GrapheneOS Owner Profile or Pixel Stock?

I'm considering buying a Pixel phone to reduce my reliance on Samsung and Google, focusing solely on Google. Naturally, I'm considering installing GrapheneOS to further reduce my dependence on Google. However, I have some questions before making a purchase to ensure it meets my needs.

My plan is to primarily use one profile where I would have WhatsApp, GMail, Google Maps, GCam, and Google Photos, all logged in with my account. Additionally, I would like to have Infinity, Instagram, Spotify, my Samsung Watch 4 app (although I plan to migrate to Oura), and my Samsung Buds that I'd like to work with sound isolation, along with a 2FA app, Twitter, and a few others.

I'd also like a second profile for banking and cryptocurrency apps. These apps are used occasionally, so I don't mind switching profiles for them.

I also use a lot of FOSS apps... is it better to isolate them in another profile without Google?

The question is: Is it worth doing this, or should I stick with the Pixel as it comes from the factory? My reliance on Google services and the interconnectedness I expect, such as sharing an Instagram story through WhatsApp or sharing photos or tweets, makes it inconvenient to separate profiles. Would there be any benefits? From what I've read, there's already some isolation in Android, but I'm not sure if it's significant for my specific case of data-collecting apps.

Thank you in advance to anyone who takes the time to respond.

    hgjvbgjhvv From what you've said, installing GOS should cause no problems for you while giving you a lot more privacy and security in the defaults (hardened malloc, kernel, app runtime, sandbox etc) and with the great feature set (contact and storage scopes, network and sensor permission, sandboxed google play etc).

    The only problem I could think of is that your specific banking app doesn't work with GOS. That's rarely the case and you can consult this privsec list to check in advance.

    As for FOSS apps running on a separate profile: With your threat model that allows for WhatsApp and GMail, I'd say the privacy benefits are negligible. Many FOSS apps don't even use Google Services or don't consent to sharing data with other apps. But as so often it depends on what you use and need, maybe if you give us a list of your apps we could give you more detailed advice.

    So in short: If your banking app doesn't break, I see lots of benefits and no disadvantage for you in using GOS.

    Hello, thank you for your response. I understand that my threat model may be insulting to most of the privacy community, and I appreciate that you haven't dismissed my message.

    Since I haven't tried GrapheneOS yet, I don't quite grasp how inconvenient it might be to have multiple profiles. However, the reality is that I don't want to deal with things like receiving WhatsApp calls in the wrong profile, or double-tapping the camera and having GCam photos not sync with Google Photos, or similar issues.

    Here's a breakdown of what I'm looking for:
    The apps I want to be able to intercommunicate are (there are many FOSS apps, as you can see):

    GCam, Google Photos, Gmail, Fit, Drive, Youtube, Google Maps, Infinity, Eternity, Twitter, Instagram, Whatsapp, Bitwarden, 2FAS, Mastodon, Duolingo, Firefox, Brave, Signal, ProtonMail, ProtonDrive, Mullvad, ProtonVPN, Anki, OnlyOffice, Standard Notes, Telegram.
    I also use PrivateDNS and VPN 99% of my time online.

    I'm also interested in keeping my Samsung Watch 4 smartwatch always synchronized. To achieve that, I need to install "Samsung Wearable app" and Samsung Health (I'm not sure if this is possible, and if so, can it be installed in a second profile without losing Bluetooth connectivity? I mean, having 100% sync all the time, like in any stock android with the app).

    Lastly, there's the matter of banking and crypto apps, as I mentioned earlier, which would be occasional.

    If it's not a bother, I'd like to ask a question because I'm not quite clear on this. Will FOSS apps installed with their APK have any direct communication with those installed via Google Play in any way? In other words... can they detect that I have them installed and somehow track some telemetry data to identify me in some way without my explicit consent (e.g., sharing a photo from Infinity through WhatsApp)? If that's the case, I might consider moving many apps to a second profile.

