I have done my homework. I know the “best approach” when it comes to Google Pixel is to use GrapheneOS with Sandboxed Play Services if required.
But what about stock itselft? What if I disable all tracking activities on the Google account and all tracking toggles on the phone itself?
I read a lot, and it seems that there is a lot of click-baits articles where the privacy configurations are not correctly set and then the writer would complain about tracking. On the other hand, one study which seems to be legetimate suggested that Google will even get your phone and sms logs (https://www.scss.tcd.ie/doug.leith/privacyofdialerandsmsapps.pdf) .
It is starting to become mentally exhausting. And any feedback about suggestions or experiences is welcome (I am also not going back to Apple).
Well, even if you disable all tracking activities, there is no guarantee that Google would respect the toggles anyway. Similar to what was happening with Apple.
Additionally, Google Play Services is still a system-level app on Stock Pixel and has lots of invasive permissions compared to its sandboxed state in GrapheneOS. Personally, I would go with GrapheneOS and benefit from the security hardening and privacy advantages.
The problem on stock Android is that Google Play Services has privileged and invasive access to your device. It can access all your files, your unique identifiers, and a lot more. As the study you linked and others show, disabling the toggles seems to be superficial in a lot of cases, and doesn’t do as much as it should. It all comes down to how much you trust Google at the end of the day. All you can really do is disable what tracking you can and hope for the best.
I would say overall that its really difficult to be private on stock unfortunately and I wouldn’t recommend it, but it all depends on your threat model and what you’re comfortable with.
Maybe I am missing something but I think Stock is a smoother experience overall between all the small features here and there. And maybe this silly, but the hardware might be optimized for Stock at best (Adaptive Battery, Hardware accelertion, better compatibility etc…).
@anon5233878@Sharply Yes, this is why I said it is becoming mentally taxing. On one hand there is the study, but then I read Google answer, which is not that bad, but we never know the reality of things…:
Google say they plan to change the app onboarding flow
so that users are notified this is a Google app with a
link to Google’s consumer privacy policy. This will likely
include opportunities to provide more “Privacy Tours”
that walk the user through an overview of the app’s
data use and data collection. This will include a new
on/off toggle to cover data collection that Google do not
consider to be essential for the app to function.
Will halt the collection of the sender phone number via
the CARRIER_SERVICES log source, collection of the
5
SIM ICCID and of a hash of sent/receivedmessage text
by Google Messages (the latter change will be rolled
out with version 10.9.160 of Google Messages, the other
changes in the next release).
Will remove logging of call related events in Firebase
Analytics from both Google Dialer and Messages.
Re the recommendation to use short-lived session identi-
fiers for telemetry data, Google say they would like to
see more logging moved to using the least long-lived
identifier available whenever possible and that this an
ongoing project.
Re the spam detection/protection service, Google note
that this only occurs for phone numbers not in the
handset contacts list and plan to (i) create a product
tour explaining to new users and reminding current users
that caller ID and spam protection is turned on for user
protection, and letting them know how to disable it,
(ii) add a visual indicator within the Messages app that
indicates when spam protection is enabled, (iii) investi-
gate whether an approach similar to the Safe Browsing
hash prefix solution can be used. Google also state that
the timestamp logged in the SCOOBY EVENTS log
message (see Section VI.A.4) is fuzzed to the nearest
hour server-side, and will also be fuzzed client-side from
version v75 onwards of the Dialer app.
Google state that there are back-end server controls to
regulate joins between the Android ID and user account
data, but the policy used to manage joins is not publicly
available. Google also note that when a handset has
multiple Google user accounts then its Android ID would
be associated with all of those user accounts.
From what you have listed, almost all of these are future plans and have not been implemented yet so I don’t think basing your decision off of these reasons would be a good idea. Also, the benefits of Stock and the allegedly improved compatibility do not outweigh the advantages of GrapheneOS in my opinion.
Unless you have a really strong reason not to, I would use GrapheneOS for a month or two and then re-evaluate. From what you have said, you have done your research and came to the conclusion that the overall advantageous approach is to run GrapheneOS, so why consider running Stock anyway?
I would recommend reading the GrapheneOS Features Overview (assuming you haven’t already). It lists all the features that are GrapheneOS specific compared to Stock which can help with your evaluation.
Ultimately, It is up to you to consider your threat model and use case and pick whichever tool you feel will satisfy your criteria.
Maybe I am mistaken, but I don’t think that you can meaningfully disable tracking in your Google Account.
If you closely read most of the things Google lets you opt-out of, you’ll notice that rarely does Google let you opt-out of the actual tracking/data collection itself. They’ll often let you opt-out of certain ways that data will be used (i.e. targeted advertising) or limit the time some of that primary data is stored. But as far as I can tell none of the privacy controls let you actually opt-out of the tracking, data collection, and profiling in the first place. (e.g. you can opt out of some forms of targeted advertising, but afaik there is no option to opt out of the tracking and profiling that the targeted ads are based on).
GrapheneOS is fantastic, so I think you’ll enjoy it. And if you have any questions, head on over to the GrapheneOS forum and we’ll help you out.
A little reminder: do not let perfect be the enemy of good! Figure out and remember your threat model. It’s easy to get lost in the Woods of Surveilance, with the Hounds of GAFAM nipping at our heels and the Big Bad Wolf Brother skulking in the shadows as we search for the Cottage of Privacy.
