GrapheneOS You guys have completely changed my life. As well as many members of my family and friend's lives, in a seriously massive way, by leading the charge and changing the game in the privacy and security world. All of this is given to us for free, which a surprising lot of people seem to forget and act as if they're entitled to something specific that they want without having even donated or contributed in any way.

I used to get annoyed about how WhatsApp won't let you even make/answer calls without the Phone permission. But now I just don't answer WhatsApp calls at all. If I get a missed call, I send them a pre-written message giving a brief explanation as to why I only enable WhatsApp to check messages once a day, then disable it again (something that is made possible/far easier thanks to GOS). I then give them multiple options to contact me on, that are far better for privacy, like Molly/Signal. If they can't be bothered then too bad.

I know the example I gave above, isn't possible for everybody. I know there are people who have to use WhatsApp for their jobs and things like that.

It just frustrates me how GOS has people upset with them because they haven't implemented every single perfect privacy preserving feature in the world yet so people can (in their minds) use seriously invasive apps but not have their privacy invaded at all.

We need to just do our best to not use apps that insult our intelligence by forcing permissions on us in a transparent attempt to get more data from us...

The clipboard control sounds very exciting, as do the other upcoming features!

Thanks as always to the GOS team!

    GrapheneOS One of our top priorities for privacy is providing control over which apps can read clipboard contents set by other apps when they focused, etc.

    Sooooo Good to hear that.
    The USB port security and clipboard privacy are main reasons I switch to an alternative OS. Looks like GrapheneOS happen to fulfill both of them.

      • [deleted]

      • Post #18
      • Edited

      The previous thread was deleted so I'm re-posting my question here

      Are there any other permissions say call logs or SMS, that could lead to the disclosure of sim phone number?

      Based on the @GrapheneOS 's previous post, it seems SMS permission will also lead to the disclosure of sim phone number as well

      Being able to make a carrier-based call implies being able to obtain the phone number, in the same way as sending a text message implies it. It's straightforward that it would simply give access to it directly too. Even if it didn't, it could be obtained by making a call.

        [deleted] The SMS and call log permission groups are regarded by Google as highly sensitive permissions.

        See:

        So yes, the call log and SMS permissions absolutely do allow the app access to your phone number.

        After all, the permissions give the app access to your call logs or your SMS messages, and both those logs contain your phone number within.

            I installed a banking app. When I launched it, initially it asked for the Phone permission, and if not given, it would refuse to work. Apparently, one of the permissions under it was CALL_PHONE, which has such a note (read the AOSP permissions manifest):

            An app holding this permission can also call carrier MMI codes to change settings such as call forwarding or call waiting preferences.

            This is just an expansion on what has been said before. My personal choice was to choose another bank that does not force me to accept this privacy unfriendly permission, even though calls by the app could be made without holding it.

            • [deleted]

            • Post #21

            treequell and both those logs contain your phone number within

            The call log not only provides access to the incoming and outgoing numbers of the other party but also to the SIM card of the phone itself, I see.

            From your link

            Apps must be actively registered as the default SMS, Phone, or Assistant handler before prompting users to accept any of SMS or Call Log permissions.

            It's strange that the Phone permission prompt doesn't have such requirement, i.e must be actively registered as default SMS, Phone, or Assistant handler. This will eliminate those blocking phone permission prompt like in mysudo or whatsapp

              • [deleted]

              • Post #22
              • Edited

              DeletedUser115 Is there a known workaround to avoid granting WhatsApp the Phone permission while still being able to make or receive voice calls?

              My current workaround is to have an iPhone for any apps that requires phone/sms/call log permission. On iOS, no app is allowed to ever access sim card phone number/sms/call log regardless of what permission you give, absent of a jailbreak. https://developer.apple.com/forums/thread/16685

                @[deleted] Your link is about third party iOS app's access to incoming sms, not about access to the phone number. So is there a real source that "On iOS, no app is allowed to ever access sim card phone number"?

                @876fi I also had an android banking app (wallet) that asked for the phone permission. check https://discuss.grapheneos.org/d/14652-does-nfc-payment-apps-need-phone-permission I still got no explanation, why they keep asking for this permission.

                @GrapheneOS Thanks for your statement.

