MetropleX I should add about the Spotify example:
I used that because it seems, reading the permissions (but not being an Android developer), that the app has within its allowed function the capability to easily glean information about my location, if not more.
- Aurora says: access bluetooth settings, pair with bluetooth devices, run in the background, view wifi connections (I VPN, but this sounds like scanning outside location services?), view network connections, and discover and pair nearby bluetooth devices
- Android settings post-install have very different granularity: network, sensors [denied], nearby devices [denied]
- Spotify seems fine on quick test (it displays warnings, but functions) with only network allowed in settings (it can play audio to a paired [at the OS] speaker, and receive events from that speaker (Pause, etc.))
What else can it do? I'd argue it's ~ highly technical based on a combination of SDK version, implementation details, and maybe external things like bluetooth & wifi advert specs, right?
To be specific on my threat model here - I'm trying to maximize my privacy within certain usability bounds. And I'm trying to ensure I understand my surface area so I can at least make informed consent (even if companies don't give this to me directly). Over the last 5 years I've switched myself and the family over to GOS (previously calyx), linux desktop, protonmail, signal, always-on vpn, FOSS contact/calendar/file/password sync, and some others, but this has limits - streaming music is a great example: perhaps I'd give it up; they will not. My privacy is only as good as that of the folks I live & travel with, and who receive 90%+ of my comms. Just trying to rationalize the difference between my request and paranoia haha :)
So Spotify is an attempt to make a 100% concrete example. Since I'm obviously not well versed here, it's probably wrong :) However, in the general case, even within the phone/localhost, apps can communicate by mutual consent (which is really opaque to the user, regardless - requires inspecting the ~ manifests AFAICT) ... having an app provably suspended means I don't have to worry at all about what it's doing, now or after a sleazy update, except when I have it explicitly open.
I do appreciate your replies, thanks!