I only want notifications from Play Services, and i wanna restrict the apps as much as possible. Here a re a few questions i have:
1: can i disable play store? it says that store and services depend on each other, but it doesnt say if its only needed to be installed disabled or not, or running 24/7.
2: Do i nees network permission for Play services notifications to work on any of the 3 apps?
Thank you for the help!
[deleted] can i disable play store?
You can, but you'll recieve updates to Google Play services/Services Framework faster via the Google Play store.
[deleted] Do i nees network permission for Play services notifications to work on any of the 3 apps?
You need to give the Network permission to Google Play services for Notifications in any apps that use Firebase Cloud Messaging (FCM), including Google apps.
[deleted] ill just uninstall it, because apps with mutual consent can send data to eachother, which would expose me to data leak from Pixel Camera, and other apps. fuck signal for using 40% battery without this.
[deleted] can google services access notificatipn content with this? do you have a resource i can read about how this works exactly? i assume they only deliver the notification, not proxy it through itself because it would be unsafe.
[deleted] Any app can send data to any app. That means you'll never be able to install even a single app with such paranoia.
[deleted] Google can read the notification content unless Its encrypted. Also, Signal just uses notifications from FCM to wake up and then looks up the actual notifications itself.
[deleted] I only use free software except for gcam. Dont you think it has a higher probablity to share data with other google made apps than a random open source app doing this? It would also require two components to pull this off, which is in google's interest but not any third party app's. Every app i use is from a different developer, there is no chance they have malicious code pairs to exfiltrate data like it would be possible with multiple google apps.
Also, wouldnt google services need a specific permission to access notification content?
[deleted] wouldnt google services need a specific permission to access notification content?
I think when the app is running, the Google SDK in the app itself gets notification from FCM. However, when the app isn't running, Google Play services recieves the notification itself and forwards it to the app. The Google SDK can obviously share notification content with Google Play services, but I don't think there's any reason for doing that.
Thanks.
I'm not sure how well you understand how GP Services and GCM works. My understanding is not complete but I'll explain a few things:
From what I understand to get notifications you have to install GP services (and maybe Playstore), and they need to have internet access. If you are gonna install these two then you might as well install GSF for complete compatibility, but you might not have to.
Any app that uses notification will only detect the presence of google components if its installed AFTER those components were installed. If installed before then the app will notice the non-existance of the components and either resort to its own independent notification system (batter draining) or will give a warning and not work. An app will not "change" this position later, unless if reisntalled.
Once an app decides to rely on GCM for notifications, if the google components are then disabled or have no internet access then GCM will not work and the app wont receive any notifications.
Signal uses GCM if present. I've read that the way signal uses GCM does not expose your messages (content). Though i am not 100% sure on the phone number. I don't quite remember what it does expose, perhaps you can research.
Privacy respecting opensource apps generally do not expose any information to google components, so its generally the case that installing these apps in a profile that contains google components doesn't expose any data contained in these privacy apps. The reason is that these apps do not use GSF and don't use shared analytics with GP services.
The privacy problem mostly arises when you combine apps that normally DO use google components and IPC with a profile that has google elements installed. Then there is a chance of leaking data between these apps and google or other analytics companies. Also the risk of sharing data between such apps arises.
For example you may have installed the google elements in a profile but not be using any google account to log in (preventing identification). If you then install and use an app that DOES KNOW your identity (such as email, phone number, credit card, etc) then these apps could share your identity with the google instance.
Also installing any google apps such as gcam or gboard on such a profile could theoretically leak some private data to the google components.
Now in the case of signal, signal might not expose your phone number to GCM or the google components (though i am not sure of this). However installing whatsapp likely will. Telegram also might do that. Installing payment based service apps (door dash, uber, banking, etc.) or other popular Identity based apps could also share data with google through the google components.
