Hi! What would be the best way to limit play serbices to only selected apps. I still need notifications to work from them, but would like to be sure that google can’t access anything else
Hi! What would be the best way to limit play serbices to only selected apps. I still need notifications to work from them, but would like to be sure that google can’t access anything else
Last time I read the GrapheneOS docs, my understanding was that this has been taken care of for you, even when using a single profile.
Apps inside the same profile can consensually communicate via IPC. So if you have Google services running in the work profile, any app in that work profile can talk to them
Yep. That’s a good clarification.
“Apps within the same profile can communicate with mutual consent and it’s no different for sandboxed Google Play.”
If GFS is installed on a profile, any app in that profile can use it to phone home.
I suspect that aspect is mostly mitigated, for me. by my not using a Gmail account to sign into any apps. Theoretically, it doesn’t stop them from fingerprinting, in other ways.
Except:
“Google Play receives absolutely no special access or privileges on GrapheneOS as opposed to bypassing the app sandbox and receiving a massive amount of highly privileged access.”
and
“As with any other app, it can’t access data of other apps and requires explicit user consent to gain access to profile data or the standard permissions.”
Means that GFS is going to be denied it’s usual fingerprinting solutions.
Source: https://grapheneos.org/usage#sandboxed-google-play combined with professional experience with privacy technically, and a decent amount of (educated) speculation.
TL;DR:
Using separate profiles is better, particularly when using GFS.
But as someone who doesn’t sign into any Google account and just wants a banking app to work, GFS on the main profile is still way better than stock Android.