Dumdum I don't recall having used specifically my own timezone, only an equivalent. Let me change that and come back to you.
Amazon Shopping app clearly still knows too much.
DownWithBaradDur they kind of assume I already have an account, but it may be default.
Could you please elaborate on the specifics of what you are seeing? What does the app present to you, exactly? Beyond the correct answer provided by Dumdum, that it's likely accessing your network country code, it's hard to answer the rest of your query without having some more tangible information.
That application requests a lot of permissions, the consequences of which you need to make yourself aware of before making assumptions about GrapheneOS "leaking" information to it.
The obvious ones for guessing your location are foreground and background location, but there are additional permissions that can lead to it being able to guess your location, such as telephony permissions which can allow it to read things like your phone number, service provider, and identifying the cell tower you are connected to.
fid02 It really isn't much. If you give me a while I can show anonymized screenshots.
The first screen is a loading world map with the words "Amazon is Worldwide"
After a second/instant, that becomes the same sentence but translated to your real location's language. Then the whole app is in your language, you can see the amazon.countryextension, and so on. You can choose to not log in and just browse, and the shipping address by default is your real country's capital city.
Changing the timezone didn't work, and about the app accessing the Network Country Code, it is my understanding that is something mobile networks provide; I have no SIM card installed, I'm using wifi.
I tried making several profiles, every time disabling more and more stuff, even when I download the apk from APKMirror and the VPN is set to, say, Germany, the APK file shows the timezone in Germany before download, GMT+0200.
But then after installing, it turns into your home country's app.
I'm not in the anglosphere. I can never get the app to be that of the country I'm connected to, it always defaults to my real location.
secrec I said I have no SIM card installed.
I never have, I'm using wifi. There are no cell towers involved. Even if there were I would be very concerned about this and I don't find it normal, but that would be a different post maybe. Again, no SIM card installed, not since the device came out of the box.
Before opening Amazon Shopping I remove all permissions I can from it.
I would invite others to test this situation in their Graphene phones and maybe replies will be more on point so we can focus on the specifics.
You just have to remove as many variables as you can in a new profile including the sim card and focus only on installing Amazon Shopping app.
Using Amazon from the browser presents no issues seemingly and I can browse in my VPN country by default. This is seen in the Amazon Shopping app. I think it's worth checking why a shopping app has so much power to track people, we should be able to know exactly what it does.
secrec furthermore, a few extra details. My wifi router is a second router on top of the ISP's modem. This I did so that the ISP wouldn't see what devices are connected to my network other than the second router.
I'm in the process of configuring it with my own OpenVPN server so that all outgoing traffic is relayed to it by default but for now it only gives the function of giving me a bit more privacy from my ISP.
I'd like to add more context to anyone new finding the post.
Whether the answer is trivial or not, which I hope it is, I'd like anyone interested to understand this is actually very critical to me.
I'm in a country that is transitioning to a dictatorship and it's taking strong steps to have control of all communications and dismantling institutions, with explicit intentions of prosecuting dissidents (it's not Brazil or Venezuela but you get the gist). The military spends fortunes on Pegasus and infiltration software and it is constantly monitoring every corner of the national network. District Attorneys and prosecutors are placing incredible efforts to prosecute opposition and even normal citizens who just cast critical opinions with digital traces, it's crazy how much they spend on digital intelligence.
Something like this really worries me. I'm setting up Tor bridges for a journalist and whatnot, VPN endpoints, etc., but if relaying traffic does nothing against being tracked (McAfee said something about this about how they gather data before it's even sent or encrypted) a vulnerability like this could cost someone's life, I hope you don't find this as an exaggeration.
So hopefully this will bring enough attention so that we can get to the bottom of this issue, hopefully it's something trivial as I said or some kind of overlook, but still, it's not something I was expecting after having taken so many steps, and when you use something like graphene you trust many of these steps to be enough, it is regarded as the best option for mobiles to have privacy.
Thanks.
DownWithBaradDur Changing the timezone didn't work
Did you uninstall the app and reinstall it after having changed the system timezone?
For the heck of it, have you tried faking your GPS location, and perhaps put yourself in the middle of the Atlantic? I appreciate you might not have GPS on, but would at least rule out a possibility.
Is your VPN split tunneling, with Amazon going direct?
Are you deleting the cache etc after every app removal? What is your google account registered to, if applicable?
PaulDavis If the OP hasn't granted the Location permission, the app cannot access the GPS.
Really, this isn't magic.
Why speculate on apps somehow bypassing the strict Android permission model (which would be a high-severity zero-day vulnerability, and how likely is it that Amazon is in the business of making malware?), when the answer is likely in what Dumdum posted?
DownWithBaradDur about the app accessing the Network Country Code, it is my understanding that is something mobile networks provide; I have no SIM card installed, I'm using wifi.
What happens if you access your router's admin page, change the network country code to a country on the other side of the globe, reboot the router, reinstall the app and open it again?
On a general note, I would like to bring attention to this excellent post, which discusses the risk posed by an app being able to determine a user's location on a country level (which is what is being raised as a concern in this topic): https://discuss.grapheneos.org/d/13321-sim-country-location-leaked-to-3rd-party-apps-despite-disabling-location-access/4
If OP is not using a SIM card, meaning that this isn't where the app is getting the information from, they should try using airplane mode with their current setup, and check again.
fid02 What happens if you access your router's admin page, change the network country code to a country on the other side of the globe, reboot the router, reinstall the app and open it again?
Good idea.
It may be that the list of non-hardware identifiers in the FAQ would benefit from an update about Wi-Fi country codes, if that pans out.
I agree. Experiments were recently run by @DeletedUser115 .
... Have you tried just using Amazon on Vanadium?
Also, if you are using Amazon, I would hope you are also doing something to keep it from knowing where you live just by virtue of having stuff delivered to you. You are clearly serious, I just wanted to point that out just in case.
You paid with a credit card probably for the phone.
The credit card sold your name to the store. The store sold that information which included the serial number to a data broker. The data broker also bought phone identifier information from Google. These were sold to Amazon. You are using an app, it accessed the identifiers, and so it knew it was you.
Places like Target also use AI to track shoppers and so if you purchased there with cash your name could be linked to serial # of phone.
There are also cross-profile identifiers like Widevine identifiers and so if another profile has an app that got real information and knew it was you then they can identify you in the new profile.
angela It's not nearly as complicated. If they're not using airplane mode, the app can receive a country code even without a SIM. The answer is usually much more simple than people realize.
matchboxbananasynergy Why would there be a country code without a SIM placed in it? Is there a country code based on the region the phone is sold in?