• GeneralSolved

  • does grapheneos prevent sending metadata to whatsapp?

yourmother Realistically, there's not going to be much difference in the metadata you send to WhatsApp using GrapheneOS compared to stock Android. There are some benefits of the additional hardening of GrapheneOS, as per the features https://grapheneos.org/features listed, but most of the metadata is provided by you using the app itself.

GrapheneOS does help limit WhatsApp's use of sensitive permissions, which can help somewhat. The camera, microphone and location permissions you can give access one time only, if required at all. Only select Files and Contacts can be shared with Storage and Contact scopes features.

On WhatsApp, conversations are end-to-end encrypted, meaning the content of the messages can't be read by WhatsApp. But WhatsApp lacks a feature like Sealed Sender from Signal which when enabled has minimal metadata collection: https://signal.org/blog/sealed-sender/. Broadly speaking, this means that WhatsApp knows when and with whom you are speaking, but not what you are saying.

Metadata can be collected and used, as per WhatsApp's privacy policy: https://www.whatsapp.com/legal/privacy-policy.
Their privacy policy can also be arbitrarily changed, the most recent of which in 2021 generated a fair amount of controversy:
https://www.wired.co.uk/article/whatsapp-instagram-facebook-data.

Hope that somewhat helps to clarify things for you.

      treequell
      thank you very much for your answer. i appreciate it
      Bit disappointing that grapheneos can't do more about it
      that no-one has invented a sandbox or virtualbox or something that can filter or scrambled the metadata.

          • [deleted]

          • Post #7
          • Edited

          yourmother That's not possible. WhatsApp is garbage, and there is nothing that can be done about it. Only Meta can change that, but they won't because they make good money from your metadata.

          You should be disappointed by WhatsApp and Meta and not by anything else.

            • [deleted]

            • Post #9
            • Edited

            yourmother GrapheneOS cannot, should not and will not somehow arbitrarily modify Whatsapp at runtime and send less metadata to Whatsapp servers, because Whatsapp servers will detect that as a malicious and may block the device from using Whatsapp.

              I'm probably fooling myself with this setup, but to minimize the amount of data collection from Whatsapp, I do the following:

              • Remove all permissions from the app with the exception of Network, which for obvious reasons is needed for the app to work.
              • If I need to share, say an image, I remove the Exif data from it, I use the gallery app to share that image with Whatsapp instead of giving it access to Storage. I typically delete the modified image right after sharing it.
              • I run Whatsapp through a VPN (in my case Adguard) and enable a tracker blocking DNS within the VPN app

              I know this will not block all trackers or will not limit all data collection within the app. Unfortunately for a number of my contacts, it's either that or using SMS. they won't move to alternatives like Signal etc. because they don't want another app on their phone....

                What are metadata ? They are the time, the sender, the receiver of a message for example. There is no way you can prevent any communication app from accessing that kind of data. Plus I suppose they collect data such as what kind of terminal you are using, ... So the best (if not only) way to avoid WhatsApp from getting metadata from you is not to use WhatsApp.

                a month later

                Max-Zorin I run Whatsapp through a VPN (in my case Adguard) and enable a tracker blocking DNS within the VPN app

                why? vpn does not preventing collecting private data.
                metadata like time, the sender, the receiver of a message etc are in the message. vpn can'nt block that.

                    6 days later

                    yourmother

                    So Whatsapp / Meta doesn't know my real IP address as I'm assuming it collects that information. I have the VPN location in another city.

                    I also use a burner phone number and not my main number for Whatsapp.

                        • [deleted]

                        • Post #15
                        • Edited

                        Max-Zorin I also use a burner phone number and not my main number for Whatsapp.

                        What's the point of using burner number with WhatsApp/Signal? Numbers are there to make it easier for others to find you (ostensibly). But even if you initiate every conversation, having some random number has to create some amount of cognitive burden for family/friends/colleagues. Unless you're using WhatsApp to participate in random groups outside of your circle of friends or something along those lines.

                        WhatsApp already has your main number anyway.

                          • [deleted]

                          • Post #16
                          • Edited

                          I use WhatsApp as my secondary messenger. Because pretty much everyone has it, it allows for E2EE messaging with anyone without pestering people to install yet another messenger so we can exchange some mundane information.

                          I don't stress about metadata collection too much even though WhatsApp privacy notices remains pretty opaque.

                          That said, if someone wants to have regular back-and-fourths with me, I will insist on moving to Signal. I find it's a good balance and I have yet to encounter any resistance.

                          What really creeps me out is Telegram, not WhatsApp.

                            [deleted] What really creeps me out is Telegram, not WhatsApp.

                            I also don't like Telegram, because to have a fully encrypted conversation using opensource part of the messenger, you have to specifically initiate "Secret Chat". Which is OK, but inconvenient when you like to continue the same conversation on a desktop client...

                                • [deleted]

                                • Post #18

                                katemason As Moxie put it, Telegram app on your phone is just a "view" onto their servers, where the data actually lives.

                                And as anyone who ever used it in the wild with 'regular' folks can attest, no one is using their Secret Chats. But to stay on topic, unlike WhatsApp which at least tries to put its metadata retention in semi-concrete terms involving time periods, Telegram privacy notice doesn't even make an attempt at that, basically saying they store what they store as long as it is necessary.

                                Ever-present Durov rants, their silly 'No-SIM Signup' and other blockchain nonsense also do any inspire any confidence in its future.

                                When it comes to E2EE messaging defaults matter as this study demonstrates. The amount of people I meet that insist on moving our conversation from WhatsApp to Telegram because 'it's more secure that way' is pretty amazing. Telegram's marketing has really done a number on a lot of people

                                  8 months later

                                  Hello, treequell
                                  I recently sent a product link to my friend who lives abroad to buy it for me. I didnt search for it anywhere. Soon as i opened insta, adflood began related to that product. I never searched for anything related to that product before. I used hardened brave to search for the link.

                                    5 months later

                                    Max-Zorin I haven't used WhatsApp for years but am currently thinking about a similar setup (because of people who refuse to install literally anything else), but what I am asking myself regarding the VPN: Is WhatsApp able to e.g. access the current radio cell my smartphone is logged in? Or is it able to scan all nearby WiFis? Because then the VPN would not be so helpful because they can always get your location from these sources.

                                        6 days later

                                        snafu

                                        That's a good question and I really can't answer it. Like I said in my original post, maybe I'm fooling myself on some things with my setup.

                                        I was hoping with the location permission denied to Whatsapp, even if I gave it Network permission somehow the location would not be included through WiFi scanning or Cell tower scanning. But to know that someone would need to understand the inner workings of GOS and Android.

                                            6 days later

                                            Max-Zorin Ok thanks. I installed WhatsApp now in a separate profile with VPN always on and gave it only network, contacts (no problem in the separate profile) and microphone for being able to send voice messages. Should be pretty ok. The only thing they probably still can steal is the timezone because I assume that this is publicly available to all apps and also cannot be changed on a per profile basis but only for the whole smartphone. This might not be relevant if you're always in the same timezone, but for me it would be a nice feature to fake this because I am switching more or less frequently.