top | item 46062737

(no title)

xiaomai | 3 months ago

Native phone apps give me the creeps. I assume the developer's are able to track me in various ways even without my giving permissions. Is that an unfounded fear on my part?

Can an app uniquely identify me if I don't give it control over my phone number / nearby devices?

Can apps geo-locate me if the location permission has not been granted? (seems like they could just make a network request to their servers and use the IP address of the request for a rough idea).

I _really_ wish using the network was a permission (even if it was an "advanced mode" thing).

discuss

Flere-Imsaho|3 months ago

Android 15 supports Private Space [0] that is essentially a separate profile you can install apps into that you can put to sleep. Basically I put all low trust apps into it, but can still access easily enough.

[0] https://support.google.com/android/answer/15341885?hl=en

bashkiddie|3 months ago

The web page says Private Spaces can hide an app from the user.

What I want to do is hide my address book and gallery from the app.

throw4039|3 months ago

Network is a permission on Android, it's just that phone manufacturers and likely Google don't want you to be able to control it. Most custom ROMs, including GrapheneOS expose it properly, often at the install dialog.

lsaferite|3 months ago

They really should just let me spoof all the permissions and associated data for apps if I don't want them to have the access.

TrianguloY|3 months ago

On play store you can see the permissions that an app uses and they are grouped by category. Have full network access is set in the "others" category, same as notifications and vibration. This is a category where (supposedly) permissions are automatically granted.

But to be honest, other similar dangerous permissions like "view network connections" and "receive data from internet" are also there, categories are for "camera", "microphone" etc.

I suppose that the average user is more concerned about specific features, and since basically almost all apps require internet it may be there to avoid noise. Still, an "internet" category would have been nice...

Animats|3 months ago

"Network" is too broad. What you really want for most apps is "can only talk to its home domain from which it was downloaded".

jampa|3 months ago

In the beginning of Android / iOS, just installing an app and registering was enough for the company to get your device's MAC address and thus your indoor location with accurate precision.

They could access your Wi-Fi network's BSSID (whose location is often public due to wardriving databases), and in public places, they had partner companies (malls, airports, etc.) whose routers would triangulate your position based on Wi-Fi signal strength and share information like "John is in the food court near McDonald's."

All of this happened without you even needing to connect to their Wi-Fi, because your phone used to broadcast its MAC address if the Wi-Fi was simply on. But now your MAC is now randomized, but it took a lot of time for Google / Apple to this.

fluoridation|3 months ago

What do you mean? The MAC address is used to identify the device within the same network segment. A program running on the device cannot derive location information just from the MAC address. It's a meaningless number. What the MAC address can do is make you visible to other devices in the same network segment. So for example, a wireless router can know you're nearby because your known MAC address has joined the network, but this is a problem regardless of what apps your phone is running.

m463|3 months ago

> Is that an unfounded fear on my part?

no. especially with the value of data. Many apps just link into some advertising sdk that does anything it can get away with.

and it is unfortunate that people are shamed for being conservative (want a tinfoil hat?)

disambiguation|3 months ago

Netguard solves this, available on the play store and F droid

https://netguard.me/

Flere-Imsaho|3 months ago

Pro tip: use the fdroid version as it allows you to set a host file to also filter ads, etc.

https://github.com/M66B/NetGuard/blob/master/ADBLOCKING.md

aceazzameen|3 months ago

Netguard is fantastic. I even use it on my Sony android TV to block everything except for a few streaming apps.

evilduck|3 months ago

Netguard is amazing but I'm convinced the dev is mildly colorblind and unaware of it. The color choices and even optional themes are... something.

lsaferite|3 months ago

I love netguard. Some apps refuse to work without network access, but most work fine. The lack of ads is great.

n4bz0r|3 months ago

How does it work without root? Any app can just block other apps from connecting to the internet?

ivanjermakov|3 months ago

> Can an app uniquely identify me

Even browsers can identify* you, if they really want to.

*not as cleanly though, could be tricky for fingerprinting to track one user across different devices/browsers/netowrks.

Recent discussion on fingerprinting: https://news.ycombinator.com/item?id=46016249

unknown|3 months ago

[deleted]

snthd|3 months ago

Facebook & Yandex used apps to correlate browsing sessions to the app user.

https://localmess.github.io/

noman-land|3 months ago

Simply your IP address can be used to track you so any app or website you visit knows roughly where you are with every http request unless you use an always on VPN. It can also fingerprint you in various ways without the need for any special permissions.

xiaomai|3 months ago

Agree with you about fingerprinting (also a bummer). I guess the difference here though is that I must be actively engaging with a website in order for it to be tracking me, but an app (I assume) can be tracking me basically whenever it wants.

bji9jhff|3 months ago

Then the VPN provider does geolocation instead and get the list of hosts you accessed

ChrisMarshallNY|3 months ago

iOS always asks for permissions. I suspect the same is true for unrooted Android.

But the general pattern is that you install some stupid vendor crapplet, and the first thing it does, is ask for every permission on your phone. Native apps can access a lot more stuff than ones restricted to a WebView sandbox. That's why they want you to use them.

No thankee.

raw_anon_1111|3 months ago

Exactly what do you think an app can get off of your device that a website can’t without your permission?

encom|3 months ago

>Is that an unfounded fear on my part?

Given the security record of app stores, probably not.

beAbU|3 months ago

Are you not exposed to all these things via a webpage as well?

frizlab|3 months ago

They can track you on a website perhaps even more reliably than on an app, at least on iOS…

galleywest200|3 months ago

The difference is I am not carrying around my desktop computer, the location data stays static.

raw_anon_1111|3 months ago

You realize that if you are concerned about apps tracking you without you explicitly giving it your location, a website could do the same since there are browser APIs that can retrieve the same information only gated by the same OS controls?

When you go to a website, they have always known the originating IP address.

rejhgadellaa|3 months ago

Not entirely true. Browsers are paranoid by default (because visiting a website is as easy as clicking a link). Operating systems aren't (because the user explicitly installed an app, it's been "vetted" by app store experts, and because... well, the OS vendor wants you to build native apps and not a website, so they have to make it worth the extra trouble of building a separate app for each platform instead of one website that works everywhere).

Also, browsers tend to bring their own sandbox (on top of what the OS already does). For example, Chromium was able to mitigate Meltdown/Spectre before OS vendors shipped an update (except on iOS where browsers can't bring their own engines, so iPhone users had to wait for Apple to ship an OS update...)

doctor_radium|3 months ago

Better (?) browsers also have an internal switch to disable location.