What Can Apps Really See?

freelancer

So I made a post asking if apps on GrapheneOS can see other apps, and the answer is yes.

But my question is, what can apps see on your device besides limited / scopes permissions. People ask say "mutual consent" and what not but I can't find a clear answer in our GrapheneOS docs or AOSP docs, which just states that apps can't see any information anymore after X update. I'm just really confused since I obviously need to download apps I don't trust for work or other reasons and what to know what I'm giving, and separate profiles are too limited with how notifications can be.

I think having a master sheet of what apps can see and do would be greatly appreciated, I know I'm not the only one always questioning this.

Thank you anyone for their time. :)

de0u

freelancer But my question is, what can apps see on your device besides limited / scopes permissions. People ask say "mutual consent" and what not but I can't find a clear answer in our GrapheneOS docs or AOSP docs, which just states that apps can't see any information anymore after X update.

Which statement is being referred to?

Panther5362

I think OP means to "Mutual Consent".
For example my "M&S" Banking App just gave me this message:

"we've introduced additional checks to protect your account. The following apps have been downloaded from unofficial app stores. Your access to the M&S Banking app has been suspended on this device until you've taken access to restore it. Identified apps: Bitwarden"

It then tells me I need to remove it.

Surely it shouldn't be able to see any other apps or where I downloaded it from!

de0u

Panther5362 I think OP means to "Mutual Consent".

The original poster indicated that either the GrapheneOS documentation or the AOSP documentation (unclear which) says "apps can't see any information anymore". Clearly that isn't accurate, so I asked for a specific statement.

Panther5362 For example my "M&S" Banking App just gave me this message:

"we've introduced additional checks to protect your account. The following apps have been downloaded from unofficial app stores. Your access to the M&S Banking app has been suspended on this device until you've taken access to restore it. Identified apps: Bitwarden"

It then tells me I need to remove it.

Surely it shouldn't be able to see any other apps or where I downloaded it from!

There are various legitimate reasons why it would be useful for one app to be able to tell whether some other app is installed, or even potentially to list all installed apps. For example, lots of apps published in Google's Play Store verify that Google Play is installed when they launch. Some of them do this because they actually won't work without Google Play being installed, and would prefer to provide the user with a useful failure message instead of just a cryptic crash dump.

In this case the bank app is trying to protect the bank's users (and also the bank itself) against behaviors that malware might plausibly use. Somebody might actually create a fake version of Bitwarden which would send passwords to a third party. The author of the bank app might believe that the version of Bitwarden available in the Play Store is probably not malware, and might be concerned that programs called Bitwarden downloaded from other places might not be legitimate.

A user with the Aurora app probably has a legitimate version of it... and thus a user with Bitwarden from Aurora probably has a legitimate version of Bitwarden... but how many users check? The author of an app published on the Play Store might believe it's a lot safer to require a version of Bitwarden that also comes from the Play Store, and the AOSP authors apparently thought it would be good to make such checks possible.

wuseman

de0u but how many users check?

How many users download Bitwarden from outside the Play Store? Probably close to none, statistically speaking.

The moment my bank starts complaining over whether or not I've installed an app from the Play Store is the day I'm switching to another bank.

Panther5362

Personally I think this is really bad. I had no idea about his. Whilst I don't doubt the makers of the banking app have good intention the fact that they can get this data is bad, what happens if their intentions change or they share the data accidentally or on purpose?
If I lived in a country where VPNs are banned my backing app would be snitching on me.
If I lived in a country where E2EE was banned, and we all nearly do, my banking app would be snitching on me.
If I lived in a country where Crypto is banned, and we all nearly do, my banking app would be snitching on me.
I could be de-banked for having a certain app!
Makers of apps could potentially sell my app list, X users vs Threads users is probably useful voting data.
Google could see I am de-googled through installing one google app... (I'm asking for that I guess)
Meta could see that the details I have given them are BS, because I also have simplelogin, a vpn and a burner app.

I guess I need to start using a whole bunch of different profiles! Oh joy!

HMC

Panther5362

Why is it always banking apps?

My bank's app was the first to go when it started exhibiting suspicious behaviour. That was years ago. Now a web browser with its relatively restricted access is trusted a lot more than a banking app.

I have a very short list of installed apps. Not much I do needs more than a web browser.

Ammako

It's not possible to prevent apps from being allowed to query a list of installed packages without breaking certain functionality, so that's not likely to ever be implemented (either upstream, or by GOS.)

You could always try installing the bank app in private space instead, or in a different profile. I don't know if an app in private space can query and see installed packages from the main owner profile but it's worth a try.

Either way there are tools at your disposal if you want to keep certain apps separate, if you're paranoid about an app ever being updated to do something malicious with the information then you could have a separate user profile for every app, but there is a limit to how many user profiles you can have.

Also: https://developer.android.com/training/package-visibility

Oggyo

What about fingerprinting based on the list of apps?
I think the list combinations are pretty unique among users even purely based on the app names.

Panther5362

Yeah, I think I'm going to have to look at grouping certain apps together in different profiles, those which I'm happy for organisations to know I use and those I want to keep private, and combine that with more VPN & DNS research.

Oggyo, I think app list fingerprinting must be on the cards if it's not already. Hmmm.

Thanks guys.

Oggyo

wuseman How many users download Bitwarden from outside the Play Store?

Android-based on GrapheneOS-based? Because close to 100% of those who use Obtanium download the BW app from GitHub, incl. me.

wuseman

Oggyo
I was thinking about Android users as a whole.