So as you learn more, go back, reevaluate and update it as needed.
I am also in a situation where I am asking myself to GrapheneOS or not to GrapheneOS (i.e. staying with stock OS on a Pixel 8)? It is about my wife’s mobile. She has been on a Pixel 4a with CalyxOS but now the device has reached end of life state and her new Pixel 8 is lying here in front of me, still unboxed.
I myself have been using GrapheneOS for over two years now and I would never want to go back to any other mobile OS again. I know quite well how to troubleshoot if something doesn’t run instantly on GOS, my wife doesn’t. Also our family Pixel Tablet is equipped with GrapheneOS plus sandboxed Google Play Services and my wife likes it.
However, there are some things that make me doubt about GOS on my wife’s phone:
Whenever something hasn’t been working as expected on her 4a with CalyxOS, she has been blaming me and “my complicated setup” on her mobile. She just wants things to run smoothly.
She owns her own business and has to use several banking apps. I myself haven’t run into issues with banking apps on GOS so far. However, she uses more banking apps than I do and there is Play Integrity API looming. So if one day a banking app fails to run, she will be blaming me and “my complicated setup” on her mobile.
She is not into password managers. She uses a small number of passwords for a huge bunch of accounts. I have been trying to change that but I keep failing. Maybe Passkeys will be the thing that convinces her to leave behind this bad habit. But Passkey integration will be a much smoother experience on stock OS than on GOS (there is none yet).
She wants to use the Google Play Store. She doesn’t like Aurora since they had these major problems logging in and searching for apps a few months ago…OK. That’s fairly possible on GOS, too.
She doesn’t care as much about privacy as I do. She just wants things to run smoothly.
She won’t be able to troubleshoot if some app fails to run.
Although privacy is a nightmare on stock OS, at least security seems to be decent on a Pixel 8.
So my thought now is to leave her phone with stock OS and install Brave as her main browser, for it has got Chromium security plus additional privacy.
To be perfectly honest, they should probably just use an iphone. With all the privacy toggles set properly it’s decent compromise they will get that won’t break or get frustrated with in the future.
Buying hardware again would be an issue, but assuming you are in the return window for the pixel it’s not a bad idea to consider/discuss other options.
Interesting. I will say though that regards to banking apps, if yours is not using safetynet now I think there’s a good chance they won’t adopt play integrity either. These things can change at any time however. Google Pay also won’t work on GOS.
What specifically has she been having issues with, if you don’t mind sharing? The good news is that GOS has excellent compatibility and support thanks to Sandboxed Play, so things will likely work better than they did on Calyx in that sense.
Is it possible for you to test the banking apps ahead of time on your GOS phone? Is it also possible to just bookmark and use the banking websites for any unsupported banks, instead of the apps? If any banking apps don’t work, then I’d recommend contacting the bank if possible, and sending them this guide from GrapheneOS. Here is a resource as well that keeps track of what bank apps work on GrapheneOS, could also be of use.
I honestly don’t know enough about passkeys to comment here, hopefully someone else can.
Yeah, Aurora would act the same regardless of OS. Aurora does seem to be a lot more reliable than it used to be months back, but every now and then, it does still have issues. You could probably just use the official Play Store if you need to thanks to Graphene’s Sandboxed Play.
Yeah, I understand that, but like I said, Graphene does have pretty good compatibility and support, a lot better than most other alternate OSes out there.
Depends, but it’s pretty easy to enable exploit protection compatibility mode as needed. Graphene also appears to automatically enable it now for apps that do need it, which would make it even easier. I think out of all the apps I use on a daily basis, I’ve only ever had to temporarily enable exploit protection compatibility mode for one of them, so the good thing is that is uncommon to run into.
Yeah, the security is pretty good, downside is just of course the lack of privacy.
So my thought now is to leave her phone with stock OS and install Brave as her main browser, for it has got Chromium security plus additional privacy.
Brave is probably a good choice for a browser.
Yeah, I think I agree with @anonymous127 that iOS would probably be a perfect compromise in this case, since it’s a balance between privacy, security, and usability/user-friendliness, but if she doesn’t like iOS, then clearly there’s not much you can do there. I’d definitely recommend Graphene, but if it doesn’t work out for her, you can just stick to Stock and follow PG’s recommendations and use the recommend settings where possible to mitigate the damage, with things such as disabling usage & diagnostics, advertising ID, etc.
Actually the Aurora Store story was the thing that bothered her most.
I am testing them before on the Pixel Tablet with GOS and sandboxed GPS. The truth is that one of the banking apps she just installed on CalyxOS won’t run. Another reason why she wants a new device. On the Pixel Tablet it works perfectly.
Thank you for your answers and your thoughts. Finally she decided to stick with stock, also because we have already found one banking app that doesn’t work on GOS but she needs on a daily basis. We will try to mitigate the privacy issues if possible by trying to adjust the settings in a most privacy friendly way and by installing Brave, but no question, the damage will be there.
Also be sure to use an ad blocking dns (such as nextdns with a good blocklist) as it might block some of the telemetry and ads (even though you can’t rely on it). You can set it through private dns.
Don’t have one on the top of my head but I’d assume it’s just looking at all the settings on the device and google account and turning off ones that make sense?
!