I use an anonymous google account for downloading apps and a work account with GSF, Play Services and Play store enabled but not signed in.

The problem is that I need apps for my job that are related to expensive hardware. So only very few people have this stuff. If google or anyone else gets a list of my installed apps they can do two things: 1st link my work profile to my owner profile and thus google account. 2nd find out with public information such as our company website which company I am working for and my real name.

Is it true that I have already spoiled my installation?
Is there a test service to check the uniqueness of my list of installed apps? Similar to browserleaks.com?
Is it still possible for all normal (non-google) apps to fetch a list of installed apps?

I am considering using a third completely degoogled profile for the unique apps but that makes daily life more complicated. Especially since I need another profile with a google account for one specific banking app.

I checked the FAQ but did not find the info there.

    schweizer if your threat model includes it being plausible or likely that Google would disclose information about your Google account, or that they might accidentally leak it, or that somebody could steal your phone and potentially determine which apps are installed... perhaps it would be best to isolate work apps on a second device. That would not be convenient, but if the severity and plausibility of the threat is high enough then you are probably in a situation dense with inconvenience.

    Though money is not the sole issue, it might help to ask how much money it would be worth to avoid such a disclosure. If it is much more than the cost of a second device...

      schweizer The problem is that I need apps for my job

      In this case you should use a company provided phone just for work stuff. Do not mix work and regular stuff together on one machine, it never ends well, and creates all sorts of issues.

        So basically I need one profile per app. A usabiliy nightmare. That is so sad.
        That means the approach by sideofburritos of using two profiles is useless if you download apps that are not mainstream.

          schweizer I can't believe he hasn't had time by now to go over his "in the hell podcast" transcript. Many of us though find ourselves in hell trying to navigate obstacles of modern day surveillance. Getting worse btw.

            schweizer reread @de0u 's post. Does your threat model really require that level of isolation? I'm by no means doubting it, but the most of us overthink it a bit, myself included.

            If it's not absolutely critical that Google (or someone they leak your installed apps to) isn't able to identify you based on installed apps, I wouldn't worry too much about it.

                GrouchyGrape What you do not consider is potential work implications of using such apps with a daily driver phone.

                Isolation is the key here, so even if their threat model does not call for it implicitly, they still should exercise the most cautionary approach possible.

                @schweizer, the YT content you talk about is aimed at daily driver, nothing work related. You should not take advice from a yt content if you use such apps. I am kind of surprised your work did not make it mandatory to use a company provided and managed phone with strict policies etc. but everyone is skimping on security, so I guess I should not be surprised after all..

                  GrouchyGrape Does your threat model really require that level of isolation?

                  For me a requirement is a "normal life". Reality is without whatsapp you are excluded from todays social life. I will not give up my life because some tech companies are making it virtually impossible not being spied on.

                  I do stuff that is illegal in certain non-western countries and I am required to travel internationally. So I am concerned about privacy.

                  I simply do not understand why the permissions are set in a way that virtually any app can send a list of my installed apps back to their headquarters. I do not understand why I cannot download most apps from the manufacturers website or github.

                  I doubt that just removing my special apps will be sufficient to avoid fingerprinting. Nobody has answered my question yet how to test the uniqueness of the list of installed apps. I fear the combination of locale, banking apps and threema libre is quite unique.

                  I am on friendly terms with my employer and don't have a 9 to 5 job. Some friends are customers and vice versa. Carrying two phones all the time would be very inconvenient and I fear it will not solve the problem because if two phones share the location all the time they can be correlated as well.

                      schweizer Carrying two phones all the time would be very inconvenient and I fear it will not solve the problem because if two phones share the location all the time they can be correlated as well.

                      I am not sure what you do for living and won't ask, hence maybe I don't see why you'd need to have all connectivity up 24/7 on the work phone, but the way I'd do it (and did when needed) is to block all connectivity on it and use a spare modem to give whatever network access is needed to operate the apps for work. Inconvenience? Maybe, at least at first. But if you really want to separate it, there's (imho) no "better" way.

                        I need connectivity for messengers. Voice and text. I am not alone with that need. Besides not everybody has one single job. You can have different roles in different organisations. I never mentioned that I want to separate those roles.

