Hi Guys,

I have a few questions about privacy and am hoping you could shed some light, please, as it is a little confusing. Apologies if this was answered elsewhere, I couldn't find it.

  1. If we install an app and revoke Network permissions, can the app still collect information / spy, etc. on us? Can it still communicate with other apps and spy/send information to the web somehow? If yes, what is the defence mechanism against it?

For example, I am using Nova Launcher, Google Camera and a few other closed source apps with revoked Network permissions, can they still spy?

  2. The same question but with Google Play services installed: can an app with revoked Network permissions use Google Play services and send / receive telemetry/personal data (apart from push notifications)?

  3. Generally, do apps communicate with each other, or does each app see itself as the only app in the system (sandboxed), so it cannot see what other apps are installed and communicate with them?

  4. I have Google services installed and logged in to my account once to download an app I purchased. I then removed my Google account from the phone. Is it a big deal privacy-wise, i.e. will Sandboxed Google still keep some traces about my account to track my activities?

  5. Is it a good idea to not change the default Graphene wallpaper (black one)? Will changing the wallpaper affect privacy? I've heard that some websites can fingerprint using the Android wallpaper but I'm not sure if it's a big deal or true?

Thanks a lot!

I'll try to stick to the facts here:

  1. Yes, technically speaking an app can still collect information without network privileges; however, it might not be able to send that data anywhere without it.

    Apps can share information between each other, with mutual consent, via inter-process communication (IPC). There may be limitations on the breadth of data shared via IPC (I can't say definitively), but ultimately data can be shared.

    If one of the apps in this equation has network capability, I feel that is a weak link with respect to the privacy of the other app.

  2. Elements of Google Play Services/Store and Google Services Framework (GSF) are used by many apps for notifications, telemetry, and other functionality.

    It is for this reason that I choose not to use Play Services/Store, and I do not grant network permissions to GSF.

  3. I believe the app developer determines whether an app can take advantage of IPC, and it does require mutual consent of both apps in the equation.

    Personally, I just assume that any apps made by the same developer will have some form of IPC enabled (IPC between Google apps, IPC between Meta apps such as Facebook, Instagram and WhatsApp, etc.).

    It's my understanding that apps can see all other apps that are installed within the same profile.

  4. I don't know that anyone can answer that question definitively. Your IP address would have been associated with your account at the time of using the Play Store, and perhaps your IP remains the same now, and you're using apps that in some way tie into Google services where your Google account, IP address or other identifiable information continues to be reported upstream. It's difficult to say.

  5. Good question. I saw Side of Burritos' video and wondered the same as well.

Edit:

I just wanted to add that @MetropleX summed it up nicely in another thread recently:

When it comes to security, GrapheneOS has you covered. As far as privacy is concerned, GrapheneOS at first install is the perfect environment; everything you start to add after that, while secure, only adds anti-privacy elements which are only as private as the information you provide to them. That includes your usage of them. You should use the tools GrapheneOS provides such as network to mitigate this as much as you can where it is a concern.

The weakest link to the privacy of your device is YOU.

    mythodical

    Thanks a lot for the info.

    Do you know by any chance what information apps can exchange - is it personal info or just generic telemetry rubbish? Let's say an app doesn't have any built-in trackers (as reported by Exodus app), does it mean it can still communicate with other apps and exchange info?

    I wonder if push notifications always use the same address to dial in home - in this case we can block all other traffic from the GSF and only allow traffic to that specific domain for push notifications only (I am using AdGuard Home/DNS so can configure that).

    The wallpaper part is tricky - I also watched Side of Burritos' videos (a great channel by the way!) but then followed his advice and turned off Enable Native Code Debugging, which broke banking apps and the PayPal app. So I thought maybe the issue with wallpaper fingerprinting is just a theoretical possibility, not something we need to be concerned about. So this part is confusing.