Uber App Phone Number Leak

d9780

I was setting up a burner uber account in airplane mode and the app new the real device phone number? Am I doing something wrong that it can see the phone number of my device?

DeletedUser115

d9780 Did you give Uber "Phone" permission?

treequell

d9780 I was setting up a burner uber account in airplane mode and the app new the real device phone number?

Which permissions have you given Google Play Services?

[deleted]

d9780 You probabaly got this screen telling you to select your phone number, and once you selected it, Uber got your phone number; This feature is provided by Google Play services for app developers.

d9780

DeletedUser115
It has network, notifications and sensors (it had location too but I removed it). It had those 4 approved without me doing anything/was there after download...

DeletedUser115

d9780 That's very weird. Sensors are enabled by default but others should not. And most importantly an app should not be able to get your SIM phone number without the Phone permission (they can see country code tho).

d9780

DeletedUser115
Yea, the app doesn't have phone permissions but the user profile does have call and text permission... Is that maybe where I'm getting the leak?

leoLela

Assume you have an app in a user profile (not in the main profile). You give that app Phone and SMS permissions. But the user profile does not have access to phone and SMS. Can the app still read your phone number?

d9780

treequell

treequell
I don't know how to set GPS permissions. I thought we had to do it for each app only. Please advise how I change GPS permissions.

If you wanted to be a real sport you could tell me what permissions you allow gps...??

treequell

d9780 Open Settings > Apps > Sandboxed Google Play > Play Services app info > Permissions, to manage the permissions.

Most apps that depend on Google Play Services will work fine if Google Play Services has only the network permission. You need to give it unrestricted battery usage for apps that depend on Google Play Services for push notifications. There are a few apps which have a tighter dependency on Google Play Services, and for those apps additional permissions for Google Play Services might be required.

d9780

treequell
Thank you. It had 5 permissions. I restricted it to network only. I guess I need to do that in all profiles?

d9780

treequell

I thought they needed network AND sensors?
U think most r OK with network only?

treequell

d9780 Thank you. It had 5 permissions. I restricted it to network only. I guess I need to do that in all profiles?

If you gave Google Play Services the phone permission, that's probably why Uber had access to it too.

d9780 I thought they needed network AND sensors?
U think most r OK with network only?

You don't need to give Google Play Services or any other Google apps that you use the sensors permission. One Google app that can be useful to enable sensors for is Google Camera, if you use that.

[deleted]

d9780 It had 5 permissions

Installing just a couple of messaging apps in the same profile as Play will do it. These can often be dismissed and the app will work just fine.

[deleted]

treequell If you gave Google Play Services the phone permission, that's probably why Uber had access to it too.

Do you have any evidence that Google Play services shared the phone number with Uber or is it just your assumption?

[deleted] Installing just a couple of messaging apps in the same profile as Play will do it.

The user has to grant permissions, Installing "just a couple of apps in the same profile as Play" will not do It.

d9780

[deleted]
Thanks!/What do you mean by 'will do it'?

I have signal, mysido and wickr in most of my profiles..... Should I b taking precautions in my permissions if I have multiple messaging apps in an profile?

[deleted]

d9780 It's generally a good habit to scrutinize all runtime permissions.

Sandboxed Google Play doesn't come with any standard runtime permissions (as compared to stock). If you had installed a couple of messaging apps, to take a commonplace example, in the same profile as Sandboxed Google Play, they can detect it and use it (eg. to grab the SMS verification code without their app needing the SMS permission).

If you don't scrutinize these and similar permissions (for example, by denying them and seeing is you can input code manually), Play services on your GrapheneOS device can accumulate a whole host of them. This is how you end with 'leaks' above. These Play services permissions can often be bypassed. You won't see them on regular Android devices with GMS because they start out with all the standard runtime permissions granted.

[deleted]

[deleted] The user has to grant permissions, Installing "just a couple of apps in the same profile as Play" will not do It.

I should've added 'mindlessly', but not only was it clear from the context, as OP had granted Play services 5 runtime permissions without seemingly understanding that they had done so, but also from my further reply where I underlined that these permissions need to be manually granted on GrapheneOS (as compared with GMS devices) so you're being nitpicky over nothing.

[deleted]

[deleted] Do you have any evidence that Google Play services shared the phone number with Uber

I meant:

Do you have any evidence that Google Play services shared the phone number with Uber without user consent

d9780

[deleted]
Google play didn't have phone permission in the profile nor did that profile have calling/text ability.....