                          schweizer to answer your original question, unfortunately, it's virtually impossible to live a normal digital life and completely avoid fingerprinting against a motivated actor.

                          However, that isn't to say that a few basic practices (private spaces, multiple profiles, etc ) don't help and make fingerprinting more "expensive".

                            schweizer yes, you did not say you'd want to separate your life and work but at the same time you want to avoid profiling and identification due to work apps that have a very small number of users you can't expect miracle solution.

                              schweizer I simply do not understand why the permissions are set in a way that virtually any app can send a list of my installed apps back to their headquarters.

                              I think the short answer is something like:

                              1. In general it is expected on Android that the overall user experience is based on multiple apps working together, so there are cases where one app might wish to offer to share some data with some other app if it is installed,
                              2. Android has multiple features that enable users to separate apps from each other (secondary user profiles, Private Space, guest user).

                              At present the user-profile system has limitations, quirks, and annoyances, but it does exist. It is not the case that Android forces all users to allow all apps to report on the presence of all other apps.

                                schweizer Nobody has answered my question yet how to test the uniqueness of the list of installed apps.

                                I think the only way to do that would be for users to voluntarily install an app that would report the identity of the device and the list of installed apps to a database which could then estimate uniqueness.

                                It's unclear to me that anybody worried about "app fingerprinting" would be willing to install and run such an app, so...

                                • fph replied to this.

                                    de0u Actually for this purpose you don't need to upload the whole list, a cryptographic hash is sufficient.

                                        fph Actually for this purpose you don't need to upload the whole list, a cryptographic hash is sufficient.

                                        Good point!

                                        Though I think there are issues...

                                        1. Anybody who has only a small number of apps installed would be revealing exactly which apps. For example, if I have exactly the pre-installed apps installed plus one more, and I upload that hash, then the server can easily determine which single other app I have installed by computing the hashes of multiple hypothetical llists: baseline apps plus app A, baseline apps plus app B, etc. And it would probably be feasible to precompute hashes for pairs of fairly-common apps.
                                        2. One would need to trust the app to be uploading only the hash of the list of installed apps rather than the list itself.

                                          One could simply anonymously upload a csv list of the installed apps. There is no problem with such a list as long as it is not tied to a profile. And the list is probably not that unique on a worldwide level. But if you combine it with a locale or IP that looks different.

                                          Aurora will have such data already.

                                          schweizer if you do multiple profiles some identifiers (media identifier) will be consistent across profiles as well as other fingerprinting will be consistent across programs. It is VERY likely they could be linked.

                                          If you do anything with crypto thats not allowed in your country, or engage in unsanctioned activity, you're making a mistake likely. If all your questionable activity is in a profile with FOSS apps without trackers and you use a different VPN, it's less risky but still risky. You'll still have the same imei and so if suspicious profile 2 somehow gets linked to you (they determine wireguard packets are linked to phone imei) then they can track other imei data. If they somehow can break 1st profile with other differentVPN (like monitor packets and order going to data center and see outgoing packets to weird-unique-app update (www.apponlyusedbyanthropologistswhilesearchingfordinosaurbones.com), they can guess it's you and then collect evidence other ways.

                                          Graphene is hardened, but you could be making a mistake.

                                          If you are part of a graffiti collective, and at worst you get probation, they aren't going to be try to correlate wireguard activity. If it's something more serious, just don't do this.

                                          Just running WhatsApp will fingerprint the hardware of the device. Meta and Google have the most advanced fingerprinting along with Cloudflare, but cloudflare isn't in Apps. Meta likely has the most advanced fingerprinting of the group.

                                          They can guess who is who with vpns and also they can buy VPN accounts and try to connect to VPN and send malicious packets to correlate. Wireguard does not offer that much protection. They won't go after you if you are torrenting a new blockbuster movie but they can definitely break wireguard with malicious packets and other software they have. They do not use it for low level offenders.

                                            This leads me to the conclusion that using Aurora with anonymous downloads is actually superior to using Playstore in terms of privacy.

                                            There is no possibiity to check how unique your combination of apps is but after visiting am i unique I assume almost every combination is unique. Especially if you live in a small country.

                                            We really need a way to anonymously download (paid) apps without disclosing an official ID.