  • Apps knowing SIM/Network country code / Apps sharing accounts between themselves

I've written about issues with GrapheneOS and privacy protection in the past while using apps where I've noticed oddities that called into question privacy (see prior posts). More recently, however, two different incidents occurred that have me seriously questioning the privacy protection GrapheneOS claims.

Incident #1: I was recently travelling to a remote island outside of the U.S. While there, I created a new profile on GrapheneOS and disallowed location access from any app when doing so. I then downloaded ProtonVPN, set it to Always On, and connected to a U.S. server. Afterward, I downloaded the Aurora Store and downloaded an app from the Aurora Store (while connected to the VPN). When I downloaded the app from the Aurora Store, I did NOT grant it Network Permission--something I always prevent because I check the privacy permissions for an app after it has downloaded before allowing it any network access. I then opened the app's settings, removed the 1 permission it had (Sensors) and proceeded to then open the app, but still without Network access. Often apps which are downloaded still have the introductory protocol built in and don't need network access to show the initial page. In this instance, the app opened and prompted me to sign up; however, when it took me to enter in my phone number, it automatically adjusted the initial Country Code to begin with the remote island where I was located. I'm not sure how an app WITHOUT Network access, on a profile with all location services turned off, and a phone which is connected to an Always On VPN for a server in a different country, could detect that I was on a very remote island in the middle of the ocean. To be clear, this app was the only app in the entire profile as well. That seems to raise serious questions regarding privacy of the GrapheneOS operational system.

Incident #2: A while back while home, in one of the profiles I have on the phone, I have ProtonVPN Always On and, similar to the above, the profile has no other accesses to location, etc. I had previously downloaded the AuroraStore App and had downloaded Amazon on it. A while later when looking for something to watch, I downloaded the separate Amazon Prime Video app. Same processes as above--no network access or anything prior to me removing any other permissions such as Sensor permission. When I opened up the Prime Video App, however, it automatically filled in my login credentials and logged me in. I don't understand how that is possible when all apps are supposed to be walled off from one another. If I'm on a phone with an always on VPN, no other accesses or other permissions, and I should note that I also live with other individuals that access the same internet source, how could it be that the Prime Video app would recognize and be able to pull my credentials? The only explanation I can surmise is that it would have had to pull the information from the original Amazon app in the same profile. This would run contrary to the claim that all apps within GrapheneOS are walled off from one another.

  • [deleted]

  • Edited

https://grapheneos.org/faq#non-hardware-identifiers

Incident #1:
Key part being "Examples of the global OS configuration available to apps are time zone, network country code and other similar global settings."

So the app wouldn't need network access to be able to see those identifiers since that's local on the device, then the app can adjust based on that.

Incident #2:
"..but that makes little difference since apps within the same profile can communicate with each other with mutual consent."
From the same article above. There they are talking about advertising IDs, but the same would apply here: since they are both Amazon apps, they may be using IPC (Interprocess Communication) to share your login between them. Another guess is that it's using the "Accounts" section in Android (though I'm less clear on how the Accounts section in the settings works).

Okay, but on #1, how would it know the "network country code" if it wasn't granted network access? And even if it was granted network access, wouldn't it be going to the VPN network and not the direct one to which I was connected?

    • [deleted]

    • Edited

    rsm I believe by "network" they are referring to the cellular network your phone is communicating with. But I'm not 100% knowledgeable about that.

    edit:
    If it was granted network access then network traffic should be tunneled through the VPN, but this is all done on device so the VPN is never involved.

    edit 2:
    It can read the network country code because that is one of the variables apps have access to, it doesn't have anything to do with network.


      For your first question, you likely weren't using airplane mode, so the app was able to determine the country code based on the surrounding cell towers and/or the SIM card in your phone, using the country code burnt in it. There's nothing unusual about this, and it's all documented on the GrapheneOS website.

      For your second question, the Amazon app you had in the same profile provided this to the Prime app, as the other user above said, apps can mutually agree to pass data back and forth. This is expected. If you don't want apps to be able to communicate with mutual consent, put them in different user profiles.

      For your first concern, there's already a filed feature request on the issue tracker:

      https://github.com/GrapheneOS/os-issue-tracker/issues/502

      For restricting app communication within the same profile, the project has been working on a feature that does this in a comprehensive manner, which will take a lot of work so that it's not leaky. Again, for now, using user profiles to isolate apps from one another is the correct approach. Details on this potentially upcoming feature here:

      https://twitter.com/GrapheneOS/status/1636042398043086850

      Now, if I may: it's perfectly fine to have questions and concerns. After all, you're using GrapheneOS because you care about security and privacy. But your wording makes it sound like what you experienced is outside of the norm, not documented or unknown, which is not the case. I would like to ask you to please frame questions like this as what they are... questions, and to not make claims that GrapheneOS is somehow not secure or private just because you experienced something you did not understand.

      I will also take the liberty to change the title of this thread to better describe your actual questions instead of the current title, which is sensational at best. Thank you for your understanding.

      matchboxbananasynergy changed the title to "Apps knowing SIM/Network country code / Apps sharing accounts between themselves".

      On point #2, understood. I had read so many comments on here and the prior Reddit forum which merely stated that "apps are walled off from one another." Perhaps it would be better as a community to couch that going forward so that these matters don't feel unusual.

      On point #1, while a fast learner, I'm not as tech savvy as many of the engineers and individuals who deal with GrapheneOS, so I'm not sure I fully understand the article. But to be plain, what you're saying is that even if a profile has no location access, no cell service, wifi and bluetooth scanning disabled, and the sole app on that profile has zero permissions whatsoever, that app can still access your country code while travelling?

      If you're not using airplane mode, yes. The same applies to cases where you're using a SIM card. Apps are able to access the SIM card's country code, which is how apps are able to "guess" your country code when they ask for a phone number etc.

      As mentioned above, this may be eventually addressed and it's an open feature request, but it's currently working exactly as expected. In other words, nothing is "broken", there's just an open feature request to make it so apps can't necessarily do that. :) I hope that explains things further!

        matchboxbananasynergy Thanks. Obviously the SIM card methodology makes sense. So too does it make sense if the app had network access. How does it access it when it has no permissions and there are no connections?