    Thanks again!!


      hgjvbgjhvv thanks for sharing details, I'm sure it'll help people here to support you better. Btw. I don't think your threat model is insulting, there are good use cases for all the apps you mention and nobody should judge others here for their individual situation and needs. What I tried to say is that if I were in your situation, I wouldn't separate profiles for the sake of reducing open source apps communicating with other apps and each other. GOS has great sandboxing and features like storage and contact scopes to further control what apps can do, so my privacy benefits wouldn't be worth the inconvenience. If I wanted to use profiles to separate work and private life or different workflows, it would be a different conversation.

      I don't have experience with WhatsApp, but you can search this forum as I remember there were some quirks with contact scopes. Also Brave doesn't currently work with Bitwarden's autofill service, but that might be an AOSP-wide issue and not GOS related. Mullvad and pretty much any app works like a charm.

      What apps can do or not doesn't depend on where you install them from (if it's the same version). If open source apps use GSF, they will share data with Google. If there's mutual consent between apps, they will share data with each other. At least that's how I understand the matter. Using different user profiles will solve this, but you should be aware that it opens up new complications (you need to make sure to install the same version of apps in each profile, every profile has their own VPN setup independently, some settings are only available to the owner profile etc.). But you'll figure this out with time, so if using multiple profiles looks interesting to you, try it out and see if that works for you.

      And if it helps your confidence: I have faced no issues with GOS that I wouldn't have faced on stock Pixel OS. It's well polished and has been a really nice experience. Once you experience all the power and control you suddenly have over your device and data, you probably don't want to go back to a system without contact scopes, storage scopes, network toggle, per-connection network randomization, pin scrambling, auto-reboot and many more, the feature list is amazing. Android Auto and Google Pay won't work (for now), but these are no sacrifices for me as I don't use them anyway. So be warned, because nothing else might satisfy you after using GOS. ;)

        • [deleted]

        N1b If open source apps use GSF, they will share data with Google. If there's mutual consent between apps, they will share data with each other.

        They "can", but not necessarily "will". Also, I think mutual consent is not needed for sending data in some cases. For example, an app can invoke the Dialer app and share the number it wants to be autofilled, so the user doesn't have to input the number manually.

        N1b Also Brave doesn't currently work with Bitwarden's autofill service

        Does it work with other autofill services?

          • [deleted]

          hgjvbgjhvv In short, running a bunch of mainstream apps or even privacy invasive apps doesn't defeat the purpose of using them on GrapheneOS. Outside of a couple of edge cases (Android Auto, Google Pay and others depending on Play Integrity API) you're mostly better off running them on GrapheneOS. If it turns out GrapheneOS is not for you, you can always replace it with stock OS just as easily as you installed it.

          I'd also like a second profile for banking and cryptocurrency apps. These apps are used occasionally, so I don't mind switching profiles for them.

          Unless you have a clear understanding of what it is you are compartmentalizing and why, I'd say stick with a single profile. That said, your particular threat model may merit multiple profiles, I don't know. I personally don't keep more than a couple of hundred bucks worth of crypto on my phone and don't generally do my banking on my device. There's no erasing GrapheneOS device remotely and also no good backup solution for when you might need to factory reset and start over, so I keep mine pretty clean.

          hgjvbgjhvv

          I'd say if you don't have a clear reason for using GOS and you don't have a clear vision of what aspect of it you are going to benefit from, then why switch?

          Are you trying to be more private about something? What exactly? And does going to GOS actually make you more private given that you are engaging in all those other privacy exposing activities?

          Are you wanting a more secure system? Why? What's wrong with what you got and how does GOS improve it for you?

          You explained a bunch of stuff but I still couldn't extract any single and clear privacy or security vector that you were specifically after to say "ok, GOS will help this way or that way".

          Also note that with GOS come certain compromises like Android Auto, voice assistance, and loss of other Google features like background music discovery, and maybe more.

          So make sure you are clear (with specific things) about what you want to achieve with GOS to then be able to judge if it actually improves anything.

          One vector I can see is that you could limit WhatsApp and Instagram access to your contact list. But that's it kind of.

          From the looks of it you don't really care too much about privacy and what it is you want to achieve is not clear. Whatever GOS offers, you "might" be undoing with some of your other actions to the point of making GOS no better, or worse than default OS. So you need to be clear about your aims and how your other uses and actions don't interfere/back-track with the solution you are applying (installing GOS.)

