I'm so spooked.

I began a journey towards privacy and freedom a while ago. I was already well acquainted with the subject: I have used only Linux for more than 10 years, I'm a developer, and so on. But recently I got very serious.

I started experimenting with microG, took note of many tests I ran on apps, and no matter what I did, every time I downloaded, installed and opened the Amazon Shopping app apk, right after the first screen "Amazon is Worldwide", the app would default to my very specific country and language.

They'd ask me to confirm my country, the flag, the language (it's not English, I never use my devices in my first language, but they can tell that too), the country's website domain extension; everything was guessed exactly right. So I thought: well, they clearly have some privileged access to the device that bypasses the VPN, maybe they can see details about my Wi-Fi network, etc.

So I bought a Google Pixel and decided to start using Graphene. I installed Graphene and never placed a SIM card in the phone, I just connected to Wi-Fi. I installed Mullvad VPN from F-Droid and transferred it to a new profile. I switched to that profile and entered my Mullvad credentials to connect to a VPN server on a different continent, and then I downloaded the APK from APKMirror; I never installed Google Play on the new profile, or anything else for that matter.

Then I installed Amazon Shopping using the APK and what do you know, Amazon Shopping was configured in the exact same way as every time in every other device; my country, my language, even hints of what they already knew.

I hadn't even used Amazon Shopping on a Google Pixel before; this device had nothing about me, it was brand new. Moreover, it was sandboxed, using a VPN, in a GrapheneOS profile with nothing installed on it other than Mullvad and Amazon Shopping; no Google Play, nothing. How could fingerprinting even apply here? Every other app and website played by "the rules" and assumed I was in whatever country my VPN was connected to, or at least that's what it seemed. But Amazon knows my real location, and this just makes me paranoid.

If Amazon can do it, so can every other app. If they can guess my country, why not my street? Or my name? Tracking users in such sophisticated ways is not even about shopping; going to those lengths is about something else.

Is Graphene telling too much to certain apps? Maybe something about my Wi-Fi? Something about where the device was sold? Isn't Graphene supposed to protect me from giving away that kind of information? Isn't Mullvad supposed to not keep any logs? I also used IVPN.

I need to know exactly what Amazon is doing with Amazon Shopping.

And then fix whatever leak they are exploiting, or I won't truly be at peace. I don't want to just use Amazon Shopping in Vanadium, which would seem to fix the problem; I don't think this should happen. What if it's a banking app that I can't use in a more contained browser? If Amazon is being incredibly unethical, imagine a bank.

Any thoughts on this? Do I look like too much of a rookie?

Thanks.

    DownWithBaradDur Amazon Shopping was configured in the exact same way as every time in every other device; […] hints of what they already knew.

    Which type of hints? Are you referring to personally identifiable information? If so, which categories?

      Dumdum I don't recall having used specifically my own timezone, only an equivalent. Let me change that and come back to you.

      DownWithBaradDur they kind of assume I already have an account, but it may be the default.

      Could you please elaborate on the specifics of what you are seeing? What does the app present to you, exactly? Beyond the correct answer provided by Dumdum, that it's likely accessing your network country code, it's hard to answer the rest of your query without having some more tangible information.

        That application requests a lot of permissions, the consequences of which you need to make yourself aware of before making assumptions about GrapheneOS "leaking" information to it.

        The obvious ones for guessing your location are foreground and background location, but there are additional permissions that can let it guess your location, such as telephony permissions, which can allow it to read things like your phone number and service provider, and to identify the cell tower you are connected to.

          fid02 It really isn't much. If you give me a while I can show anonymized screenshots.

          The first screen is a loading world map with the words "Amazon is Worldwide"

          After a second/instant, that becomes the same sentence but translated into your real location's language. Then the whole app is in your language, you can see the amazon.countryextension, and so on. You can choose not to log in and just browse, and the shipping address by default is your real country's capital city.

          Changing the timezone didn't work, and about the app accessing the Network Country Code: it is my understanding that this is something mobile networks provide; I have no SIM card installed, I'm using Wi-Fi.

          I tried making several profiles, every time disabling more and more stuff. Even when I download the APK from APKMirror and the VPN is set to, say, Germany, the APK file shows the timezone in Germany before download, GMT+0200.
          But then after installing, it turns into your home country's app.

          I'm not in the anglosphere. I can never get the app to be that of the country I'm connected to, it always defaults to my real location.

            secrec I said I have no SIM card installed.

            I never have; I'm using Wi-Fi. There are no cell towers involved. Even if there were, I would be very concerned about this and I don't find it normal, but that would be a different post maybe. Again, no SIM card installed, not since the device came out of the box.

            Before opening Amazon Shopping I remove all permissions I can from it.

            I would invite others to test this situation on their Graphene phones, and maybe replies will be more on point so we can focus on the specifics.
            You just have to remove as many variables as you can in a new profile, including the SIM card, and focus only on installing the Amazon Shopping app.

            Using Amazon from the browser presents no issues seemingly, and I can browse in my VPN country by default. This is seen in the Amazon Shopping app. I think it's worth checking why a shopping app has so much power to track people; we should be able to know exactly what it does.

            secrec furthermore, a few extra details. My Wi-Fi router is a second router on top of the ISP's modem. I did this so that the ISP wouldn't see which devices are connected to my network other than the second router.
            I'm in the process of configuring it with my own OpenVPN server so that all outgoing traffic is relayed to it by default, but for now it only gives me a bit more privacy from my ISP.

            I'd like to add more context to anyone new finding the post.

            Whether the answer is trivial or not, which I hope it is, I'd like anyone interested to understand that this is actually very critical to me.
            I'm in a country that is transitioning to a dictatorship, and it's taking strong steps to control all communications and dismantle institutions, with explicit intentions of prosecuting dissidents (it's not Brazil or Venezuela, but you get the gist). The military spends fortunes on Pegasus and infiltration software and is constantly monitoring every corner of the national network. District attorneys and prosecutors are making incredible efforts to prosecute the opposition and even ordinary citizens who just voice critical opinions that leave digital traces; it's crazy how much they spend on digital intelligence.

            Something like this really worries me. I'm setting up Tor bridges for a journalist and whatnot, VPN endpoints, etc., but if relaying traffic does nothing against being tracked (McAfee said something about this, about how they gather data before it's even sent or encrypted), a vulnerability like this could cost someone's life. I hope you don't find this an exaggeration.

            So hopefully this will bring enough attention that we can get to the bottom of this issue. Hopefully it's something trivial, as I said, or some kind of oversight, but still, it's not something I was expecting after having taken so many steps. When you use something like Graphene you trust many of these steps to be enough; it is regarded as the best option for privacy on mobile.

            Thanks.

            • de0u replied to this.

              DownWithBaradDur Changing the timezone didn't work

              Did you uninstall the app and reinstall it after having changed the system timezone?

              For the heck of it, have you tried faking your GPS location, and perhaps putting yourself in the middle of the Atlantic? I appreciate you might not have GPS on, but it would at least rule out a possibility.
              Is your VPN split tunneling, with Amazon going direct?
              Are you deleting the cache etc. after every app removal? What is your Google account registered to, if applicable?

                PaulDavis If the OP hasn't granted the Location permission, the app cannot access the GPS.

                Really, this isn't magic.

                Why speculate on apps somehow bypassing the strict Android permission model (which would be a high-severity zero-day vulnerability, and how likely is it that Amazon is in the business of making malware?), when the answer is likely in what Dumdum posted?

                DownWithBaradDur about the app accessing the Network Country Code, it is my understanding that is something mobile networks provide; I have no SIM card installed, I'm using wifi.

                What happens if you access your router's admin page, change the network country code to a country on the other side of the globe, reboot the router, reinstall the app and open it again?

                • de0u replied to this.
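A small diagnostic for the hypotheses raised in this thread (system locale, timezone, and the telephony network/SIM country code, none of which require a runtime permission): this is an added example, not code from the thread, from Amazon or from GrapheneOS, and it assumes you drop it into a throwaway Android app of your own and log the result from an Activity.

```java
import android.content.Context;
import android.content.res.Resources;
import android.os.Build;
import android.telephony.TelephonyManager;
import android.util.Log;

import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.TimeZone;

/** Collects country-related signals an app can read with no runtime permission granted. */
public final class CountrySignals {
    private static final String TAG = "CountrySignals"; // hypothetical log tag

    public static Map<String, String> collect(Context ctx) {
        Map<String, String> out = new LinkedHashMap<>();

        // Per-app default locale: language and region the app will localise to.
        Locale appLocale = Locale.getDefault();
        out.put("appLocale", appLocale.toLanguageTag());
        out.put("appRegion", appLocale.getCountry());

        // Full system locale list (a profile can have several languages configured).
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) {
            out.put("systemLocales",
                    Resources.getSystem().getConfiguration().getLocales().toLanguageTags());
        }

        // Device timezone: a strong region hint on its own.
        out.put("timeZone", TimeZone.getDefault().getID());

        // Network/SIM country ISO codes: readable without READ_PHONE_STATE.
        // With no SIM these are normally empty, which is exactly what is worth verifying.
        TelephonyManager tm = (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
        if (tm != null) {
            out.put("networkCountryIso", tm.getNetworkCountryIso());
            out.put("simCountryIso", tm.getSimCountryIso());
        }
        return out;
    }

    /** Convenience: log every signal so the values can be compared across profiles and VPN exits. */
    public static void dump(Context ctx) {
        for (Map.Entry<String, String> e : collect(ctx).entrySet()) {
            Log.i(TAG, e.getKey() + " = " + e.getValue());
        }
    }
}
```

If every value here is empty or matches the VPN exit country while the Amazon app still picks your real country, the hint is coming from elsewhere (for example the network side, as fid02 suggests with the router's country code), which narrows the search considerably.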

                  fid02 What happens if you access your router's admin page, change the network country code to a country on the other side of the globe, reboot the router, reinstall the app and open it again?

                  Good idea.

                  It may be that the list of non-hardware identifiers in the FAQ would benefit from an update about Wi-Fi country codes, if that pans out.