                  DeletedUser59
                  Banking applications want this authorisation to protect against fraud.
                  When checking the IMEI of your phone, this authorisation allows you to be sure that it is really you and not a thief who has stolen your phone to get your money…

                  BTW: My bank app requires access to location and phone (device location, WLAN name and IMEI)
                  This app also works without these authorisations, but then without the extended account protection that my bank offers me when authorisations are granted.

                  The background to such requests for authorisations from banks is that everything now works with just one app and no really good additional protection such as a second device is required.
                  If such an app is successfully attacked, your money can be gone.
                  The bank saves itself the expense of separate devices and pays in the event of a loss if you have given the app authorisation and something happens anyway.

                  But: read your bank's terms and conditions and data protection regulations, because your bank may not protect you any better if you give their app all the authorisations.

                      Eagle_Owl Banking applications want this authorisation to protect against fraud.
                      When checking the IMEI of your phone, this authorisation allows you to be sure that it is really you and not a thief who has stolen your phone to get your money…

                      As per the post by DeletedUser59, starting with Android 10, apps are not allowed to access IMEIs. So if a bank is telling you that their app is protecting your account by reading IMEIs, they are blatantly lying to you.

                      Eagle_Owl When checking the IMEI of your phone, this authorisation allows you to be sure that it is really you and not a thief who has stolen your phone to get your money…

                      This does not make sense and if your bank is telling you this then they are again lying to you. An IMEI does not follow a person. If someone steals your phone, the IMEI does not change. There is no way that your bank is detecting that someone grabbed your phone and stole your device credentials based on an IMEI which their banking app cannot even access.

                              If they use the phone permission to check the phone number of your SIM it gives them some extra confidence. It is either you or someone has managed to take control of your phone number by stealing your SIM card or tricking your carrier to issue a new SIM with the same number.

                                Carlos-Anso You may be right, but I'm not sure if I can follow your reasoning.

                                The bank initially doesen't have my mobile phone number. I install their wallet app. (Activation must be confirmed by 2FA.) The app asks for phone permission and let's say they get it. Then they know the mobile phone number of that device. And possibly can make calls and read the phone history. What for? Why would this lead to "some extra confidence"?

                                The app keeps using the phone permission by the way. You cannot revoke it after installation.

                                Is your reasoning, that they link my app installation to the phone number and thus achieve more security? Sorry, I don't understand, how this would be achieved.

                                It's only the banks wallet app that asks for the phone permission. Their normal banking app doesn't.

                                    DeletedUser59 The app keeps using the phone permission by the way. You cannot revoke it after installation.

                                    Why shouldn't you be able to revoke phone permission for an app?

                                        DeletedUser59 Is your reasoning, that they link my app installation to the phone number and thus achieve more security? Sorry, I don't understand, how this would be achieved.

                                        It is their guarantee for using their banking app as a secure solution although you can do everything with their app and no second app or extra device is used for security.
                                        They use the ‘phone’ permission not to obtain the phone number, but the IMEI, and argue that this allows them to recognise whether I am making transfers from this device or using a completely different device (which would then be a reason to suspect fraud).

                                        But If the stock Android OS don't give this information to other apps since Android version 10, then they are lying or assuming that many customers are still using such old devices/software.
                                        The second authorisation they demand for ‘extended account protection’ is localisation.
                                        This is really practical for a plausibility check. I have granted this authorisation.

                                          fid02 Eagle_Owl When checking the IMEI of your phone, this authorisation allows you to be sure that it is really you and not a thief who has stolen your phone to get your money…

                                          This does not make sense and if your bank is telling you this then they are again lying to you. An IMEI does not follow a person. If someone steals your phone, the IMEI does not change. There is no way that your bank is detecting that someone grabbed your phone and stole your device credentials based on an IMEI which their banking app cannot even access.

                                          Yes, you are right, this IMEI check alone (if possible!) isn't a protection, only together with a location check or a location check alone would help in that case.

                                            sav Why shouldn't you be able to revoke phone permission for an app?

                                            Because the app I am talking about then won't work anymore, so that I could also delete it right away. There are other apps, that ask for phone permission, where you can grant it, revoke it or not grant it and still use the app. Not in the case of my banks wallet app.

                                              2 months later

                                              In the new private profile (Android 15) there seems to be no phone or sms app, unlike in user profiles.

                                              What are the consequences for apps that require phone permission and that are installed in such a private profile?

                                              Will those apps still be able to read the sim cards phone number if phone permission is granted?