Play Store links “anonymous” owner profile to daily profile & phone

MaskMan59

Hi,

I’m a bit confused and surprised by something I’ve noticed. It doesn’t really cause me any problems, but I didn’t think this was even possible, so I’m trying to understand what’s going on.

Setup

I created a brand-new, dummy “anonymous” Google account.
Fresh GrapheneOS install.
Created a brand-new, temporary user profile.
Initial setup was done on free public Wi-Fi.
No phone number verification was used.

Profiles

Owner Profile

Google Play Store + Google Play Services installed.
Logged into Play Store only with the dummy “anonymous” Google account.
Apps are installed here, internet access is disabled afterward, and the profile is never used for anything else.
Apps are “pushed” from Owner to Daily Profile.

Daily Profile

Google Play Store is disabled and has no network access.
Google Play Services is enabled with the minimum permissions required.
WhatsApp Business installed via the Owner profile.
Logged into:
- WhatsApp Business
- Google (only for Google Contacts sync)
No other apps are logged into or even used (Instagram, Facebook, etc.).

What I noticed

When I open Google Play Store in the Owner profile (logged in with the anonymous Google account), and look at apps I’ve installed in google play, Play Store shows:

“Available on more devices – Xiaomi phone”

That Xiaomi phone uses my real Google account, not the anonymous one.

The confusing part

How can a dummy, anonymous Google account in the Owner profile be aware of:

My Daily profile’s real Google account, and
Another completely separate phone (Xiaomi) using that same real account?

The anonymous account:

Has never logged into my real Google account
Shows no visible evidence of being linked
Was created fresh and separately

Possible explanations (guessing)

Somehow the Owner profile’s Play Store is learning about the Daily profile’s real Google login through the same GrapheneOS device?
Since my real Google account is used on both the Daily profile and the Xiaomi phone, Play Store is correlating them indirectly somehow to the Owner Profile?
Possibly via phone number association due to the sim card insalled in the GOS phone.

Phone number?

My personal SIM is in the GrapheneOS phone.
The anonymous Google account was not given a phone number.
Could Google still be associating the SIM/number at the device level and linking accounts that way?

Extra info

No phone number was provided to the anonymous Google account.
Both profiles have connected to the same Wi-Fi networks, including my home Wi-Fi (after initial setup).

Hopefully this makes sense. I’m mostly trying to understand how this linkage is possible from a technical/privacy perspective.

ron

What device did you use to create the Google Account?

MaskMan59

ron

I did a fresh install of GOS on my pixel device, which im currently using, then created a new user profile, then created the new anonymous google account with that profile. Nothing else was done with that user profile apart from create the account.
It probably (not definitely) had airplane mode on, or at least mobile data turned off, and was created through a large 'open' wifi service.

This new anonymous google account was then used in the Owner Profile to log into Play Store to install apps that are play store only apps. I didnt want to use Aurora store or an apk from apkpure etc. i wanted those apps to auto update through google play store logged in with my anonymous account.

pingu-the-penguin

As for the most likely option:

Apps can communicate across profiles through the loopback interface if both apps are granted the network permission and each profile does not have a VPN with the killswitch enabled. If one profile has a VPN with the killswitch enabled it should not be able to communicate. https://github.com/GrapheneOS/os-issue-tracker/issues/4772.

As for other things that may leak data:

Did you ever give Play Store or Play Services the location permission or the phone permission? WIth the location permission being granted, apps can see the WiFi SSID which could potentially link both accounts together.

The phone permission gives apps info about your SIM and your phone number. If you have granted WhatsApp the phone permission on both phones then WhatsApp could communicate the phone number with Google theoretically.

MaskMan59

pingu-the-penguin

Each profile has not had a VPN with kill switch enabled permanently.

Owner profile: Usually no VPN. I didn’t think one was necessary because no apps are actively used and no network permissions are granted to apps, apart from Google Play Store and Google Play Services (required for the phone and apps to function properly).

Daily profile: Does have a VPN with a kill switch, but it has not been enabled 100% of the time.

Location:
Location is always turned off. Google Play Store and Google Play Services do not have location permission, and as far as I’m aware, they never have.

Daily profile permissions:

Google Play Services: Network, Phone, Contacts (I assumed these were required for normal operation).

Google Play Store: Disabled.

Owner profile permissions:

Google Play Services: Network and Notifications (it previously had more permissions).

Google Play Store: Network and Notifications (also previously had more).

Phone permissions:
WhatsApp does have phone permission, as I believed this was required to make and receive calls. This is the case on both phones.

I understand how WhatsApp in the Daily profile would know that I’m logged in on another phone using the same Google account, but I didn’t expect the Owner profile to be linked as well.

Thanks for the information and links. It appears that user profiles are not fully compartmentalised or anonymous from each other, and that some communication between them does occur.

It seems that Google Play Store has found a way to link my personal Google account with my anonymous Google account on my GrapheneOS phone via different user profiles.

pingu-the-penguin

I stand corrected, using a VPN does not block apps from doing this as they are using the local network. There is no way around this yet.

More info:
https://github.com/GrapheneOS/os-issue-tracker/issues/4768
https://github.com/GrapheneOS/os-issue-tracker/issues/5554

CohibaRobusto

This has major security & privacy implications for me

Byku

MaskMan59 Google Play Services: Network, Phone, Contacts (I assumed these were required for normal operation).

In theory no permission is necessary if you use it only for compatibility with other apps. In practice people usually allow it access to Network for push notifications to work. Phone&Contacts is absolutely not required and it gives away a lot of personal info on you. Play Services now knows your phone number, all the names & phone numbers of your contacts and probably your real name if you had it saved in contacts too. That data can be enough to deanonymize you. I'm not 100% sure this happened here but it could be a possibility and it's scary - no company should be allowed to extrapolate information like that.

MaskMan59

i started off with pretty much everything denied. then slowly allowed stuff to get things to work.
note that my contacts are not in the Owner Profile, only my Daily Profile.
I thought play services did need phone and contact access to allow the pixel caller-spam feature and to match contacts with phone numbers when they call.

MaskMan59

Play services has phone and contacts access only in my Daily Profile, not in my Owner Profile.
The Owner profile still linked my anonymous logged in account to my other phone, which can only have been done by communicating Daily to Owner profile.

Byku

There is also DRM ID that is always consistant for the same app on all your profiles. Technically this could be used by an app to determine if it's installed on the same device but in different profile.

MaskMan59

this could also be the reason

google play services runs on the owner and daily profile.
google play store is only on the owner profile.
an anonymous google account was logged into on the owner profile so also used the google app.
my real google account was logged into on daily profile to use google contacts so also used the google app.