Hi! What would be the best way to limit Play services to only selected apps? I still need notifications to work from them, but would like to be sure that Google can’t access anything else.

  • MajorHavoc
    6 months ago

    Yep. That’s a good clarification.

    “Apps within the same profile can communicate with mutual consent and it’s no different for sandboxed Google Play.”

    If GFS is installed on a profile, any app in that profile can use it to phone home.

    I suspect that aspect is mostly mitigated, for me, by my not using a Gmail account to sign into any apps. Theoretically, it doesn’t stop them from fingerprinting in other ways.

    Except:

    “Google Play receives absolutely no special access or privileges on GrapheneOS as opposed to bypassing the app sandbox and receiving a massive amount of highly privileged access.”

    and

    “As with any other app, it can’t access data of other apps and requires explicit user consent to gain access to profile data or the standard permissions.”

    Means that GFS is going to be denied its usual fingerprinting solutions.

    Source: https://grapheneos.org/usage#sandboxed-google-play combined with professional experience with privacy technically, and a decent amount of (educated) speculation.

    TL;DR:

    Using separate profiles is better, particularly when using GFS.

    But as someone who doesn’t sign into any Google account and just wants a banking app to work, GFS on the main profile is still way better than stock Android.