Hello everyone,
I recently discovered something odd and unsettling. App data is being shared across user profiles for a specific app, and I have no idea how it's being done.
The app in question is called Carousell, an app for selling and buying secondhand stuff. It's available for a few different countries, but markets are tied locally, so once registered to one country, you can't interact with the market from another.
I tried creating a new account using a Proton alias because I wanted to get something from another country, and it flagged me for 'suspicious behaviour'. The first new account got blocked, and the second too.
Now here's the weird part. When I open the app, they show the accounts I created, asking me which one I want to log in to. I can't get rid of them. I tried uninstalling and reinstalling the app, and clearing the cache and data, but the accounts still remained.
And here's the weirder part. When I install the app in a different GOS user profile, the existing app accounts also show up there. The different GOS user profiles have different Google accounts and VPNs. The same thing also shows up in user profiles without Play services installed.
The steps I took to try to remove the account data:
- Deleting the app across all profiles and reinstalling: FAILED
- Deleting cache and storage: FAILED
- Changing VPN address: FAILED
I temporarily managed to remove the app data after turning off and turning on the network permissions for the app, but after turning it on, the problem returned again.
Any ideas of what's going on?
It seems like this is a matter of human/device fingerprinting on their end to combat account misuse. But I don't know how they are doing it. (I know trying to create more accounts was against their policy.)
If they managed to fingerprint so effectively, what does GOS actually do? What does this mean for our privacy?
I appreciate the input from you privacy geniuses!