FINGERPRINTING - So much data exposed to apps by default!

someone27281

Moderation team: this is a very sensationalized post presenting information that's regularly discussed in forum threads mixed with inaccurate claims. For example, it's assuming that a per-app random number generated by the OS (MediaDRM ID) as a hardware identifier. It's presented as if something we document in our FAQ is a shocking discovery and ignores the many planned features in our issue tracker. It also presents it as if privacy claims were made which were never made and in fact contradicted by our documentation, issue tracker and regular responses on the forum. Thread has been locked because this is not a good way to start a constructive discussion.

Disclaimer: First of all, of course none of this is GOS' fault, nor I am claiming GOS is enabling this explicitly (if anything stock should be worse with added Google APIs 😅)

I am one of these guys who treats User Profiles as different identities, basically playing split personality with my phone. But recently I noticed some apps acting as if it knew the connection between the "identities".

So I decided to test it. I used https://play.google.com/store/apps/details?id=flar2.devcheck to see how much data an app can get with ZERO permissions (except network, but that's pretty much a requirement these days)

Here is the screenshots of data that it was able to get a hands on (PII stripped/hidden): https://postimg.cc/gallery/YvdmhH1

As you can see:

It is ABLE to access SIM data, getting operator name, APN, Country code, local IP address. Great.
It is able to access almost all WiFi related info, like Gateway, DNS, local IP addresses, WiFi type, signal strength etc.
Complete info about installed OS ranging from build ID to active slot, root access, Language and TimeZone,
Specific Device ids and Google DRM ids (which I assume is tied to hardware, basically uniquely identifiable)

These are only the highlighted info. It can access data like mobile signal strength, battery percentage and discharge rate, CPU frequency (really?), installed apps list (🤨) and a whole bunch of stuff I don't even understand.

To be absolutely clear: ALL permissions except Network is DENIED. Including sensors. Oh also I am using a Always on VPN with leak blocking. The local IP info it showing is NOT the VPN's, it's indeed my local network's. So much for different identities.

While yes, None of this data directly identifies me to either a private company or govt (like my IP address or my Phone number), but realistically this is more than enough info to fingerprint the absolute shit out of the device to pretty much UNIQUELY identify you whatever you do. Also remember these are GLOBALLY valid data, not User profile specific.

So for anyone thinking of using GrapheneOS for anonymity, it does NOT provide anonymity. It is indeed the best we have, but it's CLEARLY not perfect. Don't be fooled into a false security.

My suggestion is wait for the Virtual Linux emulation thing and set up a proxy through Tor inside the VM. I would like some expert to provide a standard setup guide so that everyone who sets it up looks exactly alike. My understanding is since that is a VM it won't have any access to real hardware so all instances will have the same hardware fingerprint.

Anyway, do GOS plan to further harden and anonymise the app sandbox? Is there any workaround? I welcome suggestions in replies

DeletedUser237

someone27281 so wait, you run an app explicitly telling you it will have access to this data, and you were surprised it worked as advertised? Color me surprised...

What did you expect will happen?

ryrona

someone27281 Oh also I am using a Always on VPN with leak blocking. The local IP info it showing is NOT the VPN's, it's indeed my local network's. So much for different identities.

This is a major concern. This was one of the things I worried about might actually be the case, and had on my list of things to check, but didn't get around to. For many users, it is probably only a LAN IP address, if you are behind a NAT, which most are, but it might very well be your publicly routable IP address too. This may mean some apps would inadvertently leak your publicly routable IP address even when you are routing all traffic through a VPN for anonymity reasons. Same with 4G/5G IP address of course. So way worse than it merely being usable for fingerprinting.

Here is where I was thinking about this possibility:
https://discuss.grapheneos.org/d/20052-android-15-vpn-inbound-traffic-changes/7

The whole VPN design in AOSP is so poorly done. There will only be more and more things like these that keep popping up, unfortunately. It is a blacklist approach, trying to plug leaks as they gets discovered, instead of the VPN feature being designed in an actually secure way from the beginning. Unfortunately, there might not be that much the GrapheneOS developers realistically can do about it, other than keep plugging leaks like this. At least not until we can run most things in virtual machines on our phones.

someone27281 It is ABLE to access SIM data, getting operator name, APN, Country code

This was known to me, and have been mentioned many times on the forums. All apps can see exactly which country you are in, by reading operator information from the SIM card, allegedly even when device is in airplane mode.

Unplugging the SIM card is the only way to prevent this. I believe there is a ticket somewhere on the bug tracker about fixing this, and that the GrapheneOS developers are interested in fixing this leak. But it is not that serious. Apps can usually guess which country you are in anyway, because of configured timezone, system language or keyboard layout, and which country you are in is not allowing to locate or identify you specifically.

