Question about location on secondary profile creation

BillHurdle

When you create a new user profile using the "Multiple Users" menu under Settings, and then switch to it, GrapheneOS behaves as though there's a new phone inside your phone. This is the right thing to do, except that this also means that location is suddenly and automatically enabled, just as it is with a new phone.

In theory, if you exported any of your apps into the new profile, then those apps now have access to your location during the period of time between when it's enabled, and when you turn it off. That's enough to save it locally in the new profile, then automatically mail it off to wherever as soon as connectivity is available. They won't have your account credentials, so for example Google Maps wouldn't necessarily know which account to associate with the location, but that's just superficial privacy that's undoable by reversing IP or VPN or whatever.

Location should never be enabled unless the user manually enables it in Settings. Same with all the antennas. Please tell the devs if they're not already lurking here. I'm unable to submit issues on the repo. Otherwise I would do so myself.

Arnauld

BillHurdle In theory, if you exported any of your apps into the new profile, then those apps now have access to your location during the period of time between when it's enabled, and when you turn it off.

What? Are you sure?

matchboxbananasynergy

No apps get the location permission by default. It's something that has to be explicitly granted on a per-app basis.

I also couldn't quite reproduce creating a new profile and it getting access to location. There is a toggle to control location within the setupwizard itself.

BillHurdle

matchboxbananasynergy Arnauld In my case, I noticed 2 apps got location permission automatically (Settings and some android.something that's an iconless system app) It might have been "only when running" but, for all I know, android.something runs all the time. (It's not easy to try this again because I need to physically move myself to an uninformative location, but I could do so and take some screenshots if nobody can reproduce what I observed.)

Yes, there's a toggle to disable location services, but it comes up enabled. That shouldn't be happening, and especially not when it's disabled in Main. No GrapheneOS user would want this feature, which saves the entire one second that's required to manually enable location.

For all I know, the location gets cached during the minute that it's on. Then android.something automatically runs for whatever reason, acquires the previously cached location data, and then mails it somewhere for whatever reason.

Probably this chain is broken somewhere. But better to have no chain at all, which is trivially possible by starting new profiles with location off by default.

In fairness, I should point out that every other Android phone works this way. They enable location services and usually all the antennas on first boot. Presumably the same is true if one creates a new profile on phones which support it. But it goes without saying that mainstream phones are optimized for convenience at the expense of security, which is exactly the opposite of the priority here. I'm sure this was just an oversight on the part of the devs when they imported the original Android behavior.