this post was submitted on 22 Dec 2024
31 points (80.4% liked)

Android

28194 readers
193 users here now

DROID DOES

Welcome to the droidymcdroidface-iest, Lemmyest (Lemmiest), test, bestest, phoniest, pluckiest, snarkiest, and spiciest Android community on Lemmy (Do not respond)! Here you can participate in amazing discussions and events relating to all things Android.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules


1. All posts must be relevant to Android devices/operating system.


2. Posts cannot be illegal or NSFW material.


3. No spam, self promotion, or upvote farming. Sources engaging in these behavior will be added to the Blacklist.


4. Non-whitelisted bots will be banned.


5. Engage respectfully: Harassment, flamebaiting, bad faith engagement, or agenda posting will result in your posts being removed. Excessive violations will result in temporary or permanent ban, depending on severity.


6. Memes are not allowed to be posts, but are allowed in the comments.


7. Posts from clickbait sources are heavily discouraged. Please de-clickbait titles if it needs to be submitted.


8. Submission statements of any length composed of your own thoughts inside the post text field are mandatory for any microblog posts, and are optional but recommended for article/image/video posts.


Community Resources:


We are Android girls*,

In our Lemmy.world.

The back is plastic,

It's fantastic.

*Well, not just girls: people of all gender identities are welcomed here.


Our Partner Communities:

[email protected]


founded 2 years ago
MODERATORS
 

Basically I've acquired a burner Android 8 phone and am running the target.com app which is the only way they let you get parking lot delivery at the store. I assume the Target app is spyware. I keep the phone powered off almost all the time which should limit the spying. The thing is, if I power up the phone and order something, then close the app, I still get an alert when the status of the order changes (e.g. it's ready for pickup). So the app is still listening for network traffic from Target.

Can anyone explain what is happening in Android and whether there is a way to make an app really stop? Does the app stay in a running state even after I've closed the UI part of it? Is there somethng like an inetd in Android that listens for network alerts and re-launches the destination app? Are there Android app permissions associated with this, that I can revoke?

I don't want to run this type of app on my main phone, but I had at first liked the idea of using a burner for such things. Now, though, I wonder if I need a separate burner for each suspicious app. Thanks.

top 27 comments
sorted by: hot top controversial new old
[–] [email protected] 66 points 6 days ago* (last edited 6 days ago)

Push Notifications: https://en.wikipedia.org/wiki/Push_technology

The app isn't listening, Google Play Servicea is. The app registered with the push server to send you notifications.

[–] [email protected] 33 points 6 days ago* (last edited 6 days ago) (2 children)

I definitely use a different burner phone for every app. It's obviously the only sane way to use apps. Ive got my email phone. My weather phone. My alarm phone. A phone for each one of my contacts. Right now Im on my lemmy-only phone, with all of the others powered off and in thier separate faraday bags. Having a separate phone just for the app I use to order something is a must. How dare they tell me the status of the order I paid for? Who do they think they are!? On Sundays I use my magnet wand and wipe each and every phone, just to be sure.

[–] [email protected] 8 points 6 days ago (1 children)
[–] [email protected] 4 points 6 days ago

Needs to include "I have no friends, my family are all horrible, and people of the opposite sex don't pay me any attention" to get closer to average.

[–] [email protected] 1 points 6 days ago* (last edited 6 days ago) (1 children)

I realize you're being facitious but as a matter of fact, the Target app (plus Google Play) are the only apps I have installed so far that didn't come from F-droid. Google Play was needed to install the Target app. I figure that the F-droid apps have had enough vetting that I tend to not worry about them too much. I have never installed or used Google Play on my "real" phone. I only installed it on the burner in order to install the target app there.

I confess to occasionally using some of the preinstalled google apps on my main phone, such as the camera app. I will get around to checkng out F-droid versions one of these days.

[–] [email protected] 3 points 5 days ago

Look up microg, with that you can use apps like that without play services

https://microg.org/

[–] [email protected] 23 points 6 days ago* (last edited 6 days ago) (2 children)

What are you trying to protect against? Having a separate burner phone just for Target feels like overkill to me. If you're worried about Target spying then why not just go into the store to buy things, and pay in cash?

Can anyone explain what is happening in Android a

It's using Firebase Cloud Messaging which is a Google service

Are there Android app permissions associated with this, that I can revoke?

You can revoke notification permissions for an app, but then you won't get notifications of course.

[–] [email protected] 7 points 6 days ago

Just to expand on this. The app likely isn't always running in the background listening (since that's what it seems the op thinks). The push message causes the android system to wake the app to deal with the message. Otherwise it's not actively running (and you can limit background running in android settings per app).

[–] [email protected] 4 points 6 days ago* (last edited 6 days ago) (2 children)

I prefer to avoid going in the Target store because of the long waits and for healh reasons. Parking lot pickup is preferable. Also, I sometimes have to take my mom with me when shopping. She is elderly, has serious mobility problems, and is probably more susceptible than most people to airborne pathogens from the holiday shoppers in Target. So it's way easier and safer for us to sit in the car and let Target staff bring the stuff to us, instead of going into the store. Plenty of other people order everything from Amazon for similar sorts of reasons, and at least this avoids a lot of packaging and shipping.

It's not like I went to great lengths to get the burner phone to run the Target app. I had the phone anyway, and the Target app seemed like a good use for it.

Installing the Target app from Google Play requires a Google Play account, and I didn't want that on my main phone either. Plus using the Target app requires a target.com account, besides having the app itself installed. So the burner phone actually separates off three annoying things: 1) Google Play account, 2) target.com account, 3) Target app.

