Recently looking into the multiple android alternative offerings like CalyxOS, e/OS/, etc and came across these few issues which point towards privacy/security concerns.

  • microG Push notifications still go through Google’s servers just like with Play Services

  • microG uses proprietary Google Binaries for some of its components such as DroidGuard

  • Choosing a network location like Mozilla to use with microG provides little to no privacy benefit over Google because you are still submitting the same data and trusting them to not profile you.

Are they true and how can I circumvent them?

  • hendrik@palaver.p3x.de
    link
    fedilink
    English
    arrow-up
    3
    ·
    3 months ago

    I can’t comment on 1 and 2. But concerning 3: The benefit is your data doesn’t end up on Google’s servers but on Mozilla’s. They have a different privacy policy and might or might not store that information. I haven’t checked. Use “Local GSM Location” and the “Local NLP Backend” to download cell tower locations to do it entirely on device and not send data anywhere.

  • ParticleAccelerator@lemmy.worldOP
    link
    fedilink
    English
    arrow-up
    3
    ·
    edit-2
    3 months ago

    For those interested in the answer, I quote an answer.

    Push notifications still go through Google’s servers just like with Play Services

    Yes; that’s unavoidable if you want to use applications that make use of them, as they send the notifications to Google server-side, you can’t just tell them to do it differently. If you want push notifications that don’t go through Google, you can use UnifiedPush, but then the apps must explicitly support it (it’s the case for a few apps on F-Droid).

    uses proprietary Google Binaries for some of its components such as DroidGuard

    Only for DroidGuard, which isn’t downloaded at all if you don’t enable SafetyNet. Your apps will also still include Google binaries of course.

    Choosing a network location like Mozilla to use with microG provides little to no privacy benefit over Google because you are still submitting the same data and trusting them to not profile you.

    That’s fairly subjective. You could trust Mozilla more than Google (but in any case Mozilla doesn’t provide its network location service any longer, you will have to use something like BeaconDB instead, and of course the same how’s for them), and you could still prefer for your location-related data to go to whoever they go without all the identifiers attached that Google gets, since microG doesn’t really tell them who you are aside from the unavoidable IP address.

    Finally, at least back in UnifiedNLP times, you could use location providers that weren’t actually “network” but let you download offline databases of cells instead. Unofrtunately, that sort of option is much more limited in current versions of microG.