  • SIM country location leaked to 3rd-party apps despite disabling location access?

Hello, I am a new GrapheneOS user. I recently got a Pixel and installed GrapheneOS (build 2024060500). After setting up the main profile, I inserted my SIM card and noticed some strange behaviors:

  1. When setting up a new user profile, the setup wizard suggested my local language instead of English (United States).
  2. After installing a VPN application on this second profile and trying to create a throwaway account for Sandboxed Google Play, Google asked me to input my phone number and showed the flag of my country instead of the VPN country. The VPN website reported no leaks, and I have not enabled location service for the profile, so I switched to Aurora Store, at least for now.
  3. When clicking sign up on a third-party app, it asked for my phone number and showed the flag for my country. It should have shown the flag for the VPN country instead.

Are these bugs, or are they intended features? Do the apps know my country location if I haven't inputted my phone number yet?

  • de0u replied to this.

    LukewarmSixtieth Do the apps know my country location if I haven't inputted my phone number yet?

    Yes.

    This is not only expected, but also documented.

    The GrapheneOS web site contains lots of information which is useful to users, including security and privacy information.

      de0u Thanks for the info. But wouldn't exposing the network country code by default without the ability to spoof or disable it ruin privacy? It makes no sense if I have to remove my SIM card every time I switch to the secondary profile for more privacy.

        LukewarmSixtieth But wouldn't exposing the network country code by default without the ability to spoof or disable it ruin privacy?

        Sometimes people measure privacy leakage in terms of how many bits of information are leaked. If there are 6 billion people and something leaks around 34 bits of information about you, that is enough to uniquely identify you.

        There are around 7 bits of countries, and most countries have at least 30,000 people in them, so leaking one's country is very very far from uniquely identifying one.

        Meanwhile, using a Google Pixel of any model is actually pretty rare! Using a specific model is even rarer. If an app knowing which country you're in "ruins" privacy, then knowing you are using a Pixel 8 Pro presumably also "ruins" privacy -- that's the top-of-the-line phone, and there really aren't that many of them.

        LukewarmSixtieth It makes no sense if I have to remove my SIM card every time I switch to the secondary profile for more privacy

        Speaking purely in terms of differential privacy, since there is no way to turn a P8P into a P6a when switching profiles, there is a case that the model number is the privacy downfall, not the cellular network country code. Meanwhile, merely running GrapheneOS means you are one person among maybe 200,000. Running GrapheneOS on a P8P might make you one of only 20,000 people.

        Meanwhile, apps knowing the country code provides many users with non-trivial convenience during the initial launch process; instead of offering a list of maybe 40 languages, which would be clumsy and incomplete, the app can offer maybe five with much better coverage. For many people, leaking a country code is a tiny bit of privacy loss and a substantial convenience -- at least, that's what the Android designers decided.

        There is a case for GrapheneOS supporting spoofing cellular network country code. But that is one feature among many that could be implemented, and it's not clear that particular thing is more important than location spoofing. And the GrapheneOS project's high-level guidance is that security and privacy are greatly increased by not using cellular infrastructure at all.

        Overall, it's not clear to me that, figured in among everything else, disclosing to apps the cellular network country code of somebody who has already chosen to use a cellular network, and is thus leaking an IMEI and a position track to at least one cellular carrier, is a big deal.
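
The bits-of-information accounting discussed in the reply above, as an added worked example that is not part of any post in this thread. It uses the thread's user-count estimates; the 1% country share and the assumption that country is independent of device choice are constructed for illustration.

```python
import math

WORLD = 6_000_000_000  # population figure used in the reply above

def narrow(population, attributes):
    """Apply (name, share) attributes in order, where share is the fraction of
    the current candidate set expected to have the attribute.
    Returns rows of (name, bits_leaked, expected_remaining_set)."""
    rows, remaining = [], float(population)
    for name, share in attributes:
        if not 0.0 < share <= 1.0:
            raise ValueError(f"share for {name!r} must be in (0, 1]")
        remaining *= share
        rows.append((name, -math.log2(share), remaining))
    return rows

def bits_to_unique(set_size):
    """Bits still needed to single out one member of a set of this size."""
    return math.log2(max(set_size, 1.0))

# User counts are the estimates given in the thread. The country share is
# constructed (a country holding 1% of the world), and treating it as
# independent of device choice is an assumption.
PROFILE = [
    ("runs GrapheneOS", 200_000 / WORLD),
    ("on a Pixel 8 Pro", 20_000 / 200_000),
    ("SIM country code", 0.01),
]

if __name__ == "__main__":
    print(f"bits to single out 1 of {WORLD:,}: {bits_to_unique(WORLD):.2f}")
    for name, leaked, remaining in narrow(WORLD, PROFILE):
        print(f"{name:18} +{leaked:5.2f} bits, ~{remaining:,.0f} candidates, "
              f"{bits_to_unique(remaining):.2f} bits short of unique")
```

The bits leaked by each attribute and the bits still missing always sum to the total needed for the whole population, so the table shows how much of the budget each signal consumes.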