          Read the entire GOS website before you decide and I really do mean THE ENTIRE site. The features, usage and FAQ and install pages. It will clarify for you what you will or won't gain from going GOS.

          If you wanna hide from the mailman, installing tinted windows will do it, but won't do it if you got your name and statue built into the yard.

            N1b Thank you for your response. It's really helpful for me to know that you haven't encountered major issues with GrapheneOS, as practicality is a priority for me. I'll take your advice to avoid separating my apps into profiles too much, and I'm considering a new approach:

            - Owner = Profile for daily use apps (those I use at least once a day)
            - Finance and others = Once a week

            My initial idea was to separate the FOSS apps from the ones installed with my Google Play account to prevent them from "communicating" and losing the new privacy I would gain with sandboxing. However, as I understand from what has been explained here, the sandbox takes care of that, unless I willingly consent to such communication. I have nothing to lose by trying, and I'm eagerly awaiting the new Google Pixel 8 Pro to dive into this new world. Thanks again for your time :)

            User2288
            To answer your first question: yes, I'm trying to improve my privacy, but I'm not willing to make the leap by giving up my social life. I once read that privacy is a spectrum, and every step forward is worth celebrating, regardless of whether the practical goal of being more private is achieved.
            To answer your second question: no, I'm not looking for a more secure system. In that regard, I have full confidence in Google's security.

            I understand that GrapheneOS may come with some usability prejudices, which is why I wanted to consult this forum before diving into this world. My argument was as follows: today, all my apps communicate with Google because they are installed from Google Play, and I assume that Google literally reads everything that goes through my phone (no matter what they claim in theory, I always assume the worst). I also don't trust installing apps from F-Droid or directly from each app's GitHub, as I understand that Google could still leverage its privileges to see everything. Google knows and sees everything about me. I want to change that. I'm willing, initially, to sacrifice some usability, but not something that's substantially important. I'm not going to give up my social life and media consumption habits overnight; that's not what I want to do. I believe starting with GrapheneOS will make me more conscious of which apps I no longer want in my life, but there are others I simply can't give up (like WhatsApp). I'm fortunate to have many friends and family, and in my country it is the default app.

            From the looks of it you don't really care too much about privacy and what it is you want to achieve is not clear.

            This is the kind of comment I expected on my first post in a niche privacy forum. It amuses me because in my family and among my friends, I'm the person who "always nags about privacy" when "nobody cares about what I post". Clearly, I don't have, nor will I ever have, your code of conduct, but it's sad to think that it's "all or nothing" for you. I have a different life and different needs. I admire people who live outside the system and are happy with alternatives. I'm just not there yet.

              hgjvbgjhvv I totally agree with User2288 on this one. If you need a better answer or advice for a solution to your problem or whatever it is you are looking for, I don't think it can be articulated better than what User2288 posted. He asked the right questions for you to think about and answering those questions will reveal the solution to your inquiry. Read the whole GOS website info and FAQ and contemplate on your path moving forward. But sometimes (one being this one) having it both ways (privacy and convenience) can't be done.

                Enas Thank you for your input. It's true that achieving both privacy and convenience can sometimes be a challenging balance, but I'm determined to find the right solution for my needs.

                I read the FAQ before posting, and I came to the forum to clarify my doubts before buying a new phone solely to install this OS. The communication is excellent, but it's true that the language is technical, and some things can't be explained in simpler terms. Or at least, there aren't people here who can do it or have the time and willingness to do so, and that's why we're on this forum.
                Well, don't worry. I'll definitely take your opinion into account regarding the possibility that GrapheneOS may not be suitable for me.

                hgjvbgjhvv
                Ok. First off let me apologize for coming across the way I did. If I sounded aggressive or critical consider it my curse that I have to live with. I totally understand where you are coming from and have been in your shoes, where I didn't have enough knowledge and did unnecessary things or went over the top or applied the wrong solution. So let me re-express. I don't want to in any way dissuade or demotivate you from what you are doing. What you are doing is honorable and applaudable given the firm resistance you face from the rest of the world.

