GlytchMeister

  • Joined Dec 18, 2022
  • IcyScroll gravity-reprint @angela @[deleted] @Dumdum @de0u @doct0rX @docsbibs92 @Dobroslav @dockcom @GlytchMeister @gravity-reprint @Xtreix @matchboxbananasynergy @Michiel

    Before I read them myself in detail I will copy and paste the app logs for you.
    The app crashes when no permissions are given to it, and these are the logs before the crash:

    type: crash
    osVersion: google/cheetah/cheetah:14/AP2A.240905.003/2024090400:user/release-keys
    package: com.amazon.mShop.android.shopping:1241279016
    process: com.amazon.mShop.android.shopping
    processUptime: 1128 + 255 ms
    installer: com.apkmirror.helper.prod
    
    java.lang.NullPointerException: Attempt to invoke interface method 'boolean java.util.Enumeration.hasMoreElements()' on a null object reference
    	at java.util.Collections.list(Collections.java:5791)
    	at com.amazon.mShop.error.NetworkManager.getIPAddress(NetworkManager.java:136)
    	at com.amazon.mShop.error.NetworkManager.getCurrentNetwork(NetworkManager.java:69)
    	at com.amazon.mShop.error.DeviceInfoProvider.initializeNetwork(DeviceInfoProvider.java:117)
    	at com.amazon.mShop.error.DeviceInfoProvider.initialize(DeviceInfoProvider.java:56)
    	at com.amazon.mobile.error.log.EnvInfoProviderInitializer.initialize(EnvInfoProviderInitializer.java:75)
    	at com.amazon.mobile.error.log.EnvInfoProviderInitializer.initialize(EnvInfoProviderInitializer.java:95)
    	at com.amazon.mobile.error.log.AppErrorDescriptor.backfillEnvInfoFields(AppErrorDescriptor.java:240)
    	at com.amazon.mobile.error.log.AppErrorLogHandler.log(AppErrorLogHandler.java:117)
    	at com.amazon.mShop.web.MShopWebViewClient.showErrorPage(MShopWebViewClient.java:394)
    	at com.amazon.mShop.web.MShopWebViewClient.onReceivedError(MShopWebViewClient.java:638)
    	at com.amazon.mShop.web.MShopWebViewClient.onReceivedError(MShopWebViewClient.java:724)
    	at com.amazon.mShop.web.MShopWebViewClient.onReceivedError(MShopWebViewClient.java:696)
    	at WV.XB.e(chromium-TrichromeWebView6432.apk-stable-661312733:70)
    	at WV.Q5.handleMessage(chromium-TrichromeWebView6432.apk-stable-661312733:406)
    	at android.os.Handler.dispatchMessage(Handler.java:107)
    	at android.os.Looper.loopOnce(Looper.java:232)
    	at android.os.Looper.loop(Looper.java:317)
    	at android.app.ActivityThread.main(ActivityThread.java:8623)
    	at java.lang.reflect.Method.invoke(Native Method)
    	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:580)
    	at com.android.internal.os.ExecInit.main(ExecInit.java:50)
    	at com.android.internal.os.RuntimeInit.nativeFinishInit(Native Method)
    	at com.android.internal.os.RuntimeInit.main(RuntimeInit.java:369)

    And the next are the logs after:

    1. Installing with no network permission.
    2. Disabling permission to Sensors (which are granted by default; at this point the logs are still pretty much empty).
    3. Enabling network permission, making it the only permission left.
    4. Opening the app. The app switches to my country specifics and language.
    5. Closing the app and disabling it.
    6. Copying the logs.

    In the logs, you can see the first line I found where the real country is mentioned. I took my time to pseudonymize all country code and country code specifics like language to Mexico (mx):

    CountryDetector: Getting network based country iso: mx

    Then there are several other lines setting up country and language on the app, you can find them by searching "mx" on the file.
    Here are the full logs:
    https://drive.proton.me/urls/DR50KXP204#zLD9WXupyhIx

    I think android developers would be able to draw very deterministic details about this. Keep in mind it'd be ideal to have ways to block whatever attribute the app is drawing or to at least be able to mock it.
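
Added example, not part of the original post: a short Python triage of a crash report in the format pasted above, separating the app's own stack frames from framework frames and collecting country lines like the `CountryDetector` one quoted. The embedded sample is constructed from lines in the post; the `triage` function and the rule that app code shares the first two labels of the package name are assumptions of this example.

```python
import re

# Constructed sample: header fields and frames copied from the crash report in
# the post, plus the CountryDetector line it quotes (already pseudonymized).
SAMPLE = """\
type: crash
package: com.amazon.mShop.android.shopping:1241279016
installer: com.apkmirror.helper.prod

java.lang.NullPointerException: Attempt to invoke interface method 'boolean java.util.Enumeration.hasMoreElements()' on a null object reference
\tat java.util.Collections.list(Collections.java:5791)
\tat com.amazon.mShop.error.NetworkManager.getIPAddress(NetworkManager.java:136)
\tat com.amazon.mShop.error.NetworkManager.getCurrentNetwork(NetworkManager.java:69)
\tat com.amazon.mShop.error.DeviceInfoProvider.initializeNetwork(DeviceInfoProvider.java:117)
\tat com.amazon.mShop.web.MShopWebViewClient.onReceivedError(MShopWebViewClient.java:638)
\tat android.os.Handler.dispatchMessage(Handler.java:107)
CountryDetector: Getting network based country iso: mx
"""

HEADER = re.compile(r"^(\w+): (.+)$")
FRAME = re.compile(r"^\s*at ([\w.$]+)\.([\w$<>]+)\(")
COUNTRY = re.compile(r"(\w+): [^:]*country iso: ([a-z]{2})\b", re.I)


def triage(report):
    """Return (header fields, app-owned frames, country signals) for one report."""
    head, _, body = report.partition("\n\n")
    fields = dict(m.groups() for m in map(HEADER.match, head.splitlines()) if m)
    # Assumption: the app's own code shares the first two labels of its
    # package name (here "com.amazon"); everything else is framework/WebView.
    owner = ".".join(fields["package"].split(":")[0].split(".")[:2]) + "."
    app_frames, countries = [], []
    for line in body.splitlines():
        frame = FRAME.match(line)
        if frame and frame.group(1).startswith(owner):
            cls = frame.group(1).rsplit(".", 1)[-1]
            app_frames.append(f"{cls}.{frame.group(2)}")
        country = COUNTRY.search(line)
        if country:
            countries.append((country.group(1), country.group(2).lower()))
    return fields, app_frames, countries


if __name__ == "__main__":
    fields, app_frames, countries = triage(SAMPLE)
    print(fields["package"], "installed by", fields["installer"])
    print("app frames, innermost first:", *app_frames, sep="\n  ")
    print("country signals:", countries)
```

On the sample, the innermost app-owned frames are the `NetworkManager` and `DeviceInfoProvider` calls, reached from the WebView error handler.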

  • GlytchMeister Hi @fid02, @Dumdum, @PaulDavis @angela @[deleted] @secrec @Dumdumdingdong @Xtreix @matchboxbananasynergy @Michiel

    Thank you all for being so attentive.

    I'll try to give reply to a few points that have been made.

    @GlytchMeister I don't actually want to use Amazon Shopping on high security setups, this behavior is something I observed on 2 other devices without graphene on it, what I wanted to do was to test it on graphene by downloading the app to make sure this wouldn't persist, but it did. Other apps are important for this setup that could potentially do the same thing, so I want to rule out that vulnerability.
    As I mentioned earlier, I did try amazon on vanadium which of course works on containing access for amazon to more data, and this would seem to fix the issue. All apps that can be used on Vanadium I use in Vanadium for this reason, however this doesn't address the problem, the fact that any app can correctly guess or know your location and who knows what else under conditions that shouldn't give it more access than a mere internet connection; it clearly has access to more.

    @matchboxbananasynergy The only permission I give the Amazon Shopping app is Network; in this case, it's the only one necessary to be able to use the app since it needs internet access. If I remove all permissions, the app doesn't work at all, it either crashes or it shows an error screen that doesn't tell me anything about what the app still knows, which wouldn't be that important under those conditions I think.
    Graphene has this great feature on showing app logs, what I'm going to do next in a few minutes is show you the crash logs when all permissions are removed, I found them very descriptive of what the app is trying to access and that should probably say something.

    @fid02 I did uninstall and reinstall on new profiles after having made changes to the device's timezone but the app still correctly guesses my location. I'm replying to this before checking your links which I will do next, however it might still be necessary to address the issue in different ways since I am not using SIM cards.

    angela I did pay with a credit card, the possibility you present sounds very extreme and too specific, which makes it all the more important to point out if all that tracking is being done just as you purchase a phone, because this could also imply device tampering, which would be all the more horrifying. However I need to rule out much more direct and civilized ways to track me first, Amazon in particular has no business at all guessing my location with so much power.
    Indeed there shouldn't be a country code without a SIM in it. Upon further analysis however, I would also be able to make sure an app can't access that information even with a SIM card on it. However I'm not testing with SIM cards installed at the moment, so I will leave that as a next step.

    Xtreix timezone was changed, network country code was sort of ruled out since I'm not using SIM, so I still need to find a different identifier and make sure that at the very least it isn't too revealing.

    I may check if there's anything about my router that could tell something, however my router setup is already pretty specific and I don't anticipate for that to reveal a lot, who knows tho.

    I would like to invite others to replicate these conditions, particularly if they're outside the US which I'm just guessing would make any guesses from the app more evident, and see if the issue is present.
    Basically it is: No SIM card, Mullvad or IVPN in very extensive configurations: relaying IPv6, lockdown mode, etc etc. Removing all permissions except for internet access, everything in a profile dedicated to just test the Amazon Shopping app, and then just about any variable you can remove.
    This is something I observed across different restrictive setups and devices but I found it extraordinary to still happen on a graphene phone.

    I will be pasting the app's logs in my next reply, thank you all again.

    • [deleted] I agree with @GlytchMeister . Using a trusted VPN like Mullvad (and not logging in to reddit of course) is pretty much the main way of obscuring your identity while using Infinity.

      Infinity already sends the minimum amount of data to reddit when accessing the site, and it does block ads so using the default DNS server of your VPN is best as you don't need to use a separate DNS server to block loads of stuff. In fact I think it's almost always best to use the default DNS server when using a VPN as using another one can make you stand out. One thing I personally wouldn't do, unless you can't afford a VPN, is use Tor/Orbot to access something like infinity, or mobile phone traffic in general. I think it could make you stand out more than using a VPN as it's probably much less commonly done (except using the Tor browser, but according to GrapheneOS Gecko-based browsers are not recommended due to security concerns - look at the 'Web browsing' section in the Usage guide).

      By the way, I may well be wrong in my opinions, I'm just giving you my views based on my understanding of things.

      As @GlytchMeister said, privacy is an arms race and a sliding scale. So I think the best thing to do, as long as your threat model allows, is just try to take steps to improve your situation, but don't go too far down the rabbit hole trying to achieve perfect privacy. It just isn't worth it IMO

    • @mmmm
      @GlytchMeister
      I don't know about an explicit RethinkDNS guide, start with my post above, description of specific features can be found on RDNS's github page, there's a lot of explanations in the issues.
      You may want to open an RDNS thread here on the forum, pretty much sure there are some GOS users around that use RDNS, kind of a "place to go about RDNS" where we can help and answer questions...?

      • Sbpr Thank you for suggesting Heliboard and SMS Backup & Restore. I will check these out =]

        That's not a bad idea with Voice. I don't want Google to get my IP using WebRTC so I wouldn't be able to use audio or video (from my understanding at least, given that it would access my camera/mic). @GlytchMeister suggested JMP/Cheogram, so perhaps that would be easier? Plus I'd like google not to have my messages. For maps I could try the PWA, but then I might not be able to automate the switch to OSMand, unless you know of a way?

      • @GlytchMeister see https://grapheneos.org/usage#esim-support

        containerized inside itself?

        By default, GrapheneOS has always shipped with baseline support for eSIM, where users can use any eSIMs installed previously on the device.

        GlytchMeister I guess GOS has the proprietary google stuff needed to make esims work kinda

        In order to manage and add eSIMs, proprietary Google functionality is needed. This is fully disabled by default.

        never had to download any google nonsense.

        eSIM support on GrapheneOS doesn't require any dependency on Google Play, and never shares data to Google Play even when installed.

      • @GlytchMeister Safe mode is not it. The bootloader interface is called fastboot, it's got a red triangle and a primarily black background to it, try again.

      • Hi @GlytchMeister! I know that the topic is more broad in nature, but since you brought up a specific example, let me try to address that in particular.

        Molly (which as you know, is based on Signal) is open-source, yes. However, it does contain some Google libraries for notifications, as well as Google Maps integration for sharing location with contacts.

        Molly-FOSS strips those components out and replaces location sharing with OSM (OpenStreetMaps, which is a community-sourced mapping alternative), and for notifications, it only provides websockets as an option (which is the fallback on regular Signal/Molly for cases where Google Play is not detected on first launch). Websockets don't rely on a 3rd party service, but drain more battery.

        Currently, Molly provides these two separate options (Molly and Molly-FOSS), as well as a 3rd option, Molly-UnifiedPush which is essentially Molly-FOSS along with the ability of using UP (UnifiedPush) for notifications.

        I hope that helps!