Using Apps With Known Trackers With No Google Play Services?

Sorry, this is probably a dumb question.

I wasn't sure how to phrase this question correctly, but I'm wondering if I can use apps with known trackers, such as Spotify and the USAA banking app, on my main profile that has no Google Play services installed and somehow prevent these apps from "spying" or tracking me.

According to Aurora Store, Spotify and the USAA banking app all have trackers embedded into the app. Avoiding these trackers was one of the main reasons I switched to GrapheneOS.

On my main profile, I have nothing but FOSS apps from F-Droid installed. I don't want to have to switch to another profile just to use apps like Spotify so I can listen to music, but at the same time, I don't want Spotify to track me. From what I understand, many of these proprietary apps, such as Spotify, monitor network traffic from the router level, which is incredibly privacy invasive.

Can I use these apps without being tracked on my main profile, which does not have Google Play services installed?

Thanks.

    rkeenan You need to understand what an app "can see".

    Spotify is an extremely "surveilling" app filled with the worst analytics elements. Naturally an app like Spotify WILL gather EVERYTHING it can see.

    My memory is not great on this but I believe it can see:

    • Android ID
    • Vanadium fingerprint
    • device fingerprint (?? audio, GPU, etc.?)
    • MediaDRM fingerprint
    • devices on the network (perhaps?)
    • list of installed apps
    • Google Play Store IDs (if Play Store is installed)
    • files it has created
    • files you have given it access to
    • system settings like: time zone, language, color mode, background colors, country code
    • IP address
    • If you click a link and it opens in a different browser than Vanadium and takes you to Spotify or an affiliated website, then the fingerprint of that browser.

    I might have missed something.

    There are known tracker library binaries included in Spotify that can be detected by apps like Exodus Privacy. These trackers could be blocked using some tracker-blocking network filter apps; however, this is not effective. Spotify can also use other methods that are unblockable to still export all data it has access to to their servers.

    If Google Play is present then Spotify will definitely link and share data with it such that your "identity" will likely pass from one to another. Remember that Spotify has your CC info and hence your identity.

    If so, then that identity becomes associated with the Android ID of that profile; and any other privacy-invasive app that doesn't know your identity but knows your Android ID and colludes with Spotify/Facebook will then know who that profile belongs to.

    I say Facebook because Spotify uses Facebook analytics and colludes with Facebook (aside from others). So once Spotify has your profile identity, so does Facebook, and Instagram, and WhatsApp.

    I don't wanna scare you further by delving into what happens if they get a hold of your home IP. So let's stop here.

    So it might be a good idea to put an app like Spotify in a separate profile where every app in that profile "knows" your identity and put an always-on VPN on that profile. That way they can have an orgy with your identity in that profile all they want, and no further harm is done. There will be nothing further for them to gain.

    rkeenan You'll need to clarify what you mean by "being tracked" and why you believe that it can only happen if you use apps which use certain third party libraries on someone's very arbitrary blacklist.

    Exodus Privacy has inaccurate information about how app permissions work and highly misleading information about what they call trackers. They have a list of specific third party libraries they decided are privacy invasive, often with questionable reasoning, and they detect whether apps contain those libraries. Lack of those libraries does not indicate an app is privacy friendly. Here's the official Facebook app:

    https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/

    We have not found code signature of any tracker we know in the application.

    The permissions list demonstrates how it's not based on the way the permission model works. They should be showing that they're grouped into permission toggles that are not granted when you install the app, special access permission toggles, the battery restriction toggle and case-by-case control for others. Why do they list them all out as if they get granted at install time?