One solution to deal with the privacy problem is simply to disable the google components after install or prevent their internet access. This will allow app installation compatibility and allow the apps to work, but the notifications wont work. Although there is still some potential of the Google component instance IDs to be detected by the apps and shared directly with analytics companies and cause cross contamination.
Another solution is to install the invasive apps and the required google components in a dedicated profile where such data exposure is considered OK and unavoidable. Then separate apps like Gcam and gboard can be installed to a different profile so that they don't get connected with those other apps. Google maps is another example where having it isolated in a profile would be helpful in isolating your movement data from being associated with other google components.
The best way to proceed is really dependent on what apps you need to have and what works for YOU. A strategy is therefore required in order to limit and and compartmentalize groups of data and what gets shared with which app. This strategy has to necessarily be tailored to the individual user's needs and priorities. What is required is a good understanding of how data sharing between these components works, which I just expalined to you.
Its a bit complicated as you see.
So to sum things up:
My explanations might lack some detail, which perhaps other users can chime in on, as I am not fully educated on every detail.
Any app that uses notification will only detect the presence of google components if its installed AFTER those components were installed.
Apps can detect presence of any app (in the same user) whenever they want to.
The privacy problem mostly arises when you combine apps that normally DO use google components and IPC with a profile that has google elements installed.
I think to IPC with apps in different users without the INTERACT_ACROSS_USERS or INTERACT_ACROSS_USERS_FULL permission is not possible
This will allow app installation compatibility and allow the apps to work
How will that improve compatibility when apps can't use Google Play services because its disabled? Disabling Google Play services is only helpful if apps force that Google Play services be installed but don't check whether Its enabled or not.
Although there is still some potential of the Google component instance IDs to be detected by the apps and shared directly with analytics companies and cause cross contamination.
Please elaborate.
[deleted] Apps can detect presence of any app (in the same user) whenever they want to.
This is not the case in relation to GCM usage. Most apps that use GCM and have the built in option of using an alternate notification method only check once when they are installed and don't recheck and realign later. This is also moot in the case of apps that only use GCM.
[deleted] I think to IPC with apps in different users without the INTERACT_ACROSS_USERS or INTERACT_ACROSS_USERS_FULL permission is not possible
Apps can also collude and share data without use of IPC. They can send data to shared data banks online (analytics) and gain mutual access to shared data. Where android ID could be recognized as shared and any further personal identification data could be shared and corelated.
[deleted] How will that improve compatibility when apps can't use Google Play services because its disabled?
Some apps need the presence of GSF regardless of any dependency on GP services. In such cases the presence of GSF is the different between "working" and "not working".
[deleted] Please elaborate.
See above. Apps can see any unique identifiers provided to them from the GP Services instance. This can easily be shared and referenced elsewhere in shared data banks. Its another static identifier like android ID.
Apps can also collude and share data without use of IPC. They can send data to shared data banks online (analytics) and gain mutual access to shared data. Where android ID could be recognized as shared and any further personal identification data could be shared and corelated.
Then you should have mentioned this. You specifically said "The privacy problem mostly arises when you combine apps that normally DO use google components and IPC with a profile that has google elements installed." Also note that while IPC normally cannot be done across users, localhost can be used instead, which is a loopback address.
This is not the case in relation to GCM usage. Most apps that use GCM and have the built in option of using an alternate notification method only check once when they are installed and don't recheck and realign later. This is also moot in the case of apps that only use GCM.
You specifically said that "Any app that uses notification will only detect the presence of google components if its installed AFTER those components were installed.". You did not mention that apps can detect prescence/enabled state of Google Play services. I know correcting wrong terminology may be annoying, but wrong teminology can easily confuse people.
See above.
You did not elaborate about the so-called "Google component instance IDs".
[deleted] I think it was pretty obvious what he meant. Since the apps only check for play services availability once on runtime they'd have to be installed after play services. Obviously they could be detected later, because any app can access the installed packages' list, but they just dont do it this way. Also he didnt say anthing about interacting across different users.