Push Notifications: https://en.wikipedia.org/wiki/Push_technology
The app isn't listening, Google Play Servicea is. The app registered with the push server to send you notifications.
Welcome to the droidymcdroidface-iest, Lemmyest (Lemmiest), test, bestest, phoniest, pluckiest, snarkiest, and spiciest Android community on Lemmy (Do not respond)! Here you can participate in amazing discussions and events relating to all things Android.
The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:
1. All posts must be relevant to Android devices/operating system.
2. Posts cannot be illegal or NSFW material.
3. No spam, self promotion, or upvote farming. Sources engaging in these behavior will be added to the Blacklist.
4. Non-whitelisted bots will be banned.
5. Engage respectfully: Harassment, flamebaiting, bad faith engagement, or agenda posting will result in your posts being removed. Excessive violations will result in temporary or permanent ban, depending on severity.
6. Memes are not allowed to be posts, but are allowed in the comments.
7. Posts from clickbait sources are heavily discouraged. Please de-clickbait titles if it needs to be submitted.
8. Submission statements of any length composed of your own thoughts inside the post text field are mandatory for any microblog posts, and are optional but recommended for article/image/video posts.
Community Resources:
We are Android girls*,
In our Lemmy.world.
The back is plastic,
It's fantastic.
*Well, not just girls: people of all gender identities are welcomed here.
Our Partner Communities:
Push Notifications: https://en.wikipedia.org/wiki/Push_technology
The app isn't listening, Google Play Servicea is. The app registered with the push server to send you notifications.
I definitely use a different burner phone for every app. It's obviously the only sane way to use apps. Ive got my email phone. My weather phone. My alarm phone. A phone for each one of my contacts. Right now Im on my lemmy-only phone, with all of the others powered off and in thier separate faraday bags. Having a separate phone just for the app I use to order something is a must. How dare they tell me the status of the order I paid for? Who do they think they are!? On Sundays I use my magnet wand and wipe each and every phone, just to be sure.
Average Lemmy user.
Needs to include "I have no friends, my family are all horrible, and people of the opposite sex don't pay me any attention" to get closer to average.
I realize you're being facitious but as a matter of fact, the Target app (plus Google Play) are the only apps I have installed so far that didn't come from F-droid. Google Play was needed to install the Target app. I figure that the F-droid apps have had enough vetting that I tend to not worry about them too much. I have never installed or used Google Play on my "real" phone. I only installed it on the burner in order to install the target app there.
I confess to occasionally using some of the preinstalled google apps on my main phone, such as the camera app. I will get around to checkng out F-droid versions one of these days.
What are you trying to protect against? Having a separate burner phone just for Target feels like overkill to me. If you're worried about Target spying then why not just go into the store to buy things, and pay in cash?
Can anyone explain what is happening in Android a
It's using Firebase Cloud Messaging which is a Google service
Are there Android app permissions associated with this, that I can revoke?
You can revoke notification permissions for an app, but then you won't get notifications of course.
Just to expand on this. The app likely isn't always running in the background listening (since that's what it seems the op thinks). The push message causes the android system to wake the app to deal with the message. Otherwise it's not actively running (and you can limit background running in android settings per app).
I prefer to avoid going in the Target store because of the long waits and for healh reasons. Parking lot pickup is preferable. Also, I sometimes have to take my mom with me when shopping. She is elderly, has serious mobility problems, and is probably more susceptible than most people to airborne pathogens from the holiday shoppers in Target. So it's way easier and safer for us to sit in the car and let Target staff bring the stuff to us, instead of going into the store. Plenty of other people order everything from Amazon for similar sorts of reasons, and at least this avoids a lot of packaging and shipping.
It's not like I went to great lengths to get the burner phone to run the Target app. I had the phone anyway, and the Target app seemed like a good use for it.
Installing the Target app from Google Play requires a Google Play account, and I didn't want that on my main phone either. Plus using the Target app requires a target.com account, besides having the app itself installed. So the burner phone actually separates off three annoying things: 1) Google Play account, 2) target.com account, 3) Target app.
Thanks for the info about Firebase Cloud messaging. What I'm wondering now is, does the target app have to keep running to receive those messages? That means it's potentially continuously collecting the phone's location. That's part of the reason I keep the phone powered off. Location permission is emabled because that makes parking lot pickup a little faster. Basically they juggle their order queue to prioritize users who are getting close to the store. So I turn on the phone and start the app when I'm a few miles away from the store.
