this post was submitted on 14 Jul 2025

32 points (97.1% liked)

Privacy

39892 readers

252 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS

Google Play Sandbox on GrapheneOS: how easy and practical is it? (lemmy.world)

submitted 1 day ago by mazzilius_marsti@lemmy.world to c/privacy@lemmy.ml

11 comments fedilink hide all child comments

I'm picking up a new Google Pixel and want to put GrapheneOS on it. Heard about Graphene since before their splits at CopperHead, but I havent had the chance the try the OS out. So I searched around and GrapheneOS allowed Google Play sandbox.

Does this function similar to a "Private Space" on newer Android or "Secure Folder" on Samsung? So I can enjoy the Graphene stuff but whenever I need Google Play specific apps, I use the sandbox environment?

Mostly, I will be using bank apps under the sandbox. Are there problems with OTP in this environment? In Samsung's Secure Folder, my bank app will have problems sending OTP unless I send it outside, i.e. out of Secure Folder.

top 11 comments

sorted by: hot top controversial new old

[–] helpImTrappedOnline@lemmy.world 3 points 9 hours ago* (last edited 9 hours ago)

Play services work great, even Android auto works.

Personally, I don't bother with seperate profiles. I want push notifications for somethings. However if you only want bank apps, a separate profile may fit your use.

There is a "compatibility mode" you can turn on for apps that don't work. This relaxes the restrictions the app has and sometimes works.

OTP works fine for google account 2fa and MS authenticator. I don't think you'll have an issue with an app's 2fa as long as whatever other app needed are also part of the profile, be that SMS, email or notification.

[–] 3aqn5k6ryk@lemmy.world 3 points 10 hours ago (1 children)

Create a private space. Install sandboxed google play in there. Install banking app or any other google play dependant app in private space.

That's the most reasonable and less hassle method in my opinon. Lock it down when not in use. Cons? no push notification when locked down.

[–] murky0106@lemmy.world 3 points 8 hours ago

This is the way

[–] irotsoma@lemmy.blahaj.zone 2 points 15 hours ago* (last edited 15 hours ago) (1 children)

Strongly recommend reviewing the compatibility of apps you can't live without, especially finance ones. And you won't be able to use Google Wallet with tap to pay. Those are often not happy about you having any amount of security or privacy in the name of security, but really usually because they're too lazy, or want to violate your privacy themselves.

I never really used it so it was fine with me. And the few apps I had to dump I mostly found open source alternatives for other than finance ones which I just use the websites instead now.

[–] syaochan@feddit.it 2 points 5 hours ago

I installed curve pay to replace google wallet as suggested elsewhere, works fine.

[–] anon5621@lemmy.ml 19 points 1 day ago

It works in a container under the hood. You can separate two profiles: one personal, and the other for everything else. When you install apps from Google Play, they are also installed in this container with Google services.

A cool thing is that Google services run in user space, like regular apps, and don’t have the elevated permissions they usually have on standard Android, where they operate almost as root with hundreds of permissions. This means you can delete them anytime, just like any other app.

[–] EnsignWashout@startrek.website 4 points 1 day ago* (last edited 1 day ago) (1 children)

While you can setup a second profile to put the Google services into, I don't recommend it.

The version of Google Services on GrapheneOS thinks it has root, but it does not.

So there's no dramatic need to setup a second profile, unless you want it for other reasons.

I personally think the second profile feature is one of the things people think they want/need from GrapheneOS, but really are happier without.

(Sure it's safer, but GrapheneOS is already so much better than other Android, and I hate to see someone quit GrapheneOS just because they didn't like the optional profiles.)

An exception I have seen is for apps mandated for a job. I'm happy to bury that stuff deep.

[–] upstroke4448@lemmy.dbzer0.com 5 points 1 day ago* (last edited 1 day ago)

The opposite happened for me. Separating out Google services to another profile made me realize how little I need to interact with Google Play Services to use my phone on a daily basis.

[–] Dave@lemmy.nz 12 points 1 day ago

Might be worth having a look at this list of banking app compatibility: https://privsec.dev/posts/android/banking-applications-compatibility-with-grapheneos/

[–] IDew@feddit.nl 8 points 1 day ago

It isn't really an environment. You can install the Google apps without granting them a single permission and it will still work. What the sandbox does is trick it into thinking it has full root access like it's supposed to have. While remaining like any other installed app: you're in control.

You could make a second profile and run it solely in there if you like none of that.

An alternative to the Play Store to install apps from is Aurora Store which is basically Google Play but without needing an account. (Though some have pointed out this is insecure and unsafe, but I find that to be over the top. It really depends what your security thread level is.)

You can use banking apps in the private space included only in the stock launcher (which I ditched because it lacks customisation). Not sure if you can put the Google sandbox in there though. Why not make a second profile on the phone only for banking/google use? It's practically the same as secure folder and you can even apply 2FA if you want to login to the profile.

As someone else mentioned: do check for your bank app's compatibility here.

[–] Luffy879@lemmy.ml 8 points 1 day ago

Does this function similar to a "Private Space" on newer Android or "Secure Folder" on Samsung?

No. Unlike those, you dont have to unlock the app nd use them, the sandbox is just a normal apk but it dosent allow gservices root access and blocks most telemetry, leaving only the necessary APIs

If you want a total user sandbox, you create another user and install gservices there.

Are there problems with OTP in this environment?

There are like 30 ways to send/generate an OTP.