I haven't tried it with WhatsApp so I'm not sure if it would even work. I'm curious about the privacy implications before trying it.
Phone permission in user profile with "Turn on phone calls & SMS" disabled
Bump, as I am also interested in this.
I've just done some testing using an app which displays the phone's numbers currently being used. Turns out that yes, apps can read your phone number(s) in secondary profiles with the "Turn on phone calls & SMS" toggle disabled.
I am having a similar problem with a banking app in a user profile that will not start or stop working unless you grant "phone ID" permission, stating that it will never make a call by itself, but needs this to sort of tie the app to your phone. If you allow the app to have this "phone ID" permission, in the phone settings the banking app shows "network", "sensors" and "phone" among the permissions granted, i.e. it doesn't say "phone ID" permission and that "phone" permits to start and manage calls.
Now like @graphene32942 I am asking myself what the banking app is able to see because of this permission. I read that it should be the phone number or phone numbers (if you have a second one installed), according to @Delaney. I already don't like that too much, because I have other banking apps, that don't want this permission. But on the other hand my bank already has the mobile phone number anyway.
This brings me to the question what else the app can do with this "phone" permission. Is it able to see the IMEIs e.g.? The banking app I am talking about here also needs Google Play Services installed, i.e. not only while setting up the banking app, but to keep it running. So I am not so happy with this app as you might imagine.
Has anybody any idea or can someone from the GrapheneOS team please answer this question, what "phone" permission exactly allows an app to do and to see?
I kept searching for some hints and read* that only privileged apps seem to be able to read the IMEI, but I am not sure if this is true and my question remains what an app can do and what it can read on a GOS smartphone with "phone" permission.
*
https://stackoverflow.com/questions/72949977/how-get-imei-of-device
https://android.stackexchange.com/questions/251545/read-phone-status-and-identity-privacy-issue#
https://stackoverflow.com/questions/77319116/get-imei-number-on-rooted-device-using-adb-on-android-14
https://www.androidauthority.com/app-permissions-886758/
(Please note that I don't necessarily agree to the content of those links. I am just posting them as a reference to what I have read so far)
In my bank's privacy policy it says that their payment app needs phone permission to access the "Android Serial Number", for security reasons, i.e. to make sure no one will run a copy of the app. Is this really true? Does phone permission allow to access the phone's serial number? On GOS? Or maybe only on stock Android?
I have been reading articles on permissions online and what they do, but I'm still not sure, what is true. One article stated e.g. that phone permission allows to "access your phone number and network info. Required for making calls and VoIP, voicemail, call redirect, and editing call logs."
Maybe anyone with advanced knowledge on permissions can answer this, please?
Apps cannot access hardware identifiers:
https://grapheneos.org/faq#hardware-identifiers
Perhaps the app you're talking about has had that dialog for years and it's a remnant.
matchboxbananasynergy Thanks for your reply.
My bank's privacy policy, cited above, is dated September 2022. It says (translation): "Phone permission: The pay app requires access to the Android serial number of the smartphone. This access is necessary for security reasons in order to prevent the creation of copies of the App Pay and its misuse." And the pay app asks for phone permission during the installation process. If you deny that, it won't start, if you revoke it after setting it up, it won't start anymore.
So, if I get you right, the serial number would be considered a hardware identifier and thus not accessible with phone permission since Android 10. I will ask the bank's IT service why they still ask for this permission.
And what about the phone number? Is it true that an app with phone permission can read the phone number, i.e. the phone numbers of the sim cards in the phone?
Thank you.
Just to make sure I understand correctly, if I use WhatsApp in a secondary profile with the "Turn on phone calls & SMS" toggle disabled, it will be able to read my phone number, right? Are there any other identifiers accessible to an app with "Phone" permission in the "Owner" profile but not in a secondary profile (with the "Turn on phone calls & SMS" toggle disabled)?
nixlobster1052 if I use WhatsApp in a secondary profile with the "Turn on phone calls & SMS" toggle disabled, it will be able to read my phone number, right?
If you grant it the phone permission, yes. The "Turn on phone calls & SMS" toggle seems to focus only on what the user can do in the profile, so it has no influence over what apps can or can't access.
Are there any other identifiers accessible to an app with "Phone" permission in the "Owner" profile but not in a secondary profile
Based on my limited experimenting, apps will have access to the same identifiers regardless of whether it is an owner profile or secondary. That said, the values of some identifiers will differ for each profile, such as the ANDROID_ID, which is unique for each profile.
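Added example, not part of any post in this thread: the single "Phone" entry in Settings covers several distinct runtime permissions, and grants are stored per user profile, so one way to see what an app actually holds is to parse the per-user section of `adb shell dumpsys package <package>` output. The package name `com.example.bank`, the sample text (constructed, modelled on that command's output) and the one-line summaries are assumptions.

```python
import re

# Runtime permissions that Android's Settings UI presents together as "Phone".
# Summaries paraphrase the Android permission documentation.
PHONE_GROUP = {
    "android.permission.READ_PHONE_STATE": "read call state and network/SIM info",
    "android.permission.READ_PHONE_NUMBERS": "read the device's phone number(s)",
    "android.permission.CALL_PHONE": "start calls without going through the dialer",
    "android.permission.ANSWER_PHONE_CALLS": "answer incoming calls",
    "android.permission.ADD_VOICEMAIL": "add voicemail entries",
    "android.permission.USE_SIP": "use the SIP service",
    "android.permission.ACCEPT_HANDOVER": "continue a call started in another app",
}

# Constructed sample: user 0 is the Owner, user 10 stands in for a secondary profile.
SAMPLE = """\
Packages:
  Package [com.example.bank] (0a1b2c3):
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1 installed=true hidden=false
      runtime permissions:
        android.permission.READ_PHONE_STATE: granted=false, flags=[ USER_SET ]
        android.permission.READ_PHONE_NUMBERS: granted=false, flags=[ USER_SET ]
    User 10: ceDataInode=2 installed=true hidden=false
      runtime permissions:
        android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET ]
        android.permission.READ_PHONE_NUMBERS: granted=true, flags=[ USER_SET ]
        android.permission.POST_NOTIFICATIONS: granted=true, flags=[ USER_SET ]
"""

USER_RE = re.compile(r"^\s*User (\d+):")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

def granted_phone_permissions(dumpsys_text):
    """Return {user_id: {permission: summary}} for granted Phone-group permissions."""
    result, user = {}, None
    for line in dumpsys_text.splitlines():
        m = USER_RE.match(line)
        if m:
            user = int(m.group(1))
            result[user] = {}
            continue
        m = PERM_RE.match(line)
        # Lines before the first "User N:" header are install-time permissions.
        if m and user is not None and m.group(2) == "true" and m.group(1) in PHONE_GROUP:
            result[user][m.group(1)] = PHONE_GROUP[m.group(1)]
    return result

if __name__ == "__main__":
    for uid, perms in granted_phone_permissions(SAMPLE).items():
        print(f"user {uid}:", ", ".join(sorted(perms)) or "no Phone-group permission granted")
```
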