maps tracks.

I don't think any large wealthy organization is pouring millions of dollars into making convenient apps with great maps and real-time traffic data and giving all of that away for free.

littlerack

Criminal_Cucumber If I have both Aurora and Google Play Store installed

Why that may be needed? I can understand Services (w/o internet) + Aurora, so there is no "Google data hub with internet access", but why add Play Store itself (as another data collector)?

Criminal_Cucumber

de0u

as soon as the app is launched it probably makes a bunch of calls to Play Services (most apps from the Play Store do)

This contradicts the usage guide, no?

As with any other app, it can't access data of other apps and requires explicit user consent to gain access to profile data or the standard permissions. Apps within the same profile can communicate with mutual consent and it's no different for sandboxed Google Play.

de0u

If the bank app is well-written, it can send notifications via FCM that encrypt all sensitive details

Is it possible for me to know if FCM are encrypted?

littlerack

Why that may be needed? I can understand Services (w/o internet) + Aurora, so there is no "Google data hub with internet access", but why add Play Store itself (as another data collector)?

I thought Services and Play are interdependent.

Novalissoide

All my banking apps or ID etc, are ok with both Sandboxed Google Play Services, and Store being disabled all the time, and without a logged in account.

By "Sandboxed Google Play Services" you just mean GPS via GrapheneOS? And by "disabled" what do you mean?

It's still unclear to me how an app store, whether Aurora and Google Play Store (and services), communicate with apps. Some level of communication is necessary beyond installation to enable updates, right? Can an app only be updated through the store it was installed?
When the usage guide says Google Play can't access data of others apps or communicate without "explicit user consent" or "mutual consent", how exactly is this consent established? The only thing I see in the app settings/permissions is toggling "Block usage attempts" of "Play Integrity API". I don't know if I'm missing something obvious or if this is all there is to Play Store <> App communication? I can't see how to enable communication consent between two normal apps, which the guide claims is possible: "Apps within the same profile can communicate with mutual consent".

littlerack

de0u I think it's probably necessary to choose among different ways to "pay":

Or use a combination. OsmAnd for general maps (like for travel), Waze (in guest mode) for car navigation and GMapsWV for POIs or public transport (if there is no dedicated app for public transport). As those are often time-split activities, Waze and GMapsWV aren't used often.

Novalissoide

littlerack why add Play Store itself

I believe this is the best thing to do in several use cases, since the Services expect the Store to be present. It can be kept installed but disabled, that way it cannot collect anything but it helps keeping the Services less 'concerned'.
All my banking apps or ID etc, are ok with both Sandboxed Google Play Services, and Store being disabled all the time, and without a logged in account.

BeepBeep

I have the same basic question as the OP: I've been using a secondary profile as my daily driver and the Google Store in the Owner profile. But, apparently SMS/MMS (and a few other things) isn't (aren't) going to be working properly in secondary profiles. Otherwise, I only need Google for its App Store, and I could even disable Services and the Store when not updating apps. I've read everything on the topic, and I still can't tell what is the practical implication (not simply conceptually) for my privacy of me being forced into the Owner profile where Google apps are present.

Separately, I'm also currently looking at using Cape cellular, which must be run in the Owner profile, must have Google Services, and uses Firebase (ultimately, these requirements may be disqualifying irrespective of their actual service). What is the practical implications for my privacy in this case?

Thx

EverettHitch

BeepBeep the practical implication is that when you continue using Play services, it will continue maintaining the list of of your installed apps (among many other things we don't often hear about here and not only because it doesn't align with official narrative which is eat your carrots and read you bible) among plethora of other hardware and non-hardware identifiers to keep track of you. All in all it's a nasty piece of software andI I do not really understand why GOS devs endorse it besides security values, which is not enough for me.

EverettHitch

EverettHitch which is by long far not enough for me. This forum is a joke.

Delaney

EverettHitch All in all it's a nasty piece of software andI I do not really understand why GOS devs endorse it besides security values, which is not enough for me.

The point is to achieve stock pixel OS feature parity while maintaining security and, to an extent, privacy.

EverettHitch

Delaney that can be only said by a multi year user of an i product

littlerack

Criminal_Cucumber Google Play can't access data of others apps

In "traditional" Android, Play Services/Store has unrestricted access to whole storage and thus user data of all apps. In GOS - it doesn't (see "storage scoped" etc)

littlerack

Criminal_Cucumber I thought Services and Play are interdependent

Play Services are doing just fine without Play Store in my case. I use Aurora to install apps as this way I do not give Internet access to Google "core" data collection points (and I don't have one of them at all - Play Store).

de0u

Criminal_Cucumber This contradicts the usage guide, no?

No.

Sandboxed Google Play on GrapheneOS, unlike Google Play on Google's stock OS, can't directly access the data of applications at random. That has nothing to do with whether or not apps built to exchange data with Google Play will exchange data with Google Play (they will).

Criminal_Cucumber When the usage guide says Google Play can't access data of others apps or communicate without "explicit user consent" or "mutual consent", how exactly is this consent established? The only thing I see in the app settings/permissions is toggling "Block usage attempts" of "Play Integrity API". I don't know if I'm missing something obvious or if this is all there is to Play Store <> App communication? I can't see how to enable communication consent between two normal apps, which the guide claims is possible: "Apps within the same profile can communicate with mutual consent".

"Mutual consent" means "consent of the two apps" (via, e.g, Binder). It does not mean "with consent of the user".

The developers have expressed some interest in providing a way for users to filter which apps communicate with which other apps (Issue #2927). That has turned out to be difficult.

Regardless, with respect to apps obtained directly from the Play Store or indirectly via Aurora, if the app was coded to communicate with Play Services then there is a high likelihood that if it can't communicate with Play Services it will refuse to operate. Some will complain and function to some extent (e.g., recent posts about Twint), and others will refuse to function. On the other hand, some apps will just fall back to built-in libraries that share the same information without Play Services.

If an app is privacy-invasive, installing it via Aurora and letting it talk to Play doesn't convert it into a privacy-respecting app. Installing it via Aurora and stopping it from talking to Play may break it, or may cause it to use built-in privacy-invasive code instead of Play.