MrStreisand

  • Dec 9, 2024
  • Joined Oct 25, 2023
  • soon404 Doesn't really seem like there's a way to make a completely anonymous one.

    There is: https://discuss.grapheneos.org/d/3366-how-to-create-google-account-anonymous/66

    If by anonymous you mean that they don't know who you are, then this is anonymous. You are not giving up personal information.

    soon404 Besides, won't having Play Store installed on the device just have it in the background... "spying"? Or won't it know my activities on apps and therefore be able to technically profile who I am?

    That's not how it works, not at all. Play Store can't see your activities in other apps. Play Services on GrapheneOS run in the standard app sandbox, without the privileged access it has on stock OS. In other words, it cannot do anything more than any other app you install on your phone.

    Being an app store, it will need to see which apps you install and have installed. Like any other app, it can collect your activities within the Play Store app itself. Of course also your IP address, if that matters to you.

    I've basically paraphrased the entry about Sandboxed Google Play on grapheneos.org: https://grapheneos.org/features#sandboxed-google-play

    soon404 I've seen people say to download them on a different profile but I don't really understand the benefits of this, still a big noob lol

    There are several benefits to user profiles. But as a new user, I personally recommend not using them unless you have a clear reason to do so. I'm not saying that to dissuade the usage of profiles in general. Rather, I'm observing many users who start out by separating their apps into two or more profiles, because they think this is a necessity to use GrapheneOS (it's not; it's your choice) and then come here and express how exhausted they are with constantly switching between profiles, and then saying that GrapheneOS is not for them because it's too tiring.

    It's interesting to discuss privacy practices, but when installing GrapheneOS for the first time, I recommend starting out simple. Use the Play Store, install the apps you usually use, then slowly go from there based on what you want/need further.

    • Hello community,

      over the past 3 months I wrote my bachelor thesis, comparing the privacy aspects of GrapheneOS (with and without Sandbox) vs. a normal stock android on a Google Pixel 6a. It mainly focused on network traffic (how much, domains requested, domain reputation, geographical spread etc.). I thought this may be interesting for you so I decided to share it here with you today.

      https://drive.google.com/file/d/1AIQgxAUhvFjW68pF6thQSPcWHoUkza6l/view?usp=sharing
      (Spoiler alert: GrOS is less privacy invasive ;))

      Feel free to ask any questions you may have.

      Greetings
      Martin

    • Another minor reason why I like running separate profiles is for the once or twice a year that I feel like doing a factory reset for a "clean" start. Much easier if the owner can stay the same. But I'm also a very simple phone user. I don't need it to do complicated stuff or change settings often, transfer files around, etc. I try to keep everything cloud based (hosted on personal servers at home) so my phone can stay tidy.

      • MrStreisand There really is no one "best" way to set up your phone with profiles. It's really up to you how you want to do it.

        I personally wouldn't suggest having Sandboxed Google Play running in a profile you're not even using. To me that seems like a waste of battery for none of the benefits. Two profiles with Sandboxed Google Play will just suck up more battery faster.

        If you want to use a primary profile with Sandboxed Google Play, then why not just use only the Owner profile, or keep the Owner profile completely empty and use a secondary profile for day to day use?

        I personally do it the second way. I think it's a better setup for multiple reasons:

        • If I want to save battery, I can always terminate my profile but I don't need to restart my phone.
        • Personal data can be put to rest easily, no reset needed.
        • If I want to be extra paranoid, I can use other profiles after ending the session of my regular use profile.
        • Profiles can be set up to forbid running in the background if you want to use extra profiles for other purposes.
        • After a reboot anyone with my phone would have to enter two different passwords to get to my personal data.
        • Certain system settings are only accessible via the Owner profile, so a password is required to change certain settings (some might find this annoying, but I like it because it's more secure, but it's true it's annoying for some other settings).
          • [deleted]

          • Edited

          other8026 Starting with the last part first: I wouldn't worry about it. I've wiped my phone multiple times and rearranged things to my liking. You won't know what you want or how you want things set up until you actually try them out.

          This.

          Try and use them before you jump the shark and commit, especially considering some of the bugs around switching between them and other nuisances if one were to look at the issue tracker and read this forum.

          • MrStreisand Would really appreciate thoughts and input on the matter, as I can't wait to use the phone, but I'd like to set it up properly.

            Starting with the last part first: I wouldn't worry about it. I've wiped my phone multiple times and rearranged things to my liking. You won't know what you want or how you want things set up until you actually try them out.

            MrStreisand So do I use Obtainium only to OBTAIN (couldn't resist, sorry) the apps not present in gPlay? What logic would you suggest?

            To be honest, it doesn't matter if you ask me. I personally install with Obtainium if I can, then use other app stores if I can. Google Play is my second to last go-to, and F-Droid is always my last.

            MrStreisand None of the apps downloaded from Play Store will be able to communicate with Google if they are used in a different profile, so it doesn't really matter what the 'origins' of the app are, as long as you trust the source?

            It doesn't matter. Apps won't know they were installed using a specific Google account and then expect Google Play to be installed and logged in to that account (that said, I have no idea how paid apps work. Maybe they check with Google Play Services upon installation using some API).

            MrStreisand Why manage all the apps on the owner

            I personally don't do that, nor would I suggest it. I prefer owner to be completely empty.

            MrStreisand wouldn't it be more logical to create an 'app manager profile' and use that to do the updates?

            I wanted to do that once, but I never used the app management profile, so I gave up on this idea, personally.

            • MrStreisand I want to suggest adding a feature (please forgive the ignorance if it's not possible for some reason) - to be able to install and maintain apps from non-main profiles across all the rest of them. Similar to how right now you can maintain it from the owner profile.

              There was something like this a while back, but it was removed because the implementation as it was could be abused. For example, a user installing a fake app in a profile they do have access to, then the owner inadvertently installing the same app on another profile.

              People do want a feature that works this way, or something similar to it, but I gather the GrapheneOS team wants to do it in a way that doesn't compromise the security of GrapheneOS users who use profiles when regularly or temporarily sharing their phones with other people.

              • MrStreisand thanks for the kind words!

                1. I lack the experience to know all the downsides to a "many user profiles" approach. You'll definitely miss some settings on user profiles compared to owner (e.g. WiFi and Bluetooth timeout are set globally in the owner profile, developer settings can't be unlocked etc.), but that can also be a good thing since it increases security (and dev settings are not recommended in general). Maybe using many profiles has some significant storage or battery usage impact since they can stay active in the background. And you'll have to set up a VPN per profile which is intentional, but it uses up your device slots in your VPN subscription (e.g. 5 profiles would use up one entire Mullvad license). There's probably more downsides, let's hope someone else can point them out.

                2. Often the app is the same on gPlay and via Obtainium (it is with Signal). When this is the case, I'd use the gPlay version for convenience and security. Obtainium is a great complementary tool for when you want to use apps like Newpipe, replace or extend Signal with Molly (or get a beta version of Signal), use the full IVPN feature set or have apps like Simple Gallery Pro for free. There are many good reasons to have both sources, but I'd say more often than not gPlay would be my main source.

                3. No, every app can decide for itself what it collects and sends out. You can control the borders the app operates in (with storage and contact scopes, network and sensor permission, DNS firewall etc.) but if an app uses Google trackers and can send stuff to Google, it will do so, independently of its installation source or whether you use Play Services or not. At least that's my understanding and why I prefer FOSS software with no Google implementations whenever possible and reasonable.

                4. As I understand it you can install and update apps on any profile (and identical apps will be updated for every profile simultaneously), but you can only push apps from the owner profile to user profiles. So in order to have this "one profile is the control and update center" approach, it must be the owner.

                Hope this helps you and also triggers more educated people than me to comment and add ideas or correct me if I got anything wrong.

                • UPDATE: Initial MTE support is now available in GrapheneOS!

                  https://grapheneos.org/releases#2023103000


                  The below is quoted from the official GrapheneOS account, as can be seen here:

                  https://twitter.com/GrapheneOS/status/1716945639198880037

                  Pixel 8 and Pixel 8 Pro are ARMv9 devices supporting hardware memory tagging. Stock OS currently has a very primitive experimental implementation available as a developer option. We're going to be deploying a more advanced implementation for hardened_malloc in production soon.

                  Hardware memory tagging is going to provide a massive increase to protection against remote exploitation for GrapheneOS users. It's the biggest security feature we'll be shipping since we started in 2014. We want to have it enabled by default in async (fast) mode for the base OS.

                  We can provide a toggle for choosing between asynchronous (fast) and synchronous (more secure).

                  Many user installed apps have latent memory corruption bugs so we aren't going to enable it for them initially. We'll provide a toggle for setting the default (disabled, async, sync).

                  There can be a per-app toggle for overriding the global default alongside the toggles we already provide for using the full 48-bit address space (enabled by default) and hardened malloc (enabled by default, requires 48-bit address space). This will be a security game changer.

                  ARM memory tagging support provides a limited form of memory safety for both memory unsafe languages (C, C++) and the small subset of unsafe code in memory safe languages (Rust, Java, Kotlin). hardened_malloc was designed to use memory tagging and will be making great use of it.

                  MTE uses 4 bit tags for each 16 bytes of memory. hardened_malloc will be using memory tagging for all small allocations, which means 128k and below by default. hardened_malloc already places random guards around large allocations and quarantines their address space on free.


                  Regarding a timeline on the feature:

                  https://twitter.com/GrapheneOS/status/1716951114845962439

                  Likely under 2 weeks to an experimental release with it disabled by default. Likely longer before we can enable it by default for the base OS in async mode.
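As an added illustration of the tagging scheme the post describes (one 4-bit tag per 16-byte granule, sync versus async reporting), here is a toy Python model. It is not hardened_malloc or GrapheneOS code, and its tag-assignment policy is an assumption made so the two bugs below are always caught, not a description of what the real allocator does.

```python
import random
from dataclasses import dataclass

GRANULE = 16      # bytes covered by one tag
TAG_BITS = 4      # 16 tag values; 0 is kept for untagged memory
TAG_SHIFT = 56    # the tag rides in the otherwise unused top byte of the pointer
ADDR_MASK = (1 << TAG_SHIFT) - 1


class TagFault(Exception):
    pass


@dataclass
class TaggedHeap:
    """Toy tagged heap: a byte array plus one 4-bit tag per 16-byte granule. mode="sync"
    faults on the offending access; "async" lets it through and reports at sync_point()."""
    size: int
    mode: str = "sync"

    def __post_init__(self):
        self.data = bytearray(self.size)
        self.tags = [0] * (self.size // GRANULE)
        self.live, self.pending = {}, []   # base -> granule count; deferred async faults
        self.bump = 0                      # trivial 16-byte-aligned bump allocator
        self.rng = random.Random(0)        # fixed seed so the walkthrough is reproducible

    def _fresh_tag(self, exclude):
        return self.rng.choice([t for t in range(1, 1 << TAG_BITS) if t not in exclude])

    def _check(self, ptr, offset):
        addr = (ptr & ADDR_MASK) + offset
        ptr_tag, mem_tag = ptr >> TAG_SHIFT, self.tags[addr // GRANULE]
        if ptr_tag != mem_tag:
            msg = f"tag mismatch at {addr:#x}: pointer tag {ptr_tag}, memory tag {mem_tag}"
            if self.mode == "sync":
                raise TagFault(msg)     # precise: reported at the faulting instruction
            self.pending.append(msg)    # imprecise: noticed later, the access still happens
        return addr

    def malloc(self, n):
        granules = -(-n // GRANULE)
        base, self.bump = self.bump, self.bump + granules * GRANULE
        g0 = base // GRANULE
        # Illustrative policy, not hardened_malloc's: never reuse the previous granule's
        # tag or the region's old tag, so neighbours and stale pointers always mismatch.
        tag = self._fresh_tag({0, self.tags[g0], self.tags[g0 - 1] if g0 else 0})
        self.tags[g0:g0 + granules] = [tag] * granules
        self.live[base] = granules
        return (tag << TAG_SHIFT) | base

    def free(self, ptr):
        base = self._check(ptr, 0)
        granules, g0 = self.live.pop(base), base // GRANULE
        # Retag the freed granules so any dangling pointer to them now mismatches.
        self.tags[g0:g0 + granules] = [self._fresh_tag({0, ptr >> TAG_SHIFT})] * granules

    def store(self, ptr, offset, value):
        self.data[self._check(ptr, offset)] = value

    def load(self, ptr, offset):
        return self.data[self._check(ptr, offset)]

    def sync_point(self):
        """Where async-mode faults surface (e.g. on kernel entry); drains the queue."""
        faults, self.pending = self.pending, []
        return faults


def overflow(mode):
    """One byte written past a 16-byte allocation lands in the neighbour's granule."""
    heap = TaggedHeap(256, mode)
    a, _b = heap.malloc(16), heap.malloc(16)
    try:
        heap.store(a, 16, 0x41)
    except TagFault:
        return "faulted at the store"
    return f"{len(heap.sync_point())} fault(s) reported at sync point"

def use_after_free(mode):
    """A read through a pointer whose allocation was freed (and retagged)."""
    heap = TaggedHeap(256, mode)
    p = heap.malloc(40)
    heap.store(p, 39, 0x42)        # in bounds of the three tagged granules: no fault
    heap.free(p)
    try:
        heap.load(p, 0)
    except TagFault:
        return "faulted at the load"
    return f"{len(heap.sync_point())} fault(s) reported at sync point"
```

In sync mode both bugs stop at the faulting access; in async mode the bad access completes and only shows up when `sync_point()` is reached, which is the speed-versus-precision trade-off behind the toggle the post mentions.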

                  • drinkablederanged Yes, you pretty much got it right. I guess you could keep it simple by choosing only 2 "store" apps:

                    • Play Store or Aurora for apps you need from Google (e.g. banking apps)
                    • Obtainium, Droid-ify or Neo Store for anything else

                    There are many threads on here discussing the differences. Those 2 apps of your choice are in your owner profile to install and update all needed apps and then you push them to as many user profiles as you wish for your threat model. If you need Google Play Services for notifications, you should install it according to the official guide.

                    I don't use Sandboxed Play Services like this, but I suspect some apps will only function properly if installed after you installed Play Services first. Here's what I would do when setting up GOS from scratch with your requests:

                    1. Set up the owner profile (settings like disable sensor permission by default, screen timeout, wifi timeout, auto reboot etc.).
                    2. Set up all desired user profiles and install Sandboxed Play Services on the profiles that need them.
                    3. Install "app stores" on owner profile (I'd choose Play Store and Obtainium for security reasons) and install all your apps, disable network access right away (uncheck box upon installation).
                    4. Push the apps to their respective profiles, disable app installation on all user profiles. Set up notification forwarding however you desire.
                    5. Complete setup of user profiles (settings, logging into apps etc.).

                    I have not done this myself as my threat model requires me to use 2 devices, but each without user profiles. Therefore this is theoretical, maybe wait a day or two for more experienced people to discover any flaws in this idea.

                    • ve3jlg If one decides to switch apk sources, will uninstalling the app clear signatures and reset TOFU?

                      Yes. Once an app is uninstalled from all user profiles on the device, then installing an app with the same app ID again can have any signature it wants.

                      If that wasn't the case, you could move between F-Droid builds (signed by F-Droid) and developer builds (signed by the developer), for example.

                      The point about it being in all profiles is important because that thing is universal. If you have a variant of an app in one profile and try to install an app with the same app ID but a different signature in another profile, Android will stop you, as it detects that you already have it installed with another key.

                      Same thing applies to trying to install a version than the currently installed version in another profile.

                      • matchboxbananasynergy

                        Thank you for your help, and the help from others! I truly appreciate this community, how people are willing to share their time and expertise in helping people achieve their privacy and security goals. I would like to contribute by summarizing what I have learned so far.

                        These conclusions are in the context of my personal threat model, which is pretty vanilla. I want to avoid surveillance capitalism. I'm coming from iOS, having never used an Android, and I already use (mostly) FOSS and/or privacy-respecting apps, and very few apps in general. Spotify is my main weakness in terms of privacy, but I truly value the music discovery I get from their collecting my listening data, so it’s a known and accepted weakness in my threat model.

                        On GrapheneOS, there are many ways to install apps: sandboxed Google Play, Aurora Store, F-Droid, RSS and GitHub, and others. I will focus on these specified four from the thread discussion.

                        Sandboxed Google Play is a secure method for installing and updating apps, with some minor (in my threat model) privacy compromises (see notes below). I will use this option (for now) for installing apps. I will use a single-purpose Google account to log in to Google Play. I will install it in my owner profile to be able to use Spotify. If I didn’t use Spotify, then I would likely avoid Google Play and skip down the list to using RSS and GitHub to install apps (and forgo notifications in Protonmail as a result).

                        Aurora Store uses shared Google accounts to access Play Store anonymously. Great for privacy, but this comes with some security risks (e.g., the shared account might have opted into beta versions of apps). Aurora Store itself has security risks (see link below). I prioritize security before privacy in my threat model, so I won’t use Aurora Store to install apps.

                        F-Droid has security concerns, and since I believe security is a necessary condition for privacy, I won’t use F-Droid to install apps. Their website is still a great method for FOSS app discovery. I hope the security flaws are fixed, because I would truly love to default to this store with its combined ease of use and focus on FOSS apps.

                        Security risks of using Aurora Store and F-Droid are explained in more detail in this link that was shared earlier:
                        https://privsec.dev/posts/android/f-droid-security-issues/

                        RSS and GitHub is a secure, but more complicated, approach to installing apps, and has privacy benefits over using Google Play for apps. This approach requires some skill and places a lot of the security responsibility on the user: (a) downloading the app from a reputable source; (b) verifying its signature; and (c) keeping it updated in a timely manner. It seems like the most complicated part is how the key signature is distributed to users, especially with respect to security. With TOFU (Trust On First Use), signature verification is luckily a one-time chore per app. Keeping it updated might be more tedious than Google Play, in exchange for being (more) free from Google. If I didn’t use Spotify, I would use this method instead of Play Store.

                        As a result of choosing sandboxed Google Play to install apps, I will face these potential privacy cons:

                        • Con: Google Play can collect data about notifications (but not the content if encrypted, like Signal messenger), and probably app metadata. Solution: n/a

                        • Con: Google Play can see a list of installed apps on that profile. But, so can all other apps in that profile. Solution: Install Google Play on secondary profile(s), if that provides other actual benefits (e.g., having two sets of contacts).

                        • Con: Google Play can access some user settings like timezone and language. Solution: n/a

                        • Con: Google Play increases attack surface, and creates an extra attack channel via notifications. Solution: n/a

                        • Con: Google Play can communicate with other apps via mutual consent, and those apps can leak data to Google that way. Solution: 1) Install Google Play on secondary profile(s) away from sensitive apps; 2) In profile with Google Play, choose apps that are unlikely to willfully share data with Google (i.e., FOSS apps, privacy-friendly apps).

                        For future actions, I will continue to educate myself about the RSS installation method, and I will keep an eye on Accrescent and consider it when it transitions out of alpha-beta phases.

                        Thank you again to everyone for your help!

                        • tango I think breaking it down with an example will help.

                          Every app has an app ID. Let's assume the app ID in this case is com.example.app. This app has been signed by me, using my signing key.

                          If you install that app, and then someone tries to get you to install an update to that app with the same com.example.app app ID but signed with their key, the update won't work, and Android will stop you.

                          That is because Android knows that com.example.app is signed with a specific key. An app with the same app ID but another signing key is seen as malicious.

                          If you uninstall the app that I'd signed, and install the malicious app, Android will let you do it. However, as long as the app you installed initially is the legitimate one, all updates to that app will also have to be signed with the same key. The only reason for an app update to be malicious in that case is if the developer, or whoever is signing that app, has their key compromised, which would allow malicious actors to sign their malicious app with the "legitimate" key.

                          All in all, this is why it's only necessary to verify the installation on the first install. Android will take care of it from there by not allowing you to update an app with the same app id but different signing key.

                          I hope that clears up any confusion.
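To make the signing-key continuity described in this post (and in the earlier reply about uninstalling from every profile) concrete, here is an added Python model; it is not Android or GrapheneOS code. It keeps one device-wide record per app ID, pins the key on first install, refuses updates and cross-profile installs under a different key, refuses downgrades, and forgets the pin only once the app is gone from every profile. The certificates, app ID and profile names are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Apk:
    """An APK as the package manager sees it. A constructed byte string stands in
    for the real signing certificate."""
    app_id: str
    version_code: int
    signer_cert: bytes

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.signer_cert).hexdigest()[:16]


class InstallError(Exception):
    pass


class Device:
    """Device-wide package table. Android keeps one record per app ID shared by
    every user profile; the signing key is pinned on the first install (TOFU)."""

    def __init__(self) -> None:
        self.packages: dict[str, dict] = {}

    def install(self, profile: str, apk: Apk) -> str:
        rec = self.packages.get(apk.app_id)
        if rec is None:
            # First install anywhere on the device: trust this key from now on.
            self.packages[apk.app_id] = {"fingerprint": apk.fingerprint,
                                         "version_code": apk.version_code,
                                         "profiles": {profile}}
            return "INSTALLED (key pinned on first use)"
        if rec["fingerprint"] != apk.fingerprint:
            raise InstallError(f"{apk.app_id} is already on the device with a different signing key")
        if apk.version_code < rec["version_code"]:
            # Downgrades are refused device-wide, not just within the installing profile.
            raise InstallError(f"version {apk.version_code} is lower than installed {rec['version_code']}")
        updated = apk.version_code > rec["version_code"]
        rec["version_code"] = apk.version_code
        rec["profiles"].add(profile)
        return "UPDATED" if updated else "INSTALLED"

    def uninstall(self, profile: str, app_id: str) -> str:
        rec = self.packages.get(app_id)
        if rec is None or profile not in rec["profiles"]:
            raise InstallError(f"{app_id} is not installed for {profile}")
        rec["profiles"].discard(profile)
        if rec["profiles"]:
            return "REMOVED for this profile (key still pinned)"
        del self.packages[app_id]   # gone from every profile: the pin is forgotten
        return "REMOVED from device (key forgotten)"


def attempt(device: Device, profile: str, apk: Apk) -> str:
    """Install and report the outcome as text instead of raising."""
    try:
        return device.install(profile, apk)
    except InstallError as exc:
        return f"REJECTED: {exc}"


def walkthrough() -> list[str]:
    """The thread's scenario: a developer-signed app, an update under another key,
    a second profile, a downgrade, and a reinstall after removal everywhere."""
    dev, other = b"developer-cert", b"other-party-cert"   # constructed stand-ins
    app, d = "com.example.app", Device()
    return [
        attempt(d, "owner", Apk(app, 1, dev)),     # first install: key pinned
        attempt(d, "owner", Apk(app, 2, dev)),     # same key: update allowed
        attempt(d, "owner", Apk(app, 3, other)),   # other key: blocked
        attempt(d, "work", Apk(app, 2, other)),    # other profile, other key: blocked
        attempt(d, "work", Apk(app, 1, dev)),      # other profile, downgrade: blocked
        attempt(d, "work", Apk(app, 2, dev)),      # same key and version: fine
        d.uninstall("owner", app),                 # still installed for "work"
        attempt(d, "owner", Apk(app, 2, other)),   # pin survives a partial removal
        d.uninstall("work", app),                  # last profile gone: pin forgotten
        attempt(d, "owner", Apk(app, 2, other)),   # now any key is accepted again
    ]


if __name__ == "__main__":
    for step, outcome in enumerate(walkthrough(), 1):
        print(f"{step:2d}. {outcome}")
```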

                          • coffeefun A question I have is, what are the privacy pros/cons of using sandboxed Google Play on GrapheneOS compared with iOS? I assume that GrapheneOS without Google Play is better than iOS, but it's not clear what are the pros/cons with Google Play, with respect to privacy.

                            I'm afraid that I'm not really an authority on iOS, so it would be very hard to give you an accurate and thorough comparison there. What I will say is that again, with Sandboxed Google Play, you're getting nearly the same app compatibility as Stock OS without really taking a hit in privacy and security.

                            Google Play Services, Play Store etc. will have the exact same access as all other apps you install, but let's think about what that actually means for you, in broad terms:

                            1. You should assume that apps within the same profile can enumerate each other. Therefore, Google will know which apps you've installed. Of course, the same thing applies to all other apps you'd install.
                            2. Apps that you install which utilize Play Services will communicate with Play Services so that it can provide the functionality they need. The information that Google gets based off that varies greatly, and depends on what the app is willing to give it. For example, Signal can use Play Services for notifications. However, Play Services never see the actual message content of the notification. An important thing to note here is that even if you decide to forego Sandboxed Google Play, a lot of the apps you'd install probably have Google libraries in them that they use regardless, so you might want to keep that in mind if your reasoning for not using Sandboxed Google Play is avoiding Google in its entirety.

                            coffeefun Based on your comment, and those of others, it sounds like the consensus is that F-Droid has security risks.

                            Correct. At this point, I only use the F-Droid repository as a discovery tool to find out about new apps. If I actually want to download them, I do it through other means, not through F-Droid.

                            coffeefun I agree, the RSS alternative will require some time investment to learn.

                            It is not exceptionally hard to do, but it does add unnecessary complexity that you can easily avoid with a traditional app store.

                            coffeefun I noticed that you didn't include Aurora Store in your list of app sources. Is Aurora Store not recommended? By using it, do I gain any privacy benefits over Play Store? Do I lose any security benefits using Aurora instead of Play?

                            The primary reason for not mentioning Aurora Store is because I was recommending a one-profile setup with Sandboxed Google Play. With that setup, Aurora Store makes little to no sense, in my opinion, unless you're extremely adamant about not having a Google account of your own (one could be created for the sole purpose of using it with the Play Store).

                            If you're using Aurora Store while you have Sandboxed Google Play, you won't need a Google account, which is arguably a privacy benefit. That said, you're now using a shared "anonymous" account. Aurora Store can't remove Play Store's account requirement, it just optionally allows you to use their own accounts instead of bringing your own.

                            The above might sound great at first, but it comes with drawbacks. A shared account means shared settings. It means that someone might have opted into a beta version of an app on that account and you're now downloading an update that may break.

                            There are also other security issues with Aurora Store that make it hard to recommend, though it is handy.

                            Quote from https://privsec.dev/posts/android/f-droid-security-issues/ which was linked above:

                            If you don’t have Play services installed, you can use a third-party Play Store client called Aurora Store. Aurora Store has some issues of its own, and some of them overlap in fact with F-Droid. Aurora Store somehow still requires the legacy storage permission, has yet to implement certificate pinning, has been known to sometimes retrieve wrong versions of apps, and distributed account tokens over cleartext HTTP until fairly recently; not that it matters much since tokens were designed to be shared between users, which is already concerning. I’d recommend against using the shared “anonymous” accounts feature: you should make your own throwaway account with minimal information.

                            This, coupled with the fact that apps are fully capable of communicating with Google all on their own (take a look at Google Maps - it's fully capable of working without Play Services present), makes the benefits of foregoing the Play Store (which is more trusted, provided that you get it from GrapheneOS' Apps app, along with being more secure in general) dubious at best.

                            I personally still use Aurora Store in profiles where I don't use Sandboxed Google Play or for when I create a new profile to test something and don't necessarily want to log in with my Google account, but I do it knowing where it does well and where not.

                            If you have any more questions, shoot!

                            • @coffeefun Hey there, and welcome!

                              I will give you one piece of advice that I've been giving newcomers, especially people who are coming from iOS.

                              Forget about user profiles. Install GrapheneOS, use the owner profile only, and install Sandboxed Google Play and get your apps from the Play Store.

                              Given the fact that these apps are sandboxed like every other app on your system, with this simple setup you have a simple, pain-free and convenient way to use your device and your favorite apps while significantly increasing both your security and privacy compared to a similar setup on Stock OS.

                              User profiles do provide benefits, but things can get esoteric very quickly. If you're interested, I'm sure you'll read more about them and other things and participate here and you may end up using them down the line, but please do yourself a favor and don't overwhelm yourself. I see people repeatedly make that mistake and then think that GrapheneOS is difficult to use, when in fact they've just made their lives unnecessarily difficult all on their own.

                              Related to this, I have 2 of my previous posts to suggest, as they'll shed some light / provide some context on Sandboxed Google Play and user profiles:

                              https://discuss.grapheneos.org/d/2501-privacy-sacrifice-when-using-google-play-services/5
                              https://discuss.grapheneos.org/d/168-ideas-for-user-profiles/2

                              With that out of the way, outside of Play Store, recommending ways to obtain apps gets dicey pretty quickly. F-Droid is not a source I can recommend anymore for the reasons mentioned above and others. Another option is the RSS method. Obtainium is another option that attempts to make the RSS method a bit smoother. Keep in mind that for someone in your position, I don't recommend either of these approaches at this point.

                              The only alternative app source outside of the Play Store that I would recommend is Accrescent; however, it's in very early alpha and only contains a handful of apps at the moment. It's the kind of thing to keep an eye out for, rather than something to use at the moment.

                              I hope this helps! Feel free to ask any follow-up questions. :)