Identifiers across private space and profiles

  1. Does private space have a separate Advertising ID, Android ID, IMEI, MAC, etc.? Do separate GrapheneOS profiles have these?
  2. If I have an app using Bluetooth/Wi-Fi in my private space, will it appear as a different device from my owner profile Bluetooth/Wi-Fi connection?

    Privacy1st Does private space have a separate Advertising ID, Android ID, IMEI, MAC, etc.? Do separate GrapheneOS profiles have these?

    Apps cannot access your IMEI or MAC or other persistent hardware identifiers. Except for the Widevine DRM identifier, but that is rarely exploited and will be fixed one day by putting it behind an app permission. At least so I heard.

    Advertising ID is a Google Play feature, so it doesn't exist on GrapheneOS at all by default, only if you install Google Play Services. It should be different for each profile, since no app can communicate cross-profile on GrapheneOS, not even Google Play Services. You should even be able to generate a new random one in Google Play Services settings, to change it for that profile at any time.

    Your phone number will be accessible to all apps that you have granted phone or SMS permissions to. That can be seen as a persistent hardware identifier I guess, so avoid granting that permission to apps that mustn't know.

    Privacy1st If I have an app using Bluetooth/Wi-Fi in my private space, will it appear as a different device from my owner profile Bluetooth/Wi-Fi connection?

    I cannot answer for Bluetooth since I never used that. But each profile can have its own VPN connection, and thus its own outward-facing IP address. And other than the mentioned Widevine DRM thingie, there should be no way for the app to get a persistent hardware identifier or cross-profile identifier.

    But even if your device cannot be exactly identified as the same between profiles, there are fingerprinting possibilities that might statistically reveal the profiles are running on the same device. For example: what device type (e.g. Pixel 7a) you are using; at what times during the day you seem to use your phone; that the two profiles are used similarly close in time, or even interleaved in time, but never at exactly the same time; the country you are in, since that cannot be faked yet; when the app got an update, since apps are updated in all profiles at the same time (this is especially revealing for Google Play apps because of staged rollouts); and much, much more. Depending on your adversary you might need to be mindful of that.

      Apps can also access other device related info that in theory could act as a persistent hardware identifier like date and time your device was manufactured as seen in this app: https://f-droid.org/packages/io.nandandesai.privacybreacher/

      If I remember correctly this was the same date across my profiles, but it was a while ago and I could be mistaken. I don't know how unique it is to one device (maybe there are a few phones with the same date and time) or if GrapheneOS already spoofs it in some way. Whatever the case, I think Android is not currently capable of protecting you from malicious apps that actively try to fingerprint your device; it was not built for that purpose, and implementing such protections properly doesn't seem trivial. The only obvious way to defeat device fingerprinting is using multiple devices in a mindful way.

      But hey, I don’t think most apps even bother fingerprinting you with advanced techniques, for most people profiles seem adequate.

      There are various ways that apps in different profiles can get indication they are running on the same device. Private Space is another type of profile as are work, user and cloned profiles.

      Some techniques work better if profiles are running at the same time. Others would require recording the data over time to provide a strong correlation. It would not take long.

      If it's the same app, same app ID and APK signature, in different profiles, the DRM ID gives strong proof.

      These are quick lists of data points that could be used to provide an indication that apps are on the same device. These lists are incomplete. Collecting more of these and/or logging them over time can increase confidence.

      If the profiles are not running at the same time there is:

      • How many battery charge cycles on the phone since the battery was new
      • Date and time apps are installed and updated on the device: apps in any profile can see when each non-system app was first installed on the device, and when it was updated on the device for all apps in the same profile
      • The OS update that is running
      • Free storage available: https://github.com/GrapheneOS/os-issue-tracker/issues/4164
      • Time since device booted
      • Mobile data used since last boot
      • Wi-Fi data used since last boot
      • Time zone that is set for the device
      • Locale, if set for the device
      • Country code for the active SIM card
      • Detected country: this issue has some details; it's related to various data sources including time zone, set locale and country code: https://github.com/GrapheneOS/os-issue-tracker/issues/502
      • Developer options enabled
      • adb enabled

      It's possible for users to currently mitigate some of these with careful app selection and opsec, for example changing time zones etc. before starting different profiles.

      The following can also be used if profiles are running at the same time. Remember the owner profile is always running:

      • Battery %, temp and voltage
      • Free memory
      • Amount of work each CPU core is doing
      • Time screen off and on
      • Time device connected to or disconnected from charger
      • Screen brightness

      Both fingerprintjs and TrustDevice offer open source libraries to app developers which can be easily included in their app to allow them to fingerprint the device their app is running on. They both have apps to test the fingerprinting techniques they offer. The open source apps, which will both work without a network connection, are:

      https://github.com/fingerprintjs/fingerprintjs-android

      https://github.com/trustdecision/trustdevice-android

      It is worth noting that for many of the data points these apps collect, results will be the same for every device of the same model. For many other data points it will be the same for devices on the same OS update.

      Also various data points listed above are not collected by these apps.

      Ongoing research is required to identify all possible ways apps could fingerprint that they are running on the same device. Potential methods apps can use will change as AOSP changes.

      Currently GrapheneOS is disinclined to provide blocking for only one or a few of these, in an attempt to stop fingerprinting, as it would still be relatively trivial for apps to continue to achieve strong confidence that they are running on the same device if they so desire. It may also give the impression to users that apps cannot do that. There may be other reasons to block some of these data points besides blocking device fingerprinting.

      As with all features added to GrapheneOS anything done to block ways apps can collect data about the device on which they are running will require maintaining over time as AOSP changes.
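      The post above makes two claims that are easier to see with numbers: data points shared by every device of the same model or OS update add little confidence on their own, while collecting more points (or logging them over time) pushes linkage confidence up quickly. The following is an added illustration, not code from the thread or from GrapheneOS; it combines per-data-point match probabilities naive-Bayes style, and every probability in SIGNALS is a constructed assumption for illustration, not a measured value.

```python
import math

# Constructed, assumed per-signal probabilities (illustration only, not measurements):
# for each data point, P(values match | same device) and P(values match | different device).
# Low-entropy points (device model, OS build) match often even across different devices;
# high-entropy points (battery cycle count, install timestamps) rarely match by chance.
SIGNALS = {
    "device_model":          (0.999, 0.05),
    "os_update_build":       (0.999, 0.30),
    "time_zone":             (0.98,  0.20),
    "battery_cycle_count":   (0.95,  0.01),
    "app_install_timestamp": (0.99,  0.001),
    "free_storage_bytes":    (0.90,  0.0005),
}


def linkage_log_odds(matched, prior_same=0.001, signals=SIGNALS):
    """Combine observations into the log-odds that two profiles share one device.

    `matched` maps a signal name to True if the two apps observed equal values
    and False if they observed different values. Each observation contributes
    its log-likelihood ratio; logging the same signals again later simply adds
    more terms, which is why repeated collection raises confidence.
    """
    log_odds = math.log(prior_same / (1.0 - prior_same))
    for name, did_match in matched.items():
        p_same, p_diff = signals[name]
        if did_match:
            log_odds += math.log(p_same / p_diff)
        else:
            # A mismatch on a stable signal (e.g. device model) is strong
            # evidence for different devices.
            log_odds += math.log((1.0 - p_same) / (1.0 - p_diff))
    return log_odds


def linkage_probability(matched, prior_same=0.001, signals=SIGNALS):
    """Posterior probability that the two profiles run on the same device."""
    return 1.0 / (1.0 + math.exp(-linkage_log_odds(matched, prior_same, signals)))


if __name__ == "__main__":
    low_entropy = {"device_model": True, "os_update_build": True, "time_zone": True}
    with_high_entropy = dict(low_entropy, battery_cycle_count=True, app_install_timestamp=True)
    print("model/build/tz only:", round(linkage_probability(low_entropy), 3))
    print("plus cycles+install: ", round(linkage_probability(with_high_entropy), 5))
```

With the assumed numbers, matching only model, OS build and time zone leaves the posterior around 0.25, while adding the battery cycle count and an install timestamp pushes it above 0.99; changing one high-entropy point (free storage, time zone) between profile switches is what lowers it again.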

        Carlos-Anso
        Of course many apps will not be doing any of this fingerprinting.

        I presume it will be more likely with banking apps, apps which want to stop multiple accounts to mitigate spam or other abuse via their services, apps which are from advertising or data aggregation companies or which include libraries from such companies.

        Carlos-Anso Another great answer. This is good info to know. I'm not running the same apps on different profiles. But I am trying to keep a few nosy apps from having enough info about my device (that they undoubtedly sell) that someone could connect with identifiers to my other profiles or apps.

        Carlos-Anso
        Interesting
        I've checked out fingerprintjs-android and it appears that these identifiers and data points can be accessed without the app being granted any permissions.

        Does this mean that any app would be able to uniquely identify any device with near 100% certainty provided that they integrate a library like fingerprintjs-android?

        If so, this means that any app would be able to uniquely identify your device whenever they like.
        The only thing necessary is for the developer to push an update which integrates a fingerprinting library.
        Furthermore, I don't believe there is going to be any way for the user to notice that this type of fingerprinting takes place, nor are there going to be any stumbling blocks of any kind (like requiring the granting of additional permissions).

          a month later

          Is there any way a feature could exist where you could spoof certain identifiers? Such as spoof that you are using a Pixel 7 when you are actually on a Pixel 8? etc.?


            rellhom is there any way a feature could exist where you could spoof certain identifiers? such as spoof that you are using a pixel 7 when you are actually on a pixel 8?

            It depends on what you're trying to achieve. It wouldn't be that hard to fool people who are easy to fool, but people who were serious would see that you were using a Pixel 8 that would be pretending to be a Pixel 7, and would plausibly be extra-interested.

              de0u

              Likewise, is it the case that "people who were serious" can also see that we are using a privacy OS in general and plausibly be extra-interested?


                rellhom Is it the case that "people who were serious" can also see that we are using a privacy OS in general and plausibly be extra-interested?

                It's hard to answer that question in the abstract. Personally, part of my operating assumption is that if anybody genuinely well-resourced (national government, criminal gang) decided to spend genuine resources ($100,000?) on breaking into my phone, it would happen. Or if a rogue police officer wanted to acquire a detailed location track for me going back a few months, it would happen. Meanwhile, if anybody working for my carrier decides they want to see which devices connect to GrapheneOS web servers, they will turn up my device.

                Meanwhile, I don't particularly want Google to know who I text and call, or to have a location track for me, and I think they mostly don't. I don't want Facebook to know who my friends are, and I think they mostly don't.

                For me those are very different problem classes. "They" aren't one group of people, and "they" don't all have the same abilities. Part of my thinking is that there is no way to carry around a cellular-connected device, and to use cloud services, and meanwhile to conceal everything about me from everybody. I believe it is necessary to decide what you want to conceal from whom, and how much effort/inconvenience/money you are willing to pay.

                In answer to your question: if you use "privacy software" in a general sense, then it's pretty likely that somebody in a general sense will detect that. If you use Vanadium, or Brave, or Mull, etc., some web sites that want to detect that will probably detect it. If you use a VPN, your cellular carrier will know that you are using a VPN, and your VPN provider will know which web sites you use.

                Meanwhile, if you use Google Voice, or Google's dialer, or RCS, probably Google does know who you call and text. If you use Facebook, they probably know where you live and when you wake up and sleep.

                Personally I don't believe it's possible to spend lots of time online but to remain inside a general privacy bubble. To some extent, spending more time/effort/money can improve privacy, especially if the time/effort/money is focused on privacy from specific entities. But after a point increasing the amount of time/effort/money by modest amounts no longer results in even modest privacy increases. It is possible to spiral into spending more and more time/effort/money while still feeling that somebody still knows things about you. I prefer to avoid that.

                And there are specific "privacy" things that I personally suspect result in increased attention. IMEI editing... data-only international-roaming SIM cards... I suspect those things aren't adding privacy for most people who are doing them.

                Just my thoughts!

                a month later

                yellow-leaves Does this mean that any app would be able to uniquely identify any device with near 100% certainty provided that they integrate a library like fingerprintjs-android?

                Sorry for the late reply. It is not an easy question to answer. It depends on many things, and your question is not totally clear: fingerprint to compare against what? What a different app on the same device sees? When both apps run at the same time? If it is uninstalled and then reinstalled? etc.

                The post you reply to more or less answers your question.

                Having control over DRM ID will help, but as my comment explains there are many other ways. Some can be addressed with careful opsec.

                  5 days later

                  I was flabbergasted by the revelations in your post; I had no idea about all those variables which are (for the most part) needlessly exposed to apps and how easily they could be used for fingerprinting.
                  For this very reason I just had to ask: is this in fact true?

                  Carlos-Anso fingerprint to compare against what? What a different app on the same device sees? When both apps run at the same time? If it is uninstalled and then reinstalled?

                  It appears to me that any app developer could easily integrate a fingerprinting library into their app, allowing them to uniquely detect devices in the first two scenarios listed below.
                  When it comes to the third scenario I am however less sure; please lend me your thoughts.

                  • Different apps could detect that they are running on the same device, whether they're in the same profile or not, as long as they both run at the same time.

                  • Detect whether the app had been installed at a prior point on the same device, regardless of profile.

                  • Detect whether different apps, running in different profiles at different times, were running on the same device.
                    Let's just assume the apps are able to compare identifiers somehow.
                    Could they identify that they're running on the same device with reasonable accuracy?

                    yellow-leaves
                    I would agree with your first two points.

                    Regarding the third, it's not black and white and depends on many factors.
                    Clearly there are things that will increase or decrease confidence: the frequency of you using the apps, measures you may or may not take between opening the different profiles. For example rebooting, changing the amount of free storage, time zone, locale, removing the SIM.

                    There are lots of data points I listed in the post above, and certainly more, that two apps in different profiles can collect and that have potential to be part of a fingerprint, or when logged over time would increase confidence that the apps were installed on the same device. You need to consider for each point how it could be used, and potential ways to mitigate its use for this purpose.

                    If you suspect two different apps, or the libraries within those apps, may be collecting data on you to somehow fingerprint you or link your usage of the apps, and it's very important that your usage of those two different apps cannot be linked by any of those developers, or anyone they may share the data with, it would be well worth considering running the apps on different devices. Otherwise you need to be very careful.

                    Running apps in different VMs will be useful when that is available. There are apps now available that make it possible to run different operating systems within their environments. No great solutions though. Using websites/web apps instead of apps will change what the app/service provider can collect about you.
                    When using such methods, again you need to consider what data can be collected in each case which may be able to link your usage.