                I might be wrong about some of the things I'm about to say, but hopefully others will correct me. Take it as my best attempt to sum things up for you.

                With a normal google infested android phone google has access to:

                • All contacts info
                • All your text msgs
                • Everything you type (in any app)
                • all your saved wifi passwords
                • All your browsing
                • gives away your google identity to all websites you visit
                • your phone log (call times, who you called, how long, etc.)
                • full access to camera, microphone, and other sensors at any time
                • all hardware IDs
                • metadata or actual data of all your files or pictures
                • sim data
                • your location (constantly), and it uploads it even after you turn every option off and disable everything possible, collects it even when you don't have internet, and uploads later.
                • theoretically allowing backdoor access to your system and installing hidden components or surveillance elements.
                • application IDs
                • inbuilt analytics collusion with many popular apps
                • Inter-Process Communication (IPC)
                • etc...

                Apps like whatsapp and instagram have access to:

                • Android ID and Advertising ID, which you can't evade
                • your files (once they force you to accept their agreements)
                • your full contact list (once they force you to give it to them or they won't work)
                • etc.

                Also carriers have the ability to install forced components onto your OS automatically using google services without you having any control over it. (Don't know how, but apparently they can)

                By using GOS, basically almost all the above can be eliminated. Unless you go back and one by one re-enable access to those things by installing bad apps and giving them permissions.

                On a phone with GOS you can do a few things you can't do on other phones:

                • granular storage access control for apps
                • granular contacts access
                • block all internet access to individual apps
                • block the usb port from being used to install trojans on your phone
                • and more...

                On gos each profile has a different Android ID, and fake advertising ID. So each profile can kind of look like a separate phone to naive apps. It also fully isolates apps and IPC.

                On gos apps and GPServices have no access to your sim or identity info. They only see your country code.

                In the case of FOSS apps, you don't really need to isolate them because first off they are not doing anything bad and are not trying to gather identifying data on you. Secondly other apps can't see what's happening inside the FOSS apps. So.

                The dangerous apps are things like facebook and WhatsApp and google maps. THEY are the ones that need to be isolated. They (the bad apps) need to be isolated from EACH OTHER so that they can collude less through IPC, google APIs, and mutual analytics.

                For example installing a bunch of google apps in your main profile might be fine as long as you don't give access to identifying things. But if you also put google maps there then google now gets full access to your location as well, which it did not have access to before.

                On GOS If you install google play services by itself with a new account behind a vpn, then you will have access to it without it knowing anything about you. But if you login from any app that knows who you are that colludes with GPservices now GPservices knows who you are and then if you also install google maps and give location access, now it knows your movement too. You'd be starting to venture pretty close to before GOS install times. Although still there are benefits.

                So.

                Do get a good understanding of what GOS does and doesn't (by reading the pages I mentioned), then you can think about a controlled action plan of what level of privacy you want to achieve and then prepare your steps and manage your installed apps so that you actually achieve your goal.

                You can plan right only after you fully understand how GOS works.

                I hope this has been helpful. If there is anything else I can help clarify, do please ask and me and others will do our best to clarify.

                  In terms of crypto apps, it depends whether it's a KYC app or a true FOSS and IDless app. If it's a no KYC app then you might not need to isolate it from your main profile because all the other apps will see is that "wallet app X" is installed on the system. But they don't know who it belongs to. But if you install something like binance, then it's possible that binance colludes with google play or other analytics components possessed by itself and other apps and all apps share with each other what they know about you and therefore who you are and who owns this instance of binance.

                  I'm trying to give you some examples so you see the bigger picture here.

                  hgjvbgjhvv Android 14 and the new features the GrapheneOS team is planning to add AFTER A14 is released will change how you deal with privacy substantially. If I were you I would wait with the actual installation of GOS until all the important changes and additions have been completed. In the meanwhile I would spend the waiting time figuring out which apps I want to replace what with, and the way I want to install and manage them. Not to mention how to migrate info from previous phone to new without using spyware.

