Can and will sandboxed Google Play Services access hardware identifiers?

SpeakYourMind

I might want to install an app that only runs with google play services.
But i hesitate. And the reason is that i did install google play services in a separate user profile i am still worried about the data collection of Google - 2 questions which are still unclear to me:

In the Faq is written that:
"As of Android 10, apps cannot obtain permission to access non-resettable hardware identifiers such as the serial number, MAC addresses, IMEIs/MEIDs, SIM card serial numbers and subscriber IDs. Only privileged apps included in the base system with READ_PRIVILEGED_PHONE_STATE whitelisted can access these hardware identifiers."

I am now worried that while most data between apps will not be shared (since i have PS in another profile) that Google reads the hardware identifiers of my 2nd profile, sends them to google and then all the profiles on the phone are are then conected to this phone?
Is there a way to block/obfuscate the sending of the IMEI of my phone to google even when sandboxed google play is running?

I it is a silly question but i want to make sure i got this right: The main problem of my 2nd profile the GSF and PS is running, then it does not help that the mere act downloading the apps from aurora store does not help privacy in any way? and when those services are runnin anyways i can download the apps from the playstore app as well, since all the apps from aurora have the tracking codes inside of them (since it just accesses Playstore), and those will connect with GSF. Or would there still be any difference?

Thanks!

de0u

SpeakYourMind Is there a way to block/obfuscate the sending of the IMEI of my phone to google even when sandboxed google play is running?

It's sandboxed, not running with system privileges, please see: https://grapheneos.org/features#sandboxed-google-play

At present to install an eSIM while running GrapheneOS you must enable Google's eSIM manager, which is privileged code and likely shares your IMEI with Google. But that requirement may be removed in the future.

It is probably productive to read 100% of the GrapheneOS usage guide and FAQ.

spring-onion

SpeakYourMind I am now worried that while most data between apps will not be shared (since i have PS in another profile) that Google reads the hardware identifiers of my 2nd profile, sends them to google and then all the profiles on the phone are are then conected to this phone?

The google play store and its components isn't privileged. It can do just as much - or little - as any other app you have installed on your device. That means it, too, can't read those sensitive hardware identifiers, unless you enable privileged eSIM management. So you don't have to do anything yourself to stop that.

SpeakYourMind then it does not help that the mere act downloading the apps from aurora store does not help privacy in any way?

The benefit here is that the requirement to login is omitted.

[deleted]

spring-onion That means it, too, can't read those sensitive hardware identifiers, unless you enable privileged eSIM management.

Well Google's Play store can't, but Google's eSIM app can

Google Play store and Google's eSIM app are different

SpeakYourMind

spring-onion

The google play store and its components isn't privileged. It can do just as much - or little - as any other app you have installed on your device. That means it, too, can't read those sensitive hardware identifiers...

I kinda get that. I guess my problems stems from that a) Apps do talk to each other and exchange information between each other and b) that i don't really understand the whole implications of:

Only privileged apps included in the base system with READ_PRIVILEGED_PHONE_STATE whitelisted can access these hardware identifiers."

So whrere can i see the apps that have access to the hardware identifiers? Where can i check this in my phone in the settings? i could not find anything. It is a bit confusing since the FAQ says that since Android 10 no app can acesss hardware identifiers except prvileged apps. And if we get even PS to run completely without it why would the priviliged apps then need it?

I don't want that due to the fact that apps communicate between each other that in the end the beans are spilled with "GSF". So i get surprised like this user got surprised with the account data beeing shared between apps.
[https://discuss.grapheneos.org/d/6338-google-apps-and-google-accounts]

Have a good one!

Graphene1

If you decide to install play store you way as well use play store to install apps as it can see all the apps you've installed anyway.

SpeakYourMind

[deleted]

I am not planning to run eSIM for that reason...
I just don't have the feeling that i understand this very well / like i wrote in my last post. What whitelisted apps would be, if even play store runs without it.
"Only privileged apps included in the base system with READ_PRIVILEGED_PHONE_STATE whitelisted can access these hardware identifiers."

and where to check this on phone settings...

de0u

SpeakYourMind The FAQ says that since Android 10 no app can acesss hardware identifiers except prvileged apps. And if we get even PS to run completely without it why would the priviliged apps then need it?

For the Settings app to display your IMEI to you, the Settings app must be able to read the IMEI. Or it must communicate with a hidden system app that can read the IMEI. To make your phone work, there must be acres of privileged code. Luckily much of that code holds only a small set of privileges needed to do some particular job (see: "least privilege").

To install an eSIM, some piece of code must be authorized to talk to the eSIM hardware. At present the only eSIM manager that runs on GrapheneOS was written by Google.

But code to pay Google for apps and download them does not need to know your IMEI or talk to your eSIM module. In GrapheneOS it can't.

[deleted]

SpeakYourMind and where to check this on phone settings...

You'll need to use ADB I think

SpeakYourMind

well i guess that is a little bit beyond my scope of interest/paygrade.

i was trying more to understand how this works. Whether those "privileged apps" are there but are purely internal GrapheneOS "stuff" that is never shared with any service from apps or google.

Or whether this is something that i can install apps, that need privileged access (for whatever reason) and that i could then witelist them...

Basically understanding better what those privileged apps are and how secure it is that they never share data with google services/apps...

SpeakYourMind

de0u

Thanks for that answer. After reading:"...must be acres of privileged code" i shouldn't feel better, but do laughing.
It's always good to understand better how things work. I just hope it is encapsuled well. Google services feels like the total predator that you need to put in the toughest steel cage that one can find, even if it is installed in another profile.
That if you type in your login credentials in one google app, that than all of them have it just shows in my opinion how dangerous this non-system apps talking to each other is...

Have a good night...

N1b

Not sure about how important the app is, but if your threat model requires using this specific app beyond the security of a separate user profile, you could buy an extra GOS device for exclusive use. The cheapest Pixel phone in terms of cost per year of remaining security updates would currently be the Pixel 6a or 7a. This might be too inconvenient or expensive for you, but it would truly separate your app from everything else, given you are keeping up good OPSEC and don't share anything else voluntarily.