I think it's more of a marketing claim from less secure systems that "privacy is not security, and GrapheneOS focuses on security while we focus on privacy".
GrapheneOS does care about both, quite obviously. And GrapheneOS tends to say that if your security is bad, then it is affecting your privacy too. Whereas others say "sure, we break the Android security model by unlocking the bootloader and signing our system with the Google test keys, but your apps will contact Google through microG instead of the Play Services, so it's more private". Which is worth what it is worth...
> I think it's more of a marketing claim from less secure systems that "privacy is not security
I'm not sure Cyanogenmod had a marketing team that convinced me of anything when I first installed their ROM in 2013 and explored my phone's capabilities with root. Accessing the sensor devices, inspecting what the different apps do, what the OS is doing, installing Xprivacy to provide fake data to tracking apps... none of that is possible on GrapheneOS; you can only use the Android APIs, same as on stock.
1. If you care about privacy, you should care about security. If your email server is compromised and your emails leak in the public internet, then they are not private anymore.
2. GrapheneOS does care about both security and privacy.
> explored my phone's capabilities with root. Accessing the sensor devices, inspecting what the different apps do, what the OS is doing, installing Xprivacy to provide fake data to tracking apps... none of that is possible on GrapheneOS
I think you're talking about something like "freedom", here. GrapheneOS doesn't claim to give you the freedom to do whatever you want. In fact, part of the Android security model is to limit your freedom.
Which is not to say that you should not want the freedom to have root access on your phone. But if that's what you want, GrapheneOS is probably not it.
My phone isn't my email server though? It's not exposed to the public internet. It connects outwards but you can't simply connect inwards to the IMAP client
You can invert your logic as well: Why care about security without privacy? If your apps are leaking everything to the internet, what's there to keep secure? One could argue this is the essential dependency, not the other way around, since security depends on the threat model, but without privacy there are no more secrets.
> I think you're talking about something like "freedom", here
In part, as well as a means to an end, yes. (GrapheneOS uses this as well, since without the freedom to bring your own OS, they couldn't run on Google's devices. I would think we all enjoy having the freedom to do what we want with our own hardware.) Note also the part where it says "provide fake data to tracking apps": that's privacy which GOS doesn't offer but a user-rooted device / any desktop OS would.
> You can invert your logic as well: Why care about security without privacy?
That's EXACTLY my point here. GrapheneOS cares about both, because GrapheneOS considers that they go together.
People come and say "GrapheneOS doesn't understand that people care about privacy and not security, therefore people are happier with less secure systems like /e/OS because /e/OS doesn't care much about security but cares about privacy".
My point is that I care about both, and I am therefore happier with GrapheneOS because GrapheneOS cares about both.
> Note also the part where it says "provide fake data to tracking apps": that's privacy which GOS
GrapheneOS offers such privacy features (like giving a permission to the app but telling the system to feed it dummy data). But yeah, maybe it's not exactly doing what you want (actually it sounds more like you just don't know what GrapheneOS can do, but it's not stopping you), therefore you can probably go around and claim that "GrapheneOS doesn't provide privacy", because why not?
This is only my opinion, but GrapheneOS's approach to privacy seems obtuse to me. They will claim that an unlocked bootloader is a risk, but then turn around and recommend you install proprietary GApps in their sandbox. The sandbox doesn't matter if all the private data is in the same sandbox!
> recommend you install proprietary apps GApps in their sandbox
They don't recommend that you do that.
They tell people that if people want to install apps, Google Play Store is a secure and easy way to get apps.
They inform people about this because some have the misconception that using the Play Store defeats the whole purpose of GOS (which it doesn't) or that the Play Store is highly problematic (it's better than most alternatives).
But the user is free to decide what they do. If you look at project members of GrapheneOS, some say they use Play, some say they don't.
> The sandbox doesn't matter if all the private data is in the same sandbox!
That's not how sandboxing works. The sandbox is around the app. Each app is in the sandbox. On GrapheneOS even the components of Google Play (Play Store, Play Services and on older installs Play Services Framework) are sandboxed. On Android OSes that bundle Google Mobile Services (GMS), Play gets an exception and is a privileged app. On GrapheneOS they are regular apps. They are each put in their own sandbox. The access of each is controlled by their own set of fine-grained run-time permissions.
With all due respect, you fundamentally misunderstand how sandboxing works, even on Android in general. I recommend reading this to understand sandboxing in the AOSP: https://source.android.com/docs/security/app-sandbox . On GrapheneOS the sandbox is hardened a bit, but that's not the most significant feature of the OS at all, and Play is forced to run sandboxed if users choose to install it.
Feels like you don't know what "the sandbox" is. It's not "their" sandbox, it's from AOSP.
When you run an app on Android, it runs in a sandbox. Meaning that your social media app cannot access the files of your banking app by default. They are "sandboxed".
On a normal Android, the Play Services are installed as a system app. It is a privileged app that has "system" access. A system app is not sandboxed.
GrapheneOS allows you to install the Play Services and the Play Store as "sandboxed" apps in that they run unprivileged, just like WhatsApp or TikTok or your banking app.
So running the proprietary Google apps in the sandbox is obviously more private than running them as system apps, wouldn't you say?
If the Tiktok app passes your data to Play Services (say, to support notifications with GCM) then it doesn't make any difference that Play Services is nominally "sandboxed".
I agree there's some marginal benefit that sandboxed GApps need to prompt the user for permissions (rather than having privileged system level access) but at the end of the day, Google Maps will get GPS perms and Google will know everywhere your phone goes.
> If the Tiktok app passes your data to Play Services (say, to support notifications with GCM) then it doesn't make any difference that Play Services is nominally "sandboxed".
Sure, but that's the same if you run TikTok with microG (which will relay your data to the Google servers just like the Play Services) or in waydroid on a Mobile Linux. But you can't blame the system for what the apps are allowed to do by the user.
Take your Google Maps example: if the user wants to run Google Maps, obviously they will be sharing data with Google. It's very weird to blame the system for that.
What the sandbox brings is that for users who want to run the Play Services (because they want to run TikTok, knowing that it will share data with some servers, including but not limited to the Google servers through the Play Services), then at least the Play Services are not root on their OS. So then instead of running microG, you can run the Play Services and have the same kind of benefits.
Now if you don't want your apps to contact Google, then by all means, don't install the Play Services! But don't install microG either! And don't install Google Maps!
It's all about trade-offs, it's not an all or nothing situation. Sandboxed Play Services is better than privileged Play Services.
I agree it's about trade-offs. I think MicroG - which provides dummy no-op implementations of Google Play tracking APIs, and allows you to select alternative Location Providers and notification backends - is a better option than running first-party Google software.
You're of course correct that we can't blame the system for choices made by users, but I do think GOS lulls users into complacency by focusing on the security angle only and encouraging users to install sandboxed GApps: https://grapheneos.org/usage#sandboxed-google-play
Regarding location, please see my comment higher in the thread about the location rerouting through GrapheneOS.
Also, it's not a better option to use MicroG. MicroG is in most OSes where it's bundled running privileged and still connects to Google. Moreover, their reimplementation isn't complete and also not as well done as Google's.
> encouraging users to install sandboxed GApps
What you link isn't an encouragement at all. It's offered as an option, because there is a demand for it in order to keep compatibility with apps high. It's a usability feature (compatibility) that's implemented much more securely and privately than on other OSes because it runs in the sandbox. Users are not forced at all to use it nor are they pushed to it.
Not all GrapheneOS project members (devs and moderators) even use Google Play, so how would they be "lulling us into complacency".
> focusing on the security angle only
The app sandbox isn't only a security feature, it's a privacy feature. Access to your data is gated behind permissions due to the sandbox. This is privacy.
> I think MicroG - which provides dummy no-op implementations of Google Play tracking APIs, and allows you to select alternative Location Providers and notification backends - is a better option than running first-party Google software.
microG still forwards the requests to the Google servers. Not sure what you mean by "tracking APIs"? microG is a reverse-engineered, open source implementation of a subset of Play Services, right? It's not obviously a better option: for instance, some things that are supported in Play Services are not supported in microG, and microG sometimes breaks (because of changes in the API).
> allows you to select alternative Location Providers
GOS does that, too.
> I do think GOS lulls users into complacency by focusing on the security angle only and encouraging users to install sandboxed GApps
I don't get that. It does not encourage them to install Play Services, it makes it available. Because for many (most?) users, it is important to have it.
I am not sure what you are trying to say: is your opinion that there is no point in using an alternative OS (like GOS, /e/OS, LineageOS, IodeOS, ...) or are you trying to say that GOS is not the most secure/private alternative OS?
I'm trying to say the same thing I said up at the top: GOS's approach to privacy is obtuse. They deliberately conflate security with privacy (you even write "secure/private" as though they're the same thing) in a way that does a disservice to users.
My opinion is that GOS is very successful at its own stated goal of having an extremely secure mobile OS that rolls out patch updates quickly. I think it's far less successful at protecting user privacy because — as you even admit, many/most of them will find their phones unusable with vanilla GOS and immediately follow the GOS user guide to install Google Play and help them securely upload their personal data to the world's biggest adtech firm.
I think iodéOS and /e/OS are more in line with what I want from a mobile OS.
> as you even admit, many/most of them will find their phones unusable with vanilla GOS and immediately follow the GOS user guide to install Google Play
I installed the Play Services right away, just like I installed microG right away on a LineageOS system (I don't know about iodeOS, but /e/OS comes with microG by default). In terms of privacy, I don't think it is very different: microG is an open source implementation of the Play Services, that also contacts the Google servers. Many will use something like the Aurora store, which is a client for the Play Store. Etc.
GrapheneOS has proxies, e.g. for the location service. They are doing a lot for privacy, that's very clear.
> I think iodéOS and /e/OS are more in line with what I want from a mobile OS.
And that's your right. I think that GrapheneOS is more secure, and not less private than those. Actually in my experience with /e/OS, it was less secure than Stock Android (though more private, admittedly).
> They deliberately conflate security with privacy (you even write "secure/private" as though they're the same thing) in a way that does a disservice to users.
That's not really true. In fact, the way you are presenting it, as if they were separate, is doing a disservice to the reality and therefore to the users.
You can't have privacy without security. Security is what enforces the privacy. If your system is insecure, privacy controls can be bypassed.
> My opinion is that GOS is very successful at its own stated goal of having an extremely secure mobile OS that rolls out patch updates quickly.
GOS' "own stated goal" is privacy, security and usability. The main reason the project is made is to give people privacy, and the reality is that in order to give privacy you need strong security. Usability is also striven for by trying to match other mobile OSes in app compatibility and accessibility features (the latter being a current work in progress with TTS and STT coming soon).
> I think it's far less successful at protecting user privacy because — as you even admit, many/most of them will find their phones unusable with vanilla GOS and immediately follow the GOS user guide to install Google Play and help them securely upload their personal data to the world's biggest adtech firm.
Many people are able to use their phone fine without installing Google Play. It depends on choices people make. If you use a different set of apps not relying on Play, it's perfectly possible to use it. If you care so much, just change the apps you use. Also installing Google Play doesn't equate to "securely uploading their personal data to the world's biggest adtech firm". Again totally misunderstanding how the app sandbox works.
> I think iodéOS and /e/OS are more in line with what I want from a mobile OS.
Unclear what you want. If you want something aligning to your vibes and ideology, probably. If you want privacy, not really.
Sandboxed-Google-Play is not encouraged or promoted. It is suggested if you need apps only accessible via Google Play or needing Google services purely because it provides the maximum compatibility. GrapheneOS have always said that Android's strength is a large wealth of open source apps (many of which do not need Google). If more everyday apps (media streaming, taxi, food delivery & rewards, banking, government, social media) did not depend on Google, GrapheneOS would not spend the time, resources and effort that they have on sandboxed-google-play.
Communication between apps using IPC happens on mutual consent and is explicit. You can't just throw data to Play Services and expect it to accept it and process it well, that's not how it works. Communication via IPC is always very intentional and specific, so it will be very structured data for specific purposes, not just a dump of all your data. Firebase Cloud Messaging (FCM) is a push messaging service, it doesn't need to be used to send the actual notification. It's perfectly possible to just use FCM to wake the device and then handle notifications yourself as an app. The way FCM can be used is much different from Apple's system. Apple forces you to use their services for notifications while Google allows you to use FCM just for waking your device. It's also possible for apps to not use FCM at all and to just use WebSockets or UnifiedPush.
If you just grant Google Maps location permission and don't give it to Play Services and keep your sandboxed google play settings to the default, the location requests are rerouted through the GrapheneOS servers. If you want to use network location to get quicker location locks and location indoors, you can also use GrapheneOS network location, so you don't need to use the Google implementation for that.
And, even if you would decide to use Google directly for the location, you can perfectly avoid giving permanent location access. You can hand it over only once or only when the app is in use. So Google doesn't know everywhere your phone goes, at all.
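The "FCM only wakes the device" pattern from the comment above, as an added example by the editor (not code from this thread, from GrapheneOS or from Google). The server sends a data-only push carrying nothing but an opaque message id; the app then fetches the real content from its own backend over TLS and builds the notification locally, so the push relay (Play Services or microG, and Google's servers behind them) only ever sees the id. The backend URL `https://backend.example/api/messages/`, the 32-hex-digit id format and the session token kept in SharedPreferences are assumptions of this example:

```java
import android.app.NotificationChannel;
import android.app.NotificationManager;
import android.content.Context;
import android.os.Build;
import androidx.core.app.NotificationCompat;
import com.google.firebase.messaging.FirebaseMessagingService;
import com.google.firebase.messaging.RemoteMessage;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import javax.net.ssl.HttpsURLConnection;

/**
 * FCM used purely as a wake-up signal (added example, not project code).
 *
 * The server must send a *data-only* message (no "notification" key) whose
 * payload is an opaque id. Data-only messages are always delivered to
 * onMessageReceived(), even with the app in the background; a message with a
 * "notification" key would be rendered by the system tray and bypass this code.
 */
public class WakeOnlyMessagingService extends FirebaseMessagingService {
    private static final String CHANNEL_ID = "messages";
    // Assumed endpoint on the app's own backend (not part of the thread).
    private static final String BACKEND = "https://backend.example/api/messages/";
    private static final int MAX_BODY = 64 * 1024; // refuse oversized responses

    @Override
    public void onMessageReceived(RemoteMessage message) {
        // Runs on a background thread with a short execution budget; hand
        // anything longer than a quick fetch to WorkManager instead.
        Map<String, String> data = message.getData();
        String id = data.get("id");
        // Accept only a 32-hex-digit id (assumed format) so nothing from the
        // push payload can shape the URL built below.
        if (id == null || !id.matches("[0-9a-f]{32}")) {
            return;
        }
        try {
            String body = fetchFromOwnServer(id);
            showNotification(id.hashCode(), body);
        } catch (Exception e) {
            // Fetch failure means no notification; the content is never
            // placed in the push payload as a fallback.
        }
    }

    /** Pulls the real content over TLS from the app's own server. */
    private String fetchFromOwnServer(String id) throws Exception {
        HttpsURLConnection conn =
                (HttpsURLConnection) new URL(BACKEND + id).openConnection();
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        conn.setRequestProperty("Authorization", "Bearer " + loadSessionToken());
        try {
            if (conn.getResponseCode() != 200) {
                throw new IllegalStateException("HTTP " + conn.getResponseCode());
            }
            try (InputStream in = conn.getInputStream()) {
                ByteArrayOutputStream buf = new ByteArrayOutputStream();
                byte[] chunk = new byte[4096];
                int n;
                while ((n = in.read(chunk)) > 0) {
                    if (buf.size() + n > MAX_BODY) {
                        throw new IllegalStateException("response too large");
                    }
                    buf.write(chunk, 0, n);
                }
                return buf.toString(StandardCharsets.UTF_8.name());
            }
        } finally {
            conn.disconnect();
        }
    }

    /** Builds the notification locally; the push relay never saw this text. */
    private void showNotification(int notifId, String text) {
        NotificationManager nm =
                (NotificationManager) getSystemService(Context.NOTIFICATION_SERVICE);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            nm.createNotificationChannel(new NotificationChannel(
                    CHANNEL_ID, "Messages", NotificationManager.IMPORTANCE_DEFAULT));
        }
        nm.notify(notifId, new NotificationCompat.Builder(this, CHANNEL_ID)
                .setSmallIcon(android.R.drawable.ic_dialog_info)
                .setContentTitle("New message")
                .setContentText(text)
                .setAutoCancel(true)
                .build());
    }

    // Assumed: session token stored at login. A real app would prefer
    // EncryptedSharedPreferences or the Android Keystore over plain prefs.
    private String loadSessionToken() {
        return getSharedPreferences("session", Context.MODE_PRIVATE)
                .getString("token", "");
    }
}
```

The service still has to be declared in the manifest with the `com.google.firebase.MESSAGING_EVENT` intent filter, and on Android 13 and later the app needs the `POST_NOTIFICATIONS` runtime permission before `notify()` shows anything. The same wake-only design carries over to UnifiedPush, where the push payload would likewise hold only the opaque id.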
They recommend you install google play services if you need it. Privacy is in no small part a user-decision - no matter how secure your device is if you just scroll Facebook all day.