Hey all,

I'm still new to the Android world and originally come from iOS.
Unfortunately, since all my friends and family use WhatsApp, I am forced to use it as well.

How dangerous or unsafe is it to use WhatsApp on GrapheneOS?
I only have one profile on my Pixel (owner).

    It's still far better than using Telegram or some other non-encrypted messaging service.

    WhatsApp features E2EE by default, so it is actually one of the reasonably okay options, if Signal is not an option for you.

    Now, with regards to running it on your phone, you really have nothing to worry about. All applications on Android are sandboxed and will only gain access to what you allow them via permissions. Nothing else. It's the same for any app.

    TheGodfather According to these articles WhatsApp will gather your Device ID. However, as of Android 10, apps can no longer access non-resettable hardware identifiers on Android. The articles were published after Android 10 was released (2019), so either they are unaware of these changes, are making a general comment about all versions of Android, or there is some device ID it accesses that I don't know about. Do you know which device ID they are collecting?

      I try to get my friends on Signal if I can. If not > WhatsApp. It's still better than plain SMS and, probably, iMessage

        junction we're in the same position. It amazes me how everyone can be so keen to transition to one service from SMS but then become so obstinately averse to then moving to something better because it is inconvenient.
        I suppose it comes down to the fact that WhatsApp was the cheaper/media rich alternative offering something above SMS, it is also the reason I can imagine why Signal play around in the payments space as to move people en masse they have to have a significant enough differentiator too and why things like Session, Briar et al. will also struggle to be more relevant outside their niche.

        • [deleted]

        Thanks guys for your assessment on the subject.
        I also find it extremely unfortunate that so many people still use WhatsApp, but that seems to be the general peer pressure.

          • [deleted]

          Using WhatsApp is not ideal, but it still offers very strong encryption and is far better than SMS or Telegram. I think for most people outside the US the privacy benefits of ditching it completely are not worth the social isolation that it would bring in many cases. I would love to be able to use Signal for everything but there are far worse platforms to be locked into.

          7 days later
          10 months later

          And would any of you WhatsApp users allow it to be installed in a profile that handles other critical data?

          Does it require GSF to run?

            Toomanyuserprofiles From the time when I used WA (I ditched it four years ago), I remember that the app didn't require Google Services back then because I ran it on a LineageOS phone without Google Services installed.

            I'm trying to decide if I trust it enough to be used in my daily driver profile.

            I picture it hoovering up contents of my encrypted connections and so on.

            If it is as most people say, and can at most read which other apps are installed it should be fine. But I feel naked at the thought of it knowing my logins and emails for each app in use.

              • [deleted]

              Toomanyuserprofiles I have been using it for the lack of better alternative and unwillingness of my loved ones since I installed GrapheneOS. Without major problems. If you don't use Play Services, with unrestricted battery it gives reliable notifications. I found out that when I experimented with installing/uninstalling Play Services with WhatsApp already installed, it breaks notifications so had to reinstall a few times. Never pursued the area of backing it up, always fresh install. It is a solid messenger and if it puts your mind at ease, LibChecker says it contains no Google libraries so IPC with Google apps/apps containing Google libraries is unlikely. That is on device side and it doesn't mean it will not collect certain data for the purpose of server-side analytics (possibly Google linked). This is not an expert opinion of course. I am looking for a better alternative and any recommendations with reasoning are welcome.

                The main concerns are from granting it permissions to access your data.

                As I understand it (having never used it) the biggest problem is that it can be hard to use without granting it permission to access your contacts. This is a valid concern. Unfortunately everyone you know who uses WhatsApp has likely already shared all their contacts. Combining that with other data they have got from elsewhere lets WhatsApp / Facebook construct a large part of most people's social graph.

                Still, I think best to avoid feeding them more data if at all possible. The upcoming GrapheneOS Contact Spaces feature will provide a neat way to control what contact data WhatsApp can access.

                Another option you can use now is using WhatsApp in a different user profile. Maybe even worth considering using a work profile via Shelter or Insular if user profiles don't work well for you.

                Imagine you can share files and images from Gallery and Files or other apps into WhatsApp so you don't need to grant WhatsApp any files / media permission. Also Graphene's Storage Scopes lets you work around those permissions and control the stuff it can access.

                [deleted] LibChecker says it contains no Google libraries so IPC with Google apps/apps containing Google libraries is unlikely.

                This LibChecker result is interesting because there is Google Analytics inside.

                com.google.android.apps.analytics
                com.google.android.gms.analytics
                com.google.analytics
                  • [deleted]

                  Hat thank you, you made me look at it again. And there I see it, not a library but a service.

                  com.google.android.gms.analytics.AnalyticsJobService
                  com.google.android.gms.analytics.AnalyticsService
                  com.google.android.gms.auth.api.signin.RevocationBoundService
                  com.google.firebase.components.ComponentDiscoveryService
                  com.google.firebase.messaging.FirebaseMessagingService
                  -> Analytics, sign-in, Firebase and FCM

                  Thank you for bringing that up.

                  But when I tested the network activity of WhatsApp some weeks ago with PCAPDroid all it was showing was connecting to WhatsApp servers once every 30 seconds presumably providing notification service. That is without sandboxed Play Services installed.

                  • Hat likes this.
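
The distinction drawn in the last few posts, between libraries bundled in an app and components declared in its manifest, can be checked directly against a decoded `AndroidManifest.xml`. The following is an added example, not part of the original thread: it assumes the manifest has already been decoded to text XML (for instance with apktool), and the package name `com.example.messenger` and `LocalPushService` are constructed sample values; only the five `com.google.*` service names come from the post above.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("service", "receiver", "provider", "activity")

# Longest matching prefix wins; labels follow the ones used in the post above.
FAMILIES = {
    "com.google.android.gms.analytics.": "Analytics",
    "com.google.android.gms.auth.api.signin.": "Sign-in",
    "com.google.firebase.messaging.": "FCM",
    "com.google.firebase.": "Firebase",
}

# Constructed sample manifest (hypothetical package, service names from the thread).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.messenger">
  <application>
    <service android:name=".push.LocalPushService"/>
    <service android:name="com.google.android.gms.analytics.AnalyticsJobService"/>
    <service android:name="com.google.android.gms.analytics.AnalyticsService"/>
    <service android:name="com.google.android.gms.auth.api.signin.RevocationBoundService"/>
    <service android:name="com.google.firebase.components.ComponentDiscoveryService"/>
    <service android:name="com.google.firebase.messaging.FirebaseMessagingService"/>
  </application>
</manifest>
"""

def resolve(name, package):
    """Expand manifest shorthand (".Foo" or "Foo") to a fully qualified class name."""
    if name.startswith("."):
        return package + name
    return name if "." in name else package + "." + name

def google_components(manifest_xml):
    """Group declared components under com.google.* by SDK family."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found = defaultdict(list)
    for tag in COMPONENT_TAGS:
        for node in root.iter(tag):
            name = resolve(node.get(ANDROID_NS + "name", ""), package)
            prefix = max((p for p in FAMILIES if name.startswith(p)), key=len, default=None)
            if prefix:
                found[FAMILIES[prefix]].append((tag, name))
            elif name.startswith("com.google."):
                found["Other Google"].append((tag, name))
    return dict(found)

if __name__ == "__main__":
    for family, items in sorted(google_components(SAMPLE_MANIFEST).items()):
        print(family, [n for _, n in items])
```

A declared component only shows that the SDK code is wired into the app; whether it ever runs or sends traffic is a separate question, which is what the packet capture mentioned above addresses.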