Hello!
I have used fingerprint check apps on different phone profiles. In all cases, the Media DRM ID was identical, which allows app to match the profiles and see that they belong to the same person. How can I avoid this?
Thank you!

    For example, Fingerprint OSS demo app. It shows unique DRM ID which allows app to identify me between profiles...

    kirillan10 Android has a flaw where it's the same in the same app across profiles but it should be different between different apps already. Need to test with 2 different apps or a build of the same app with a different app id and signing key.

      Can demonstrate with these two apps which each show a different DRM ID. The same app in different profiles shows same DRM ID

      https://github.com/fingerprintjs/fingerprintjs-android

      https://github.com/trustdecision/trustdevice-android

      Trouble is that there are other techniques apps can use to identify that they are running on the same device. See my post here
      https://discuss.grapheneos.org/d/17118-identifiers-across-private-space-and-profiles/4

        23 days later

        Carlos-Anso
        It sounds like the other techniques are correlation attacks, while this one is a unique identifier. If anything, it should have a higher priority for fixing than the rest.

        This also especially impacts using sandboxed Google services in multiple profiles for identity isolation. I imagine getting the DRM ID can be considered legitimate, routine usage for Google services. All of them will recognize they are the same device immediately, even if you create a temporary profile for a short time.

            amusement_grievous292 All of them will recognize they are the same device immediately, even if you create a temporary profile for a short time.

            Same for install time, which is recorded to the millisecond, of any apps that are in more than one profile, Also a commonly used identifier, can see it mentioned in the Android developer docs thmf links.

            Apps have can get information about the device in various ways. It really needs thorough research to work out all the possible ways apps could attain high confidence for a given scenario. For example 'apps in profiles that never run at the same time' to make a useful implementation of 'non linkable profiles'

            As mentioned in one of my later post in this prior discussion If you are looking to be able to run the same apps in different profiles on the same device without them being able to work out they are running on the same device achieving that goal is much more realizable by running another OS in a vm or a emulator. Like I said there's currently no great solution. With Googles work on Android Virtualization Framework hopefully GrapheneOS can make it possible for users to run virtual machines before too long.

            In the past I have known developers who worked building tracking tech for Android and iOS apps use Limbo on their personal Android devices so they could run apps they really didnt want somehow tied to their real ID. Limbo has been abandoned for some time now. Was no great choice of operating systems to run and performance wasn't great.

                  Carlos-Anso
                  Thank you for the explanation. That sounds bleak. One more thing to look forward to with improved VM support in Android, then. Qemu on Termux is such a terrible experience.