Thanks for the info about Firebase Cloud messaging. What I'm wondering now is, does the target app have to keep running to receive those messages? That means it's potentially continuously collecting the phone's location. That's part of the reason I keep the phone powered off. Location permission is emabled because that makes parking lot pickup a little faster. Basically they juggle their order queue to prioritize users who are getting close to the store. So I turn on the phone and start the app when I'm a few miles away from the store.

I guess I could keep location permission disabled except when needed, but that's more nuisance, and anyway there's still data collection possible from other sensors and the availability of the network.

[–] [email protected] 9 points 6 days ago

What I'm wondering now is, does the target app have to keep running to receive those messages?

No it doesn’t. What’s happening is target’s webserver sends a message to Google’s webserver, which sends a message to your phone, which is displayed by the OS. The Target app doesn’t need to be launched for this and won’t be launched unless you tap on the notification, which typically launches the associated app.

That means it's potentially continuously collecting the phone's location.

Target’s app isn’t doing this, although they probably do record what you bought from which target and when.

Google can / probably is continuously collecting the phone’s location, to some extent. Your cell service company can do this too.

[–] [email protected] 6 points 6 days ago (1 children)

Can't you use the target website? There's hermit for web apps which can sandox websites for you.

Using android 8 will mean you are using a vulnerable OS so stuff like this should be common. Newer android versions limit app activity and data collection.

You can use apps like Shizuku and AppOps to limit permissions and data, apps can gather on you.

[–] [email protected] 2 points 6 days ago (1 children)

The web site lets you order stuff for home delivery or for in-store pickup (you go into the store and wait a long time at the customer service desk). Gettnig stuff brought to the parking lot requires the app. It's annoying and I don't know why they do that. The app also needs network connectivity when you're in the parking lot, to let them know which parking space you are in. I don't have a working sim in the burner phone, so I bring another phone to use as a wifi hotspot, what fun.

Other stores do let you order on the web for parking lot pickup, and then call a phone number once you get there, so Target just insists on being special.

[–] [email protected] 3 points 6 days ago* (last edited 6 days ago) (1 children)

You can highlight via email to target. Or consider getting your order close to your home.

[–] [email protected] 1 points 6 days ago* (last edited 6 days ago) (1 children)

What do you mean by highlight via email? Target is reasonably close to here. There is not really anyplace closer for kitchen stuff etc. There are a few grocery stores that are closer and I do use those. Anyway this is getting way off topic. I mostly just wanted to know what was going on inside Android resulting in the app's observed behaviour. My shopping practices are the best I can do given my requirements, as far as I can tell.

[–] [email protected] 3 points 6 days ago* (last edited 6 days ago)

Highlight the fact that the website doesn't work for ordering stuff to the parking lot. I was going to suggest social media but then I realized you wouldn't be using one in the 1st place. Nevermind

[–] [email protected] 14 points 6 days ago* (last edited 6 days ago)

I wonder if I need a separate burner for each suspicious app.

That's going pretty far overboard. Just use an app like island to forcibly isolate and stop the app from running when you don't want it.

This is a pretty good answer. https://android.stackexchange.com/questions/241281/how-exactly-do-apps-not-running-in-the-background-receive-notifications

[–] [email protected] 14 points 6 days ago (1 children)

A separate burner seems like overkill. I’m no expert, but I think an Android service manages the push notifications and wakes up the app when it receives a notification.

[–] [email protected] 4 points 6 days ago
[–] [email protected] 6 points 6 days ago (1 children)

There is a setting in the app permissions that is typically enabled by default to allow the app to run in the background. You can disable it, but I believe it is a per app setting.

Alternatively, if you turn on battery saver, I believe that turns off background app usage.

[–] [email protected] 7 points 6 days ago* (last edited 6 days ago)

There is a setting in the app permissions that is typically enabled by default to allow the app to run in the background.

That's not how notifications work though. Most apps on Android use Firebase Cloud Messaging for notifications. Your phone has a constant connection to a Google server, and all notifications come in via that connection. The phone receives the notification and tells the relevant app.

Some apps have their own connection (for example, email apps will often connect directly to an email server and use IMAP IDLE) but it's not very common.

[–] [email protected] 4 points 5 days ago (1 children)

The notifications are coming from Google Play Services.

Look into GrapheneOS. They have a sandboxed play services implementation, and you can have multiple sandboxed users, e.g. one for foss apps, one for google and proprietary apps.

Also try TrackerControl on f-droid, it lets you block trackers from apps. You'll still have Google to worry about though.

[–] [email protected] 1 points 5 days ago

Thanks. Unfortunately GrapheneOS is only for Pixel phones, but maybe someday.

[–] [email protected] 5 points 6 days ago

Okay, so this is not really to answer your question, but I don't think you needed a separate phone just for one app. You could've just use a "work profile" to put that app inside, and whenever you don't need the app, you can turn off the work profile, and its effectively like that part of your phone being turned off.

I use an app called Shelter to do this.

Apps in "Work Profile" are effectively the same as if it were on another phone, they cannot access the data on your main profile.

[–] [email protected] 5 points 6 days ago* (last edited 6 days ago)

The app has registered for a receiver that's handled by Google Cloud Messaging/Firebase.

When a message for that app is received by GCM, a broadcast is fired specifically for that app and wakes it up.

[–] [email protected] 4 points 6 days ago

You can check if the app keeps running in Settings > System settings > Developer options > Running services

[–] [email protected] 1 points 5 days ago (1 children)

Just droppin some extra info: You can use the aurora store to download apps from the google play store without a google account (Note: some apps can detect that you didn't download it from the google play store, although I only encountered that once with a banking app, so to get around that I begrudgingly created a burner google account to download it.)

[–] [email protected] 1 points 5 days ago

Yes I think there's also an fdroid app that does that. But except for a few unusual cases I generally don't want to run Play store apps anyway. Target is the first one so far. I've gotten by without banking apps and expect to keep doing so.