I've written about issues with GrapheneOS and privacy protection in the past while using apps where I've noticed oddities that called into question privacy (see prior posts). More recently, however, two different incidents occurred that have me seriously questioning the privacy protection GrapheneOS claims.
Incident #1: I was recently travelling to a remote island outside of the U.S. While there, I created a new profile on GrapheneOS and disallowed location access from any app when doing so. I then downloaded ProtonVPN, set it to Always On, and connected to a U.S. server. Afterward, I downloaded the Aurora Store and downloaded an app from the Aurora Store (while connected to the VPN). When I downloaded the app from the Aurora Store, I did NOT grant it Network Permission--something I always prevent because I check the privacy permissions for an app after it has downloaded before allowing it any network access. I then opened the app's settings, removed the 1 permission it had (Sensors) and proceeded to then open the app, but still without Network access. Often apps which are downloaded still have the introductory protocol built in and don't need network access to show the initial page. In this instance, the app opened and prompted me to sign up; however, when it took me to enter in my phone number, it automatically adjusted the initial Country Code to begin with the remote island where I was located. I'm not sure how an app WITHOUT Network access, on a profile with all location services turned off, and a phone which is connected to an Always On VPN for a server in a different country, could detect that I was on a very remote island in the middle of the ocean. To be clear, this app was the only app in the entire profile as well. That seems to raise serious questions regarding privacy of the GrapheneOS operating system.
Incident #2: A while back while home, in one of the profiles I have on the phone, I have ProtonVPN Always On and, similar to the above, the profile has no other accesses to location, etc. I had previously downloaded the Aurora Store app and had downloaded Amazon on it. A while later when looking for something to watch, I downloaded the separate Amazon Prime Video app. Same processes as above--no network access or anything prior to me removing any other permissions such as Sensor permission. When I opened up the Prime Video app, however, it automatically filled in my login credentials and logged me in. I don't understand how that is possible when all apps are supposed to be walled off from one another. If I'm on a phone with an Always On VPN, no other accesses or other permissions, and I should note that I also live with other individuals that access the same internet source, how could it be that the Prime Video app would recognize and be able to pull my credentials? The only explanation I can surmise is that it would have had to pull the information from the original Amazon app in the same profile. This would run contrary to the claim that all apps within GrapheneOS are walled off from one another.