I'd like to add more context to anyone new finding the post.

Whether the answer is trivial or not, which I hope it is, I'd like anyone interested to understand this is actually very critical to me.
I'm in a country that is transitioning to a dictatorship and it's taking strong steps to have control of all communications and dismantling institutions, with explicit intentions of prosecuting dissidents (it's not Brazil or Venezuela but you get the gist). The military spends fortunes on pegasus and infiltration software and it is constantly monitoring every corner of the national network. District Attorneys and prosecutors are placing incredible efforts to prosecute opposition and even normal citizens who just cast critical opinions with digital traces, it's crazy how much they spend on digital intelligence.

Something like this really worries me. I'm setting up Tor bridges for a journalist and what not, VPN endpoints, etc, but if relaying traffic does nothing against being tracked (McAffe said something about this about how they gather data before it's even sent or encrypted) a vulnerability like this could cost someone's life, I hope you don't find this as an exaggeration.

So hopefully this will bring enough attention so that we can get to the bottom of this issue, hopefully it's something trivial as I said or some kind of overlook, but still, it's not something I was expecting after having taken so many steps, and when you use something like graphene you trust many of these steps to be enough, it is regarded as the best option for mobiles to have privacy.

Thanks.

  • de0u replied to this.

    DownWithBaradDur Changing the timezone didn't work

    Did you uninstall the app and reinstall it after having changed the system timezone?

      For the heck of it, have you tried faking your GPS location, and perhaps put yourself in the middle of the Atlantic? I appreciate you might not have GPS on, but would at least rule out a possibility.
      Is your VPN split tunneling, with Amazon going direct?
      Are you deleting the cache etc after every app removal? What is your google account registered to, if applicable?

        PaulDavis If the OP hasn't granted the Location permission, the app cannot access the GPS.

        Really, this isn't magic.

        Why speculate on apps somehow bypassing the strict Android permission model (which would be a high-severity zero-day vulnerability, and how likely is it that Amazon is in the business of making malware?), when the answer is likely in what Dumdum posted?

        DownWithBaradDur about the app accessing the Network Country Code, it is my understanding that is something mobile networks provide; I have no SIM card installed, I'm using wifi.

        What happens if you access your router's admin page, change the network country code to a country on the other side of the globe, reboot the router, reinstall the app and open it again?

        • de0u replied to this.

              fid02 What happens if you access your router's admin page, change the network country code to a country on the other side of the globe, reboot the router, reinstall the app and open it again?

              Good idea.

              It may be that the list of non-hardware identifiers in the FAQ would benefit from an update about Wi-Fi country codes, if that pans out.

                ... Have you tried just using amazon on vanadium?

                Also, if you are using amazon, I would hope you are also doing something to keep it from knowing where you live just by virtue of having stuff delivered to you. You are clearly serious, I just wanted to point that out just in case.

                  DownWithBaradDur

                  You paid with a credit card probably for the phone.

                  The credit card sold your name to the store. The store sold that information which included the serial number to a data broker. The data broker also bought phone identifier information from Google. These were sold to Amazon. You are using an App, it accessed the identifiers, and so it knew it was you.

                  Places like Target also use AI to track shoppers and so if you purchased there with cash your name could be linked to serial # of phone.

                  There are also cross prifile identifiers like WideVine identifiers and so if other profile has app that got real information and knew it was you then they can identify you in new profile.

                      • [deleted]

                      • Post #25
                      • Edited

                      angela when not in airplane mode your radio is till active and device still connects to nearest cell towers.

                        GlytchMeister Hi @fid02, @Dumdum, @PaulDavis @angela @[deleted] @secrec @Dumdumdingdong @Xtreix @matchboxbananasynergy @Michiel

                        Thank you all for being so attentive.

                        I'll try to give reply to a few points that have been made.

                        @GlytchMeister I don't actually want to use Amazon Shopping on high security setups, this behavior is something I observed on 2 other devices without graphene on it, what I wanted to do was to test it on graphene by downloading the app to make sure this wouldn't persist, but it did. Other apps are important for this setup that could potentially do the same thing, so I want to rule out that vulnerability.
                        As I mentioned earlier, I did try amazon on vanadium which of course works on containing access for amazon to more data, and this would seem to fix the issue. All apps that can be used on Vanadium I use in Vanadium for this reason, however this doesn't address the problem, the fact that any app can correctly guess or know your location and who knows what else under conditions that shouldn't give it more access than a mere internet connection; it clearly has access to more.

                        @matchboxbananasynergy The only permission I give the Amazon Shopping app is Network; in this case, it's the only one necessary to be able to use the app since it needs internet access. If I remove all permissions, the all doesn't work at all, it either crashes or it shows an error screen that doesn't tell me anything about what the app still knows, which wouldn't be that important under those conditions I think.
                        Graphene has this great feature on showing app logs, what I'm going to do next in a few minutes is show you the crash logs when all permissions are removed, I found them very descriptive of what the app is trying to access and that should probably say something.

                        @fid02 I did uninstall and reinstall on new profiles after having made changes to the devices timezone but the app still correctly guesses my location. I'm replying to this before checking your links which I will do next, however it might still be necessary to address the issue in different ways since I am not using SIM cards.

                        angela I did pay with a credit card, the possibility you present sounds very extreme and too specific, which makes it all the more important to point out if all that tracking is being done just as you purchase a phone, because this could also imply device tampering, which would be all the more horrifying. However I need to rule out much more direct and civilized ways to track me first, Amazon in particular has no business at all guessing my location with so much power.
                        Indeed there shouldn't be a country code without a SIM in it. Upon further analysis however, I would also be able to make sure an app can't access that information even with a SIM card on it. However I'm not testing with SIM cards installed at the moment, so I will leave that as a next step.

                        Xtreix timezone was changed, network country code was sort of ruled out since I'm not using SIM, so I still need to find a different identifier and make sure that at the very least it isn't too revealing.

                        I may check if there's anything about my router that could tell something, however my router setup is already pretty specific and I don't anticipate for that to reveal a lot, who knows tho.

                        I would like to invite others to replicate these conditions, particularly of they're outside the US which I'm just guessing would make any guesses from the app more evident, and see if the issue is present.
                        Basically it is: No sim card, Mullvad or IVPN in very extensive configurations: relaying ipv6, lockdown mode, etc etc. Removing all permissions except of internet access, everything in a profile dedicated to just test the Amazon Shopping app, and then just about any variable you can remove.
                        This is something I observed across different restrictive setups and devices but I found it extraordinary to still happen on a graphene phone.

                        I will be pasting the apps logs in my next reply, thank you all again.

                                angela Because SIM cards are just authentication tokens, basically. It's proving that you paid your bill, and that you can connect to certain cellular networks. Even without a sim card, you can connect to cell towers. This is why emergency services work without a SIM card. I don't know for certain, but I would guess that your country code can be determined in this way, even without a SIM card present.

                                    companies are getting better at identifying users by network characteristics. it could be something amazon does.