What information can apps see about Bluetooth or USB devices?

Lock

What exactly can apps see?
Can apps without special permissions like nearby devices see the Bluetooth MAC?

I noticed that some apps show the device name of the connected Bluetooth device, I now wonder this can be prevented or if this is also the case with USB devices like dongles

telemetry83

For USB, apps can see everything (including serial number) about the devices. You can read through the Android USB API for more details:

General overview: https://developer.android.com/develop/connectivity/usb
API overview: https://developer.android.com/reference/android/hardware/usb/package-summary
How to enumerate all devices: https://developer.android.com/reference/android/hardware/usb/UsbManager#getDeviceList()
How to access unique identifiers such as serial number: https://developer.android.com/reference/android/hardware/usb/UsbDevice

As far as I know, this can all be done without any permissions and completely invisible to the user. There is nothing described in the GrapheneOS documentation that limits how these APIs can be used by apps when a USB device is connected.

Lock

Okay WTF, this is really good to know

What about the Bluetooth MAC of the connected device ?

Okay I mean even if the app could see it, it wouldn't make much off difference using a USB or Bluetooth headphone for Privacy

telemetry83

For an app to interact with the Android Bluetooth API, the app needs to declare permissions. Using the Bluetooth API, an app can read lots of ID-related information about the Bluetooth adapter and all of the remote devices it connects to.

https://developer.android.com/develop/connectivity/bluetooth

The overview in the "Key classes and interfaces" section outlines this:

BluetoothAdapter: Represents the local Bluetooth adapter (Bluetooth radio). The BluetoothAdapter is the entry-point for all Bluetooth interaction. Using this, you can discover other Bluetooth devices, query a list of bonded (paired) devices, instantiate a BluetoothDevice using a known MAC address, and create a BluetoothServerSocket to listen for communications from other devices.

BluetoothDevice: Represents a remote Bluetooth device. Use this to request a connection with a remote device through a BluetoothSocket or query information about the device such as its name, address, class, and bonding state.

Some relevant methods:

The documentation outlines what permissions are required for different API calls. It's important to note that Bluetooth has numerous privacy flaws that can result in passive eavesdroppers calculating and tracking identifiers of devices that are connected to each other or even an identifier of a device that is only scanning.

Lock

Thanks a lot, so if I understand correctly all of this is available to all apps even without ANY permission at all (that the user can grant / block) ?

telemetry83

For Bluetooth, permissions are required. Those permissions must be granted by a user. This is done by asking the user, "Allow App to find, connect to, and determine the relative position of nearby devices?" There is a screenshot in that documentation link showing the permission dialog when an app requests to perform Bluetooth functions.

For USB, earlier I said this could be done without permissions, but that is wrong. Some, but not all, of the API calls do require permissions. getSerialNumber() is one method that actually does require permissions. I don't know what the permission dialog looks like when an app tries to call getSerialNumber().

Lock

So why can some apps see the bluetooth Device name ? (hopefully not the MAC) I guess that's not protected even when nearby devices is not granted.

For USB I think when you plug in a device you can get a pop up to grant an app access to that device. At least that's how it is with yubikeys. I guess some information is still leaked like device name or something otherwise an app couldn't request access to the device.

telemetry83

I don't know why an app would be able to see the Bluetooth device name without permissions. The API says that user-granted permission is required to list Bluetooth connected devices (BluetoothAdapter.getBondedDevices()) and to call BluetoothDevice.getName() on a connected device.

Lock

I just checked there are many apps that show device information. For USB it's vendor / product Id + device class + interfaces info + capabilities + reported name + maybe more. All of that is permission less. I would assume the same is the case with Bluetooth.

My concern was apps linking different identities even from different user profiles together. But it seems like even without a USB/Bluetooth device there is more than enough metadata to do that like DRM, battery info, timezones/ network, used storage and other device info. Using USB/Bluetooth just makes it even worse than it already is.

Probably even using a special USB cable or charger is a significant enough fingerprint

telemetry83

Lock I just checked there are many apps that show device information. For USB it's vendor / product Id + reported name + interfaces, is permission less + maybe more.

What app are you using to test with USB? What app are you using to test with Bluetooth?

telemetry83

For USB, that's expected. getSerialNumber() is the only informational method on UsbDevice that requires permission:

https://cs.android.com/android/platform/superproject/main/+/main:frameworks/base/core/java/android/hardware/usb/UsbDevice.java;l=147-162;drc=24403f7ef2fcb9c9185f33474a43af885ac3ba49

None of the other methods require permissions (getDeviceName(), getManufacturerName(), getProductName(), etc.).

For Bluetooth, I understood it to be different. Many methods seem to require various Bluetooth permissions. Maybe I'm missing something that allows an app to read basic data about a device. For example, BluetoothDevice.getName() requires the BLUETOOTH_CONNECT permission:

https://cs.android.com/android/platform/superproject/+/android-latest-release:packages/modules/Bluetooth/framework/java/android/bluetooth/BluetoothDevice.java;l=1748-1777;drc=c8838109bacd96eca1c21c9b9f618145544e4000

As you mention, there are many ways to link multiple user profiles together. This post lists more ideas:

https://discuss.grapheneos.org/d/17118-identifiers-across-private-space-and-profiles/4

Lock

telemetry83 or maybe not? Tried to read the API docs and source code, but I don't quiet understand what exactly is possible with those

Lock

For USB I used https://github.com/alt236/USB-Device-Info---Android

I haven't found anything good for Bluetooth that does not want nearby device permission. I just noticed that some music players showed my Bluetooth device name even without those...

There seem to be lots in the play store for general Device info and more

Lock

It seems "Pair with Bluetooth devices" and "Access Bluetooth settings" does not require permission. Don't know what the exact API call for that is

Question is what do these return? MAC?

Lock

BLUETOOTH and BLUETOOTH_ADMIN are permission less.

Don't know what that makes possible but Bluetooth MAC is probably exposed

telemetry83

Reading code is hard. If it was easy, 90% of the threads on this forum wouldn't even be created in the first place.

Lock

This was definitely not me begging for somebody to explain it for me.

telemetry83

Definitely not :P

Lock

Best clue I have is that the apps that show it have a low minimum SDK which does not require prompt yet.

Would be nice if you could disable those targets

Lock

Is there already a way to disable level 31 ( Android 12) ?