                  You can find close to all info needed around this by searching this forum and reading https://twitter.com/GrapheneOS/with_replies
                  Missing pieces are often found at https://grapheneos.org/

                  It might be worth jumping straight to Pixel 8 if your economy allows for it. That would also make you have to wait a bit with installing GOS, since it's not launched yet and the GOS team need to patch for it specifically as well.

                  The more you preplan the easier the transition to GOS will become, and the fewer OS reinstalls.

                  • [deleted]

                  User2288 One vector I can see is that you could limit WhatsApp and Instagram access to your contact list. But that's it kind of.

                  Don't forget about Storage scopes. Also, apps are prohibited from reading the list of user-created folders (directories) without having the Manage all files permission on GrapheneOS (This is allowed on Android) [1]

                  User2288 With a normal google infested android phone google has access to:

                  Some things you have stated are more like assumptions.

                  User2288 Apps like whatsapp and instagram have access to:

                  Android ID and Advertising ID, which you can't evade

                  It is possible to delete the Advertising ID.

                  your full contact list (once they force you to give it to them or they won't work)

                  WhatsApp and Instagram do work without giving the contacts permission, though WhatsApp without having the contacts permission would be much less usable than usual.

                  User2288 Also carriers have the ability to install forced components onto your OS automatically using google services without you having any control over it. (Don't know how, but apparently they can)

                  Carriers would have to ask Google to do that

                  User2288 On a phone with GOS you can do a few things you can't do on other phones:

                  block the usb port from being used to install trojans on your phone

                  I think you can do that in DivestOS too

                  User2288 On gos each profile has a different Android ID, and fake advertising ID.

                  Advertising ID does not exist on AOSP and GrapheneOS by default. Advertising ID is a part of Google Play services, and GrapheneOS does not attempt to spoof or fake it.

                  User2288 Secondly other apps can't see what's happening inside the FOSS apps.

                  An app cannot see what's happening in another app, unless the other app shares data on its own with the app that wants to have the data.

                  User2288 But if you login from any app that knows who you are that colludes with GPservices now GPservices knows who you are

                  The app can share the data with GPServices on its own, but it's incorrect to assume that it guaranteedly will.

                  User2288 and not_a_homosapien

                  Dang!! Nice write up(s) you guys; THANK YOU!

                  hgjvbgjhvv The emphasis above has been on your privacy priorities.

                  To answer your second question: no, I'm not looking for a more secure system. In that regard, I have full confidence in Google's security.

                  Well, FWIW I'm far more concerned with security than privacy; I believe that hardened malloc and a carefully audited Vanadium are EXTREMELY important in preventing being hacked - protections that AOS does not have. And there are ongoing efforts being used/developed to hack Android through the browser and/or messaging - not to mention some poorly-written FOSS app written by a well-intended author that can unknowingly be hacked.

                  [deleted] Does it work with other autofill services?

                  I only use Bitwarden on GOS, but according to this thread it's an issue with Brave on GOS and affects the autofill service, aka all password managers.

                  hgjvbgjhvv However, as I understand from what has been explained here, the sandbox takes care of that, unless I willingly consent to such communication.

                  I think this is not correct and I apologize for not explaining it better. To my understanding, the sandbox and features such as storage scopes and contact scopes are limiting the amount of data an app can collect on you. But when developers of two apps you installed in the same profile have decided that they consent in those apps sharing data that they can access, there's nothing you can do about it. Installing the apps on different profiles will solve this issue, because they can't see each other and therefore not share data. A popular example: You might want to install GBoard because you like how it looks and works, but you don't like Google potentially seeing all your keyboard inputs, so you disable the network permission. But you have installed GMail or Google Maps which require network access to function properly, and now GBoard could just push all the information over to GMail and from there to Google.

                  The good news is: If you already decided to get a Pixel 8 and use it either with GOS or Stock Pixel OS, you can always try GOS and if for whatever reason it doesn't work for you or is missing a crucial feature, you can always go back to Pixel OS as if nothing happened. After reading what you shared I give that a 1% chance of happening though. :) And yes take it one step at a time and only do what suits your needs. Using GOS will give you some huge benefits with very few drawbacks as it follows the "privacy by default" philosophy. And it's always good to have options and control available, even if you don't need them all for now.