Fitbit tracker showing SMS message notifications when permissions not allowed

GrapheneMcGraphface

I have a Pixel 7 Pro with GrapheneOS, and I'm using a new Fitbit Inspire 3 fitness tracker. I don't want the Fitbit to vibrate or display every time I get a text message. I turned off all notifications in the Fitibit app but it continues to vibrate and notify about text messages. I also removed permissions for the Fitbit app itself, including SMS, and the notifications continue. My question is, how the is the Fitbit still reading and displaying text notifications? If I've set permissions for the app to 'not allowed', is Graphene failing to enforce it? Is this a defect with GrapheneOS? Has anyone experienced this before where you permission settings are being ignored?

NetRunner88

GrapheneMcGraphface
By using basic Bluetooth functionality. It doesnt use the app.

NetRunner88

GrapheneMcGraphface
For the rest, in app settings on GOS, don't allow the app to Read Notifications

mmobder

GrapheneMcGraphface I'm sorry as it wasn't part of the original question, but I've moved away from fitbit because it's all google now and one can't use their devices with https://gadgetbridge.org/ , so had to exchange nfc payments for the privacy. Latest Huawei trackers are good comparing for fitbit and aren't sharing your data if used with Gadgetbridge

other8026

GrapheneMcGraphface Does the app have access to Settings > Apps > Special app access > Notification read, reply & control?

HoosFoos

In Settings > Connected Devices > _Device _Name__ > Device Details (gear icon next to name of device) is the "Allow Access To Contacts and Call History" toggle switched off? It sounds to me that though the app may not have notification permissions, the device itself may still have permission and this may fix the issue. It has for me in a similar situation.

GrapheneMcGraphface

Thank you for all the replies. I would have posted screens but I don't see an option.
-In the Fitbit app, every single notification is set to off
-In Settings > Connected Devices > Inspire 3 > Device Details - Allow Access To Contacts and Call History is OFF
-In GOS App Permissions, only Location, Nearby Devices, Network, and Sensors are allowed - everything else is not allowed

@other8026 - Thank you, I didn't know about this setting - It's now disabled, and I hope that works :)

Now I just have more questions:
Why the heck would GOS let me set the SMS and Notifications to not allowed in App Permissions, and then go ahead and still let the app read all my texts over in some special app access section, in contradiction to my settings, and without telling me? I feel this is a huge oversight for a security/privacy focused operating system(!). Are there any other contradictions in permission settings I should know about, or other locations I need to check? How do we know which settings are the master settings when there are contradicting/redundant permission settings?

NetRunner88

GrapheneMcGraphface Now I just have more questions:
Why the heck would GOS let me set the SMS and Notifications to not allowed in App Permissions, and then go ahead and still let the app read all my texts over in some special app access section, in contradiction to my settings, and without telling me? I feel this is a huge oversight for a security/privacy focused operating system(!). Are there any other contradictions in permission settings I should know about, or other locations I need to check? How do we know which settings are the master settings when there are contradicting/redundant permission settings?

This is not GOS related

other8026

GrapheneMcGraphface Why the heck would GOS let me set the SMS and Notifications to not allowed in App Permissions, and then go ahead and still let the app read all my texts over in some special app access section, in contradiction to my settings

SMS access and notification access are very different things. Apps use them for very different reasons. When granting the notification permission, a dialog box pops up warning users about what an app can do with the permission. If the user is informed of what they're doing and they grant the permission anyway, why would the OS ignore their decision?

Keep in mind that a lot of the OS is untouched by GrapheneOS. The related code, settings, and behavior for notification access all appear to be from AOSP.

GrapheneMcGraphface in contradiction to my settings, and without telling me? I feel this is a huge oversight for a security/privacy focused operating system(!).

Considering what I wrote above about different uses and the fact that a warning pops up first, I have to disagree.

GrapheneMcGraphface

I feel confused like I'm missing something, and I'm sorry if I'm not explaining things very well.

The Fitbit app permissions were always set to:
Notifications = Not Allowed
SMS = Not Allowed

But the Fitbit device was still receiving the SMS messages and notifying me about them.

Another setting needed to be adjusted to resolve the issue:
Settings > Apps > Special app access > Notification read reply & control > Fitbit > Allow notification access - changed to Not Allowed.

Are you saying it's the way that Android is, and not something that Graphene OS did or changed?

Would it not be wise for a privacy/security-focused OS to alert the user that when they set Notifications and SMS to Not Allowed, that it will actually still be allowed against your wishes because there's a special setting buried in Android somewhere else?

I'm worried because it feels like the system is permitting actions that are specifically unauthorized. I feel like this goes against the whole point of using GOS.

Is the common practice with GOS that you have to trust but verify, and always check in two or more places to ensure the permissions will actually be enforced correctly?

other8026

GrapheneMcGraphface Notifications = Not Allowed

GrapheneMcGraphface SMS = Not Allowed

GrapheneMcGraphface Notification read reply & control > Fitbit > Allow notification access - changed to Not Allowed.

These are three different permissions, each has its own purpose.

GrapheneMcGraphface Are you saying it's the way that Android is, and not something that Graphene OS did or changed?

Yes

GrapheneMcGraphface Would it not be wise for a privacy/security-focused OS to alert the user that when they set Notifications and SMS to Not Allowed, that it will actually still be allowed against your wishes because there's a special setting buried in Android somewhere else?

As far as I can tell, the user has to grant the permission and apps aren't automatically granted that permission.

GrapheneMcGraphface I'm worried because it feels like the system is permitting actions that are specifically unauthorized.

I don't believe this is what's happening. Maybe if you set up the Fitbit again on another device or clear the Fitbit app's storage and set it up again, you'll see at some point it should ask you for that permission.

GrapheneMcGraphface I feel like this goes against the whole point of using GOS.

GrapheneOS isn't going to override users' settings in these kinds of cases. If you grant an app access to read and manage notifications, why would GrapheneOS override your choice? It makes total sense that some people might want a companion device to have access to view and manage notifications, but not to do other things.

GrapheneMcGraphface Is the common practice with GOS that you have to trust but verify, and always check in two or more places to ensure the permissions will actually be enforced correctly?

No. They're different permissions. They don't do the same thing.

de0u

GrapheneMcGraphface Another setting needed to be adjusted to resolve the issue:
Settings > Apps > Special app access > Notification read reply & control > Fitbit > Allow notification access - changed to Not Allowed.

It is genuinely quite likely that this was allowed via a manual approval pop-up at the time the app was installed. It's possible that it was overlooked at a time when multiple apps were being installed and being granted various permissions. If not, that sounds like a bug.

When was the app installed?

Sannshine

I cannot even get Fitbit to work on GrapheneOS, it says play services required.. but they are on the device and I even logged in?

When I click on log in with email I only see a white page.. When I click on sign in with google it says it needs play services?