  • Apps knowing SIM/Network country code / Apps sharing accounts between themselves

  • [deleted]


https://grapheneos.org/faq#non-hardware-identifiers

Incident #1:
Key part being "Examples of the global OS configuration available to apps are time zone, network country code and other similar global settings."

So the app wouldn't need network access to be able to see those identifiers since that's local on the device, then the app can adjust based on that.

Incident #2:
"..but that makes little difference since apps within the same profile can communicate with each other with mutual consent."
From the same article above. There they are talking about advertising IDs, but the same would apply here: since they are both Amazon apps, they may be using IPC (Interprocess Communication) to share your login between them. Another guess is that it's using the "Accounts" section in Android (though I'm less clear on how the Accounts section in the settings works).

Okay, but on #1, how would it know the "network country code" if it wasn't granted network access? And even if it was granted network access, wouldn't it be going to the VPN network and not the direct one to which I was connected?

    • [deleted]


    rsm I believe by "network" they are referring to the cellular network your phone is communicating with. But I'm not 100% knowledgeable about that.

    edit:
    If it was granted network access then network traffic should be tunneled through the VPN, but this is all done on device so the VPN is never involved.

    edit 2:
    It can read the network country code because that is one of the variables apps have access to, it doesn't have anything to do with network.


      For your first question, you likely weren't using airplane mode, so the app was able to determine the country code based on the surrounding cell towers and/or the SIM card in your phone, using the country code burnt in it. There's nothing unusual about this, and it's all documented on the GrapheneOS website.

      For your second question, the Amazon app you had in the same profile provided this to the Prime app. As the other user above said, apps can mutually agree to pass data back and forth. This is expected. If you don't want apps to be able to communicate with mutual consent, put them in different user profiles.

      For your first concern, there's already a filed feature request on the issue tracker:

      https://github.com/GrapheneOS/os-issue-tracker/issues/502

      For restricting app communication within the same profile, the project has been working on a feature that does this in a comprehensive manner, which will take a lot of work so that it's not leaky. Again, for now, using user profiles to isolate apps from one another is the correct approach. Details on this potentially upcoming feature here:

      https://twitter.com/GrapheneOS/status/1636042398043086850

      Now, if I may: it's perfectly fine to have questions and concerns. After all, you're using GrapheneOS because you care about security and privacy. But your wording makes it sound like what you experienced is outside of the norm, not documented or unknown, which is not the case. I would like to ask you to please frame questions like this as what they are... questions, and to not make claims that GrapheneOS is somehow not secure or private just because you experienced something you did not understand.

      I will also take the liberty to change the title of this thread to better describe your actual questions instead of the current title, which is sensational at best. Thank you for your understanding.

      matchboxbananasynergy changed the title to "Apps knowing SIM/Network country code / Apps sharing accounts between themselves".

      On point #2, understood. I had read so many comments on here and the prior Reddit forum which merely stated that "apps are walled off from one another." Perhaps it would be better as a community to couch that going forward so that these matters don't feel unusual.

      On point #1, while a fast learner, I'm not as tech savvy as many of the engineers and individuals who deal with GrapheneOS, so I'm not sure I fully understand the article. But to be plain, what you're saying is that even if a profile has no location access, no cell service, Wi-Fi and Bluetooth scanning disabled, and the sole app on that profile has zero permissions whatsoever, that app can still access your country code while travelling?

      If you're not using airplane mode, yes. The same applies to cases where you're using a SIM card. Apps are able to access the SIM card's country code, which is how apps are able to "guess" your country code when they ask for a phone number etc.

      As mentioned above, this may be eventually addressed and it's an open feature request, but it's currently working exactly as expected. In other words, nothing is "broken", there's just an open feature request to make it so apps can't necessarily do that. :) I hope that explains things further!
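
An added example, not part of the thread and not GrapheneOS project code: a sketch of how an Android app whose manifest declares no permissions can read the global settings discussed above. The function name `readGlobalOsConfiguration` is hypothetical; the `TelephonyManager`, `TimeZone` and `Locale` accessors are standard platform APIs that need no runtime permission.

```kotlin
import android.content.Context
import android.telephony.TelephonyManager
import java.util.Locale
import java.util.TimeZone

// Hypothetical helper (name chosen for this example). Assumes the app's
// manifest contains no <uses-permission> entries at all, not even INTERNET.
fun readGlobalOsConfiguration(context: Context): Map<String, String> {
    // The telephony service is reachable without any permission; only the
    // sensitive getters (phone number, IMEI, cell location) are gated.
    val tm = context.getSystemService(Context.TELEPHONY_SERVICE) as? TelephonyManager

    // MCC+MNC of the network the modem is registered on. The first three
    // digits are the mobile country code (MCC). This is state the OS already
    // holds locally, so no app traffic (and no VPN) is involved in reading it.
    val operator = tm?.networkOperator.orEmpty()

    return mapOf(
        // Device-wide settings exposed to every app
        "timeZone" to TimeZone.getDefault().id,
        "localeCountry" to Locale.getDefault().country,
        // Country derived from the cellular network the phone is attached to
        "networkCountryIso" to tm?.networkCountryIso.orEmpty(),
        "networkMcc" to operator.take(3),
        // Country of the SIM's home operator
        "simCountryIso" to tm?.simCountryIso.orEmpty()
    )
}
```

The telephony fields come back empty when the platform has no value to report, which is why the posts above tie the behaviour to airplane mode being off or a SIM being present.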

        matchboxbananasynergy Thanks. Obviously the sim card methodology makes sense. So too does it make sense if the app had network access. How does it access it when it has no permissions and there are no connections?