The IP address on the other hand might be far more concerning, and I did not know about that.

someone27281 It is able to access almost all WiFi related info, like Gateway, DNS, local IP addresses, WiFi type, signal strength etc.

Is it able to access SSID or BSSID of the connected Wifi? That would also be a considerable concern if that is available when using a VPN for anonymity. It is not clear from your screenshots whether that is the case. It is not as serious as IP addresses being available, as the risk apps are inadvertently leaking that is probably somewhat lower.

My understanding is that information about SSID and BSSID are guarded by Nearby Devices permission. If that is the case, nothing to worry much about.

someone27281 Specific Device ids and Google DRM ids

These should be app specific. In the case of MediaDRM identifier, I think I have heard it is the same for the same app, if the same app is installed in multiple user profiles. But it should be different for each app, and after factory reset. Thus it is not that much of a fingerprinting concern.

someone27281 So for anyone thinking of using GrapheneOS for anonymity, it does NOT provide anonymity. It is indeed the best we have, but it's CLEARLY not perfect.

It is the best we have for mobile phones, but for computers we have better alternatives for anonymity. QubesOS is correctly designed in most regards, from the beginning, just to mention one.

someone27281 Anyway, do GOS plan to further harden and anonymise the app sandbox?

I certainly hope the plug the IP address leak somewhat quickly now when that has been discovered. It is just unfortunate this was not discovered before, as there apparently is an app already that shows this information, and the GrapheneOS developers said they checked a lot of things pretty thoroughly back when they plugged the last set of leaks.

There are other known issues with profile isolation that have pretty low priority though. Like the network loopback device reuse issue.

GrapheneOS

someone27281 Many of the claims in your post are false. What you've done is make a sensationalist post mixing real info with misinformation which is the opposite of constructive or helpful. You've made inaccurate claims about hardware identifiers, carrier information and various other things. You did not look at the FAQ, did not look at our planned features and didn't search for existing threads. If you want the answer to your question about what is planned, you simply have to look for it.

GrapheneOS

someone27281

My suggestion is wait for the Virtual Linux emulation thing and set up a proxy through Tor inside the VM. I would like some expert to provide a standard setup guide so that everyone who sets it up looks exactly alike. My understanding is since that is a VM it won't have any access to real hardware so all instances will have the same hardware fingerprint.

This is an experimental feature as a proof of concept and should not be used for this purpose. If you had done basic research, you would know the plans for virtualization and that running much less secure operating systems in a VM is not the way the feature will be used for improving privacy and security.

dawt

Most of the items aren't as identifying as you think.

It is ABLE to access SIM data, getting operator name, APN, Country code, local IP address. Great.

All of those basically correspond 1:1 to the carrier you're using.

It is able to access almost all WiFi related info, like Gateway, DNS, local IP addresses, WiFi type, signal strength etc.

Nothing there is very identifying. The only thing that's vaguely unique is your local IP, which allows developers to disambiguate devices behind NAT, but that's about it. Everything else is going to be a static value like "192.0.0.1" that everyone else has, or changes far too frequently to be fingerprintable.

Complete info about installed OS ranging from build ID to active slot, root access, Language and TimeZone,

If you keep your phone reasonably up to date, there's nothing really identifying about the OS build info, because it'll be the same as most other people. Language and timezone reveal approximately the same amount of information as geo ip, which can't be blocked.

Specific Device ids and Google DRM ids (which I assume is tied to hardware, basically uniquely identifiable)

Yeah that's the only thing that's worrying, although that's on the roadmap to be fixed.

GrapheneOS

dawt

Yeah that's the only thing that's worrying

MediaDRM ID is not a hardware identifier and is per-app. 2 different apps querying it will get a different value. The issue with it is that it wasn't namespaced per-profile, but it's such an insignificant issue since despite this sensationalized post acting as if it has discovered a scandal, there isn't any claim that it isn't trivial to fingerprint the device simply based on something like basic battery info. It is clearly easy to do that and even removing all the non-inaccurate things above (which would break a lot of things) would not solve it.

Canardo_Sanchez

DeletedUser237 you might have missed the point about permissions 🫠

DeletedUser237

Canardo_Sanchez You may want to see the permissions which cannot be revoked, and are detailed on the apps page by the dev.

GrapheneOS

ryrona You do not understand what's happening with the IPs. It has nothing to do with a VPN leak. It's mainly due to the Linux kernel exposing lots of information to applications.

Android's VPN implementation needs a major overhaul but it does not work in the way you're describing.

GrapheneOS

Thread has been locked. It's an example of how not to do things by not doing basic research such as checking our FAQ, planned features and many other threads about the topics before making a sensationalized post presented as a set of shocking discoveries which are a mix of well known and even well documented info with other parts that are simply inaccurate claims.