is it possible for an app to read your phone number internally?

[deleted]

I'm curious if apps (google sandboxed or not) have any possibility of determining your phone number if you have a sim in the phone? Especially some of the more privacy invasive apps like tiktok or instagram? And I guess on a related question, if you have different profiles, so say instagram in one, tiktok in another, and instagram in yet another, is there any way for the apps to link your accounts other than public IP addresses perhaps? Is there anything internal to your phone they can read to assume you are on the same device on different accounts?

Probably9857

[deleted] I'm curious if apps (google sandboxed or not) have any possibility of determining your phone number if you have a sim in the phone?

Not by default, but yes if you grant the Phone permission.

Also, there is the possibility of communicating with another app in the same profile that has the Phone permission, if both apps are designed to cooperate that way.

[deleted] f you have different profiles, so say instagram in one, tiktok in another, and instagram in yet another, is there any way for the apps to link your accounts other than public IP addresses perhaps? Is there anything internal to your phone they can read to assume you are on the same device on different accounts?

There are no known unique identifiers that apps in 2 different profiles would have access to. You can read the official GrapheneOS answer here, and the following section about non-hardware identifiers.

However...

Every app can see every other installed app in the same profile. So you could be fingerprinted that way, depending on how unique your set of installed apps is.

Another way would be by sending multicast packets to the local network, which are able to bypass the VPN. (Release 2024091700 attempted to fix, but was rolled back due to significant compatibility issues.) If 2 apps were cooperating this way, it would allow the apps to determine that they are on the same network. Not definitive proof that they're being used by the same person, but might make it highly probable.

There is another recent thread about using AI analysis of pixels in photos to identify a device, so if you're uploading photos to 2 different services, they could (in theory) tell they were taken by the same device.

I have no doubt there are probably many other possiblities.

treenutz68

[deleted]

yes if you grant the phone permission. I believe some privacy invasive apps (whatsapp iirc) demand that permission to work correctly and therefore would have access to your sim info

rustybird

[deleted] if you have different profiles, so say instagram in one, tiktok in another, and instagram in yet another, is there any way for the apps to link your accounts

Probably9857 There are no known unique identifiers that apps in 2 different profiles would have access to.

There's the MediaDrm ID, which has come up in the forum a couple of times. It's the same across profiles, and it's not gated behind a permission.

Probably9857 You can read the official GrapheneOS answer here, and the following section about non-hardware identifiers.

https://github.com/GrapheneOS/grapheneos.org/issues/962

Carlos-Anso

[deleted] is there any way for the apps to link your accounts.

Theres various ways, particularly if user profiles are running at the same time. Along with the mentioned DRM ID, there are numerous other things that potentially could be used. With some of these data points logging over time would provide increasing confidence that its the same device.
Battery %, charge cycles, when device is on charge, time skew, the OS update running, sensor readings, network availability, time switching from cellular to wifi, device free storage, memory usage, etc.

Probably9857

Probably9857 Every app can see every other installed app in the same profile. So you could be fingerprinted that way, depending on how unique your set of installed apps is.

Also requires that unique set of apps to be installed in both profiles, so probably not very likely in practice.

[deleted]

treenutz68

so Whatsapp won't work in a sim-less phone?

[deleted]

thanks for the replies

I wonder, when you install google play services in a profile, does Google record the IP you used to install it and this persist with the install(s) after?

m4ri0g

[deleted]
it does.
if you give whatsapp phone permission it can autofill the verification code.

i have whatsapp using a number whose sim is installed in a dumb phone without internet. i just received the text on the other device and typed the code on whatsapp.

[deleted]

rustybird There's the MediaDrm ID, which has come up in the forum a couple of times. It's the same across profiles, and it's not gated behind a permission.

is this something that GrapheneOS could possibly gate behind a user toggle permission in a future update? or randomize it like an imei number

fid02

[deleted] is this something that GrapheneOS could possibly gate behind a user toggle permission in a future update?

GrapheneOS developers have recently expressed that restricting app access to the Media DRM ID is planned. I don't know about how that will be implemented specifically. Please note that I don't speak for the GrapheneOS project.

de0u

[deleted] is this something that GrapheneOS could possibly gate behind a user toggle permission in a future update?

https://github.com/GrapheneOS/os-issue-tracker/issues/2314

Please note that while it is fine to subscribe to updates on the issue, or to use reaction emoji, the developers have requested that people not make "I want this too!" or "When will this be fixed?" posts on GitHub issues, which are for pull requests and, to a limited extent, technical discussions about how an issue might be resolved. Inappropriate issue comments have resulted in commenting being locked, which only slows down progress.