Hi! What would be the best way to limit play serbices to only selected apps. I still need notifications to work from them, but would like to be sure that google can’t access anything else

  • jet@hackertalks.com
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 month ago

    Apps inside the same profile can consensually communicate via IPC. So if you have Google services running in the work profile, any app in that work profile can talk to them

    • MajorHavoc@programming.dev
      link
      fedilink
      arrow-up
      4
      ·
      1 month ago

      Yep. That’s a good clarification.

      “Apps within the same profile can communicate with mutual consent and it’s no different for sandboxed Google Play.”

      If GFS is installed on a profile, any app in that profile can use it to phone home.

      I suspect that aspect is mostly mitigated, for me. by my not using a Gmail account to sign into any apps. Theoretically, it doesn’t stop them from fingerprinting, in other ways.

      Except:

      “Google Play receives absolutely no special access or privileges on GrapheneOS as opposed to bypassing the app sandbox and receiving a massive amount of highly privileged access.”

      and

      “As with any other app, it can’t access data of other apps and requires explicit user consent to gain access to profile data or the standard permissions.”

      Means that GFS is going to be denied it’s usual fingerprinting solutions.

      Source: https://grapheneos.org/usage#sandboxed-google-play combined with professional experience with privacy technically, and a decent amount of (educated) speculation.

      TL;DR:

      Using separate profiles is better, particularly when using GFS.

      But as someone who doesn’t sign into any Google account and just wants a banking app to work, GFS on the main profile is still way better than stock Android.