Shimon, (edited)

Update: I ended up going with microG. You can install the apps from f-droid and with insular/shelter copy them to a work profile. It seems that apps outside of the work profile can’t access these services.

Edit: do NOT install them to non-work profile and then clone them. Instead, they must be installed directly in work profile. My way of doing this was to clone fdroid and install the microG from (work profile) fdroid. If you were to install them to non-work profile, clone them and uninstall the original, your phone (or at least mine did) will be stuck on “phone is starting” after reboot.

MajorHavoc,

be sure that google can’t access anything else

Last time I read the GrapheneOS docs, my understanding was that this has been taken care of for you, even when using a single profile.

MxRemy,

If I’m understanding correctly, this sounds just about exactly how GrapheneOS works by default. All GPlay apps work and have notifications, but are sandboxed.

JetpackJackson,

Except for wallet iirc

Andromxda,

Yes, because the Google Wallet app requires a higher level of SafetyNet attestation, which can only be achieved when running an OS that’s specifically whitelisted by Google.

JetpackJackson,

That’s super sucky. I have to use gwallet for my uni ID and mobile payment stuff :( gotta wait til I graduate to use graphene ig

Roopappy,

I’m really interested in Graphene and Google privacy, but what does it mean when you say "Sandboxed"? Like… I want to use Google Maps, does Google still track me? Maybe only when the app is open, and not when it’s closed?

MxRemy,

I don’t really understand this stuff super well, but… I suspect what it means is that Google can track you while google maps is open, BUT since it doesn’t have access to the rest of your phone, they’ll have no idea who you are anyway?

mctoasterson,

And you can also not log into Google Maps. It still lets you use map and navigation etc. But it is denied any explicit methods of identifying you and is left with only probabilistic methods (i.e. you are searching from the same network and therefore same public IP as another device that is known to Google as being associated with your account).

Andromxda,

but what does it mean when you say "Sandboxed"?

By default, on a normal Android device, Google Play services are installed as a system application. It means that you can’t remove it, and it can grant itself the permissions it needs. In contrast, regular user apps run in the Android application sandbox. They are installed by the user, have distinct permission controls that are enforced by the operating system and can be uninstalled at any time. Sandboxed Google Play is a compatibility layer created by the GrapheneOS team, which allows you to run Google Play services (which would normally require system privileges) as a normal user app in the regular application sandbox.

Tazerface,

AFAIK, the only way to limit certain apps using GPS is to install in another profile.

grapheneos.org/usage#sandboxed-google-play will give you the complete rundown on how this works.

Shimon,

That is a great rundown, thanks! How would I install them on a different custom ROM? Upon installing their “apps” store, I can’t see the google play services (this might be because I’m currently on stock)

Tazerface,

Sandbox Google Play is just for GrapheneOS. As far as I know, doesn’t work anywhere else.

emberpunk,

So if I have two profiles, one with and one without play services and the profile with play services is not active, there’s no active pinging and telemetry going on?

Tazerface,

Truthfully, I’m not sure. There is a way to get notifications from a second profile when on the main profile so it stands to reason there is something happening on the second profile. I don’t use a second profile so I can’t give a first-hand account. It’s why I posted the link for reference.

cmrss2,

I know in GrapheneOS that the Google Play Services are sandboxed and you can install them in a specific user profile, but I’m not sure if doing that still gives you notifications across those profiles

Hopefully someone with a little more knowledge of this can help? lol

dracs,

You can get notifications in other profiles. However it’ll be a generic “Profile X has a notification”. Tapping it will swap profiles, but not exactly seamless.

Andromxda,

GrapheneOS has notification forwarding
