Autogeneratedusername Does the sandboxing of Google Play prevent Google-related adtech and ad trackers?
"Sandboxed Google Play" allows the installation and usability of the 3 essential Google components onto the AOSP operating system. These 3 are Google Services Framework, Google Play Services, and Google Play Store. These 3 components allow you to have (almost) full functionality of Play Store features.
Additionally, Sandboxed Google Play strips all privileged access of those 3 components such that they become like "regular" apps and subject to the normal permission structure of the Android OS. So they no longer have access to the things they previously had access to. Also, they no longer have any direct access to hardware identifiers such as IMEI, SIM info, etc. More precise details about this are explained on the GrapheneOS website.
Autogeneratedusername How much does the OS actually mitigate adtech?
On GrapheneOS, apps can't access each other's data and they can't talk to each other, UNLESS they both "plan and agree" to do so. They can do this through IPC (inter-process communication) or coordinated file sharing (if both have access to the same file). GrapheneOS's "Storage Scopes" feature can prevent the "file access" method. Therefore advertising or other private data sharing can only happen if both apps intentionally "collude". So if you have a privacy respecting app installed, non privacy respecting apps can't steal anything from it. However, if you have 2 non-privacy-respecting apps installed (like Instagram, WhatsApp, Uber, etc.) it's possible and maybe likely that they DO cross feed data to each other (on the same profile).
If you install "Sandboxed Google Play", then Google Play can communicate with any app that normally communicates with Google Play and therefore Google gains access to the data that the app willingly shares with Google. The app can share identifying information like your username, email, phone, or credit card info (and many more things) with the sandboxed Google Play even if you haven't logged into a Google account.
Logging into a Google account will then further associate that data with that Google account, and those apps can also see your Google account if access to it has been granted to them by Google Play.
If the app doesn't feed private data to GP then GP will still see the app present, but won't know any information about who is using it.
Autogeneratedusername If you sign into a Google account on the sandboxed Play Store, what effect will that have on the Google-related trackers with other apps?
Aside from the above mentioned, logging into a Google account will also "associate" this "instance" of GP with your Google account, even if you log out after. Therefore everything you do on this profile that this instance of GP "can see" can technically get associated with that Google account in the future even if it's never logged in again. Logging into a Google account "brings" all your previously gathered info about you and your "identity" into this new profile and associates it with this instance of GP permanently.
Creating a new account and then logging into it "elsewhere" from other devices does the same thing.
Autogeneratedusername What is the point of creating separate profiles if the OS is contained already?
Profiles have no access to each other. They are "almost" like having separate phones. Therefore while apps on the same profile can "see" and "talk" to each other, apps on different profiles cannot. This is useful for isolating multiple privacy unrespecting apps from each other so they can't collude.
Autogeneratedusername What is the best way to set up Graphene to become as invisible to ad tech as possible?
This heavily depends on what apps you want to use. Privacy respecting apps are generally not a problem and can be installed anywhere and together. The issue is using privacy unrespecting apps and controlling what they can see and "who else" can see and talk to them. Sometimes it's desired to separate these apps from Google Play itself so that they don't get associated with a Google Play "instance". Sometimes this association is unavoidable.
Some apps require Google Play AND they have access to your real identity (Amazon, Uber, bank, etc). In these cases it's practical to put all these apps in one profile under the same roof since they all know you and share data with Google. In this case you are "containing" them to a dedicated space, and using profiles you can prevent "leaking" of data from these apps to other apps and vice versa.
If you want to deal with general tracking it's VERY important not to expose your IP as it significantly identifies you. So a VPN is essential. You can also use some form of DNS protection for added tracking prevention. Proper use of browsers and understanding of "fingerprinting" would also be helpful here.
The answer is very complicated and different for each individual, but hopefully the heuristics I've told you here are good enough to give you the big picture.
For most privacy, simply be mindful of which app can see "what" and "who" if installed. Use an always-on VPN from a "good" provider and don't "cross contaminate".
Damn, I think this was a pretty good write up. I wish I had a blog.