20 comments

[ 0.24 ms ] story [ 61.4 ms ] thread
I think this idea that Google Play is tracking the crap out of you (especially if you’re adept at changing your account privacy settings) is a bit overplayed.

Google Play makes the bulk of its money on in-app purchases. It’s essentially the same software royalty business model as the PlayStation Store or Steam. I doubt it’s really a heavy personal information tracking app like Google Search, with the exception of personalization for ads for apps within the store (which can be de-personalized).

Now, that’s not to say I don’t think it’s good to De-Google your life. However, for me personally, stuff like breaking bank apps or being unable to buy paid apps would be something of a dealbreaker.

Using Android with an alternative browser, ad blocker, and email service that are outside of Google, and auditing your account privacy settings is already avoiding 95% of the personal info tracking that Google does on the average person, if I were to guess.

I think you're conflating the Google Play store with Google Play Services. The latter is what people seek to avoid
Doesn’t mean those people who wish to avoid it are doing so for incredibly strong reasons.

Google is quite up front and transparent about what the services do and what data they collect. The user can control pretty much all of it via device and account settings.

https://support.google.com/android/answer/10546414?hl=en

Personally, a lot of the tin foil hat privacy stuff isn’t worth losing some rather useful services like sending emergency responders my location.

On Google's transparency, I think you need to bear in mind that, even if they have stopped now, Google was built by routinely collecting unseemly piles of data about each of us on the mostly correct assumption that our Overton windows precluded consideration of such invasions. In the meantime, law enforcement has helped itself to the spoils through geofence warrants that can earn you police scrutiny in, again, post-hoc happenstance that would be disruptive and jarring to one's life.

On you last point, consider that some people view those features as marginally useful or view abstinence from their use as worthwhile self-deprivation (e.g. I spend no time alone, so my emergency calls are already a solved problem.)

Having said that, I don't use a Graphene OS Pixel or any other de-Googled phone, but the existence of such a market shouldn't be surprising.

> breaking bank apps

It's not popular to say because Google is everyone's favorite villain, but those banking apps are far, far greater privacy threats.

A typical user session on the Chase website or mobile app might make a couple hundred https requests, and between 30% and 50% of those requests go to a dog's breakfast of 30 to 40 different non-Chase sites.

If you think it's important for your privacy to de-Google your phone, more power to you. But if you don't also de-Chase and de-Schwab and de-Instagram and de-Amazon at the same time, then your threat model is a lot different than my threat model.

One https request != one disclosure of personal information

If I host some static files on S3 and your browser makes some requests to AWS URLs that doesn’t mean that I’m giving all your info to AWS.

Does any of it really matter if Your phone still is running GoogleMobileServices deeply integrated with the OS itself?
You can install a VPN based firewall and block it. I still would prefer it to not be there though.
Actually you can't. Just like on iOS, researchers found that some of the deeply integrated Google system apps intentionally bypass the VPN. The VPN will reduce which ones report directly, but not eliminate many for the critical ones.
(comment deleted)
Isn’t YouTube without signing in losing any parental controls? Or am I mistaken?
I'm surprised not so many people know about DivestOS[0]. It's the best option IMO if you don't have a google pixel for grapheneOS. Has similar support to lineageOS which it is based on. Same developer made Mulch and Mull web browsers. Monthly security updates. Obviously none of the hardware security features grapheneOS offers, but many other features, binary deblobbing, private DNS, MAC randomization etc.

Also, if you're handset model supports relocking, you can use banking apps etc.

[0]: https://divestos.org

Here's an interesting comparison against other alternatives like /e/: https://eylenburg.github.io/android_comparison.htm
Good table. The device support for DivestOS will improve with device/cash donations, its basically a one-man project. SZ compiles all the monthly builds on his own machines, its quite an undertaking.

From what I understand there's been a fair amount of drama in the de-googled OS space.

My experience with DOS has been exceptional and I'd encourage anyone who uses it to donate towards SZs ongoing efforts. It's pretty amazing what he's achieved on mostly his own.

Nice table, though a couple of the things are a bit out of date on Calyx, and Divest depends a lot on which device you're talking about.

I'm assuming you're a GrapheneOS proponent, because I noticed you rarely used "Google" as the answer to anything on Graphene even though that often is the answer. Graphene is very clear they're a security focused OS, and will consider privacy secondarily. The sandboxed Google Play is excellent for security, and provides the maximum equivalent compatibility possible with ASOP, but it's far less private than microG, which is only a little reduced by some of the extras GOS includes. Divest and Calyx are privacy focused first, and hardened security second. They use microG for the privacy, and actually take a number of the Graphene security patches. They're focused on making a device people can actually use while remaining relatively private. Obviously very different use cases and considerations between the two sets of projects.

My personal experience is that Graphene is very interested in deep system changes to improve security, but is inconsistent in whether Google is considered trusted or not (mostly for cases when it's convenient/inconvenient). The occasional privacy-specific feature gets thrown in too, which is usually excellent, but user experience is pretty low priority, and almost anything but the ultra hardened use case isn't really of much interest. Throwing raw GApps in as a sandboxed app is a perfect example, it's a great security limitation that it's sandboxed, but a haphazard privacy choice where Google is mostly considered "trusted" as a privacy source ("just don't use it if you want privacy"). The unfortunate reality is that most phones have huge usability problems if you don't have something acting as part of the GApps, e.g. location takes 5+ minutes to lock in on GrapheneOS without GApps if you haven't locked it in recently, and won't ever lock in if you try to use an app relying on GApps (almost all of them). I'm personally more focused on privacy than ultra hardened security since I'm not a journalist under threat by nation state actors (Graphene is ideal for that use case).

To be more clear you might consider splitting Graphene into 2 columns, 1 without GApps installed and 1 with.

NOOOOOOooooooo......

This article doesn't explain you need to log out of all Google accounts before factory reset. If that's not possible, you'll have to find an FRP bypass and hope for the best. The e4plus is nearly 7 years old. It'll probably work, but newer devices are increasingly difficult.

And if there's no Google account, you can just skip wifi during initial setup. That way you can setup a firewall first by installing the apk over usb.

chromite browser for privacy plus rethink dns to block factory apps from internet.Works on my moto E5 Android 8.
It would be cool if there was a website where people could list apps that users want de-googled. I think the biggest decoupling programmatically might be dealing removing Google Play Services