this post was submitted on 10 Jun 2024
30 points (100.0% liked)

DeGoogle Yourself

8984 readers
2 users here now

A community for those that would like to get away from Google.

Here you may post anything related to DeGoogling, why we should do it or good software alternatives!

Rules

  1. Be respectful even in disagreement

  2. No advertising unless it is very relevent and justified. Do not do this excessively.

  3. No low value posts / memes. We or you need to learn, or discuss something.

Related communities

[email protected] [email protected] [email protected] [email protected] [email protected] [email protected]

founded 4 years ago
MODERATORS
 

Hi! What would be the best way to limit play serbices to only selected apps. I still need notifications to work from them, but would like to be sure that google can't access anything else

all 28 comments
sorted by: hot top controversial new old
[–] [email protected] 9 points 6 months ago (2 children)

AFAIK, the only way to limit certain apps using GPS is to install in another profile.

https://grapheneos.org/usage#sandboxed-google-play will give you the complete rundown on how this works.

[–] [email protected] 3 points 6 months ago (2 children)

So if I have two profiles, one with and one without play services and the profile with play services is not active, there's no active pinging and telemetry going on?

[–] [email protected] 3 points 6 months ago

Truthfully, I'm not sure. There is a way to get notifications from a second profile when on the main profile so I stands to reason there is something happening on the second profile. I don't use a second profile so I can't give a first hand account. It's why I posted the link for reference.

[–] [email protected] 3 points 6 months ago (1 children)

If the profile with Google services is quiesced like suspending your work profile, then no activity should be seen on the network at all. No keep alive no pings etc

[–] [email protected] 2 points 6 months ago

That's great. Love this sand boxing.

[–] [email protected] 1 points 6 months ago (1 children)

That is a great rundown, thanks! How would I install them on a different custom rom? Upon installing their "apps" store, i can't see the google play services (this might be because I'm currently on stock)

[–] [email protected] 3 points 6 months ago

Sandbox Google Play is just for GrapheneOS. As far as I know, doesn't work anywhere else.

[–] [email protected] 7 points 6 months ago (4 children)

I know in GrapheneOS that the Google Play Services are sandboxed and you can install them in a specific user profile, but I’m not sure if doing that still gives you notifications across those profiles

Hopefully someone with a little more knowledge of this can help? lol

[–] dracs 5 points 6 months ago

You can get notifications in other profiles. However it'll be a generic "Profile X has a notification". Tapping it will swap profles, but not exactly seamless.

[–] [email protected] 2 points 6 months ago

If it's a work profile, you can see the full notifications in the main profile

[–] [email protected] 4 points 6 months ago (2 children)

If I'm understanding correctly, this sounds just about exactly how GrapheneOS works by default. All GPlay apps work and have notifications, but are sandboxed.

[–] [email protected] 4 points 6 months ago (3 children)

I'm really interested in Graphene and Google privacy, but what does it mean when you say "Sandboxed? Like... I want to use Google Maps, does Google still track me? Maybe only when the app is open, and not when it's closed?

[–] [email protected] 4 points 6 months ago (1 children)

I don't really understand this stuff super well, but... I suspect what it means is that Google can track you while google maps is open, BUT since it doesn't have access to the rest of your phone, they'll have no idea who you are anyway?

[–] [email protected] 4 points 6 months ago* (last edited 6 months ago) (1 children)

And you can also not log into Google Maps. It still lets you use map and navigation etc. But it is denied any explicit methods of identifying you and is left with only probabilistic methods (i.e. you are searching from the same network and therefore same public IP as another device that is known to Google as being associated with your account).

[–] [email protected] 1 points 6 months ago

This would only be true if you're using Google maps through a privacy respecting web browser like mull.

If you're using the Google maps app, it has hardware identifiers, and can uniquely identify the phone. No guessing required

[–] [email protected] 4 points 6 months ago

For grapheneos sandboxed means the Google apps are just regular apps, they don't have privilege, they're not escalated, they are exactly the same as other apps. Very specifically, it means Google services are only accessible in the user/profile that they are installed in, and not phone wide

If you use a Google service, or an app that interacts with the Google apps, then Google knows about it. In graphene OS you can choose what apps have access to Google services, by running them in a different profile.

[–] [email protected] 1 points 6 months ago

but what does it mean when you say "Sandboxed?

By default, on a normal Android device, Google Play services are installed as a system application. It means that you can't remove it, and it can grant itself the permissions it needs. In contrary, regular user apps run in the Android application sandbox. They are installed by the user, have distinct permission controls that are enforced by the operating system and can be uninstalled at any time. Sandboxed Google Play is a compatibility layer created by the GrapheneOS team, which allows you to run Google Play services (which would normally require system privileges) to run as a normal user app in the regular application sandbox.

[–] [email protected] 2 points 6 months ago (1 children)
[–] [email protected] 1 points 6 months ago (1 children)

Yes, because the Google Wallet app requires a higher level of SafetyNet attestation, which can only be achieved when running an OS that's specifically whitelisted by Google.

[–] [email protected] 1 points 6 months ago

That's super sucky. I have to use gwallet for my uni ID and mobile payment stuff :( gotta wait til I graduate to use graphene ig

[–] MajorHavoc 3 points 6 months ago (1 children)

be sure that google can't access anything else

Last time I read the GrapheneOS docs, my understanding was that this has been taken care of for you, even when using a single profile.

[–] [email protected] 2 points 6 months ago (1 children)

Apps inside the same profile can consensually communicate via IPC. So if you have Google services running in the work profile, any app in that work profile can talk to them

[–] MajorHavoc 4 points 6 months ago

Yep. That's a good clarification.

"Apps within the same profile can communicate with mutual consent and it's no different for sandboxed Google Play."

If GFS is installed on a profile, any app in that profile can use it to phone home.

I suspect that aspect is mostly mitigated, for me. by my not using a Gmail account to sign into any apps. Theoretically, it doesn't stop them from fingerprinting, in other ways.

Except:

"Google Play receives absolutely no special access or privileges on GrapheneOS as opposed to bypassing the app sandbox and receiving a massive amount of highly privileged access."

and

"As with any other app, it can't access data of other apps and requires explicit user consent to gain access to profile data or the standard permissions."

Means that GFS is going to be denied it's usual fingerprinting solutions.

Source: https://grapheneos.org/usage#sandboxed-google-play combined with professional experience with privacy technically, and a decent amount of (educated) speculation.

TL;DR:

Using separate profiles is better, particularly when using GFS.

But as someone who doesn't sign into any Google account and just wants a banking app to work, GFS on the main profile is still way better than stock Android.

[–] [email protected] 2 points 6 months ago* (last edited 6 months ago) (1 children)

Update: I ended up going with microG. You can install the apps from f-droid and with insular/shelter copy them to a work profile. It seems that apps outside of the work profile can't acces these services.

Edit: do NOT install them to non-work profile and then clone them. Instead, they must be installed directly in work profile. My way of doing this was to clone fdroid and install the microG from (work profile) fdroid. If you were to install them to non-work profile, clone them and uninstall the original, your (or at least mine did) phone will be stuck on "phone is starting" after reboot.

[–] [email protected] 1 points 6 months ago (1 children)

Great I'm glad you found a solution that works for you. Just be aware Microg is still phone wide, so any app on your phone can talk to Google.

[–] [email protected] 2 points 6 months ago

Whan I installed messenger on my non-work profile, it kept crashing. On the work profile with microG it works. I think it still at least limits the access