I guess I could keep location permission disabled except when needed, but that's more nuisance, and anyway there's still data collection possible from other sensors and the availability of the network.
What I'm wondering now is, does the target app have to keep running to receive those messages?
No it doesn’t. What’s happening is target’s webserver sends a message to Google’s webserver, which sends a message to your phone, which is displayed by the OS. The Target app doesn’t need to be launched for this and won’t be launched unless you tap on the notification, which typically launches the associated app.
That means it's potentially continuously collecting the phone's location.
Target’s app isn’t doing this, although they probably do record what you bought from which target and when.
Google can / probably is continuously collecting the phone’s location, to some extent. Your cell service company can do this too.
Can't you use the target website? There's hermit for web apps which can sandox websites for you.
Using android 8 will mean you are using a vulnerable OS so stuff like this should be common. Newer android versions limit app activity and data collection.
You can use apps like Shizuku and AppOps to limit permissions and data, apps can gather on you.
The web site lets you order stuff for home delivery or for in-store pickup (you go into the store and wait a long time at the customer service desk). Gettnig stuff brought to the parking lot requires the app. It's annoying and I don't know why they do that. The app also needs network connectivity when you're in the parking lot, to let them know which parking space you are in. I don't have a working sim in the burner phone, so I bring another phone to use as a wifi hotspot, what fun.
Other stores do let you order on the web for parking lot pickup, and then call a phone number once you get there, so Target just insists on being special.
You can highlight via email to target. Or consider getting your order close to your home.
What do you mean by highlight via email? Target is reasonably close to here. There is not really anyplace closer for kitchen stuff etc. There are a few grocery stores that are closer and I do use those. Anyway this is getting way off topic. I mostly just wanted to know what was going on inside Android resulting in the app's observed behaviour. My shopping practices are the best I can do given my requirements, as far as I can tell.
Highlight the fact that the website doesn't work for ordering stuff to the parking lot. I was going to suggest social media but then I realized you wouldn't be using one in the 1st place. Nevermind
I wonder if I need a separate burner for each suspicious app.
That's going pretty far overboard. Just use an app like island to forcibly isolate and stop the app from running when you don't want it.
This is a pretty good answer. https://android.stackexchange.com/questions/241281/how-exactly-do-apps-not-running-in-the-background-receive-notifications
A separate burner seems like overkill. I’m no expert, but I think an Android service manages the push notifications and wakes up the app when it receives a notification.
Correct.
There is a setting in the app permissions that is typically enabled by default to allow the app to run in the background. You can disable it, but I believe it is a per app setting.
Alternatively, if you turn on battery saver, I believe that turns off background app usage.
There is a setting in the app permissions that is typically enabled by default to allow the app to run in the background.
That's not how notifications work though. Most apps on Android use Firebase Cloud Messaging for notifications. Your phone has a constant connection to a Google server, and all notifications come in via that connection. The phone receives the notification and tells the relevant app.
Some apps have their own connection (for example, email apps will often connect directly to an email server and use IMAP IDLE) but it's not very common.
The notifications are coming from Google Play Services.
Look into GrapheneOS. They have a sandboxed play services implementation, and you can have multiple sandboxed users, e.g. one for foss apps, one for google and proprietary apps.
Also try TrackerControl on f-droid, it lets you block trackers from apps. You'll still have Google to worry about though.
Thanks. Unfortunately GrapheneOS is only for Pixel phones, but maybe someday.
Okay, so this is not really to answer your question, but I don't think you needed a separate phone just for one app. You could've just use a "work profile" to put that app inside, and whenever you don't need the app, you can turn off the work profile, and its effectively like that part of your phone being turned off.
I use an app called Shelter to do this.
Apps in "Work Profile" are effectively the same as if it were on another phone, they cannot access the data on your main profile.
The app has registered for a receiver that's handled by Google Cloud Messaging/Firebase.
When a message for that app is received by GCM, a broadcast is fired specifically for that app and wakes it up.
You can check if the app keeps running in Settings > System settings > Developer options > Running services
Just droppin some extra info: You can use the aurora store to download apps from the google play store without a google account (Note: some apps can detect that you didn't download it from the google play store, although I only encountered that once with a banking app, so to get around that I begrudgingly created a burner google account to download it.)
Yes I think there's also an fdroid app that does that. But except for a few unusual cases I generally don't want to run Play store apps anyway. Target is the first one so far. I've gotten by without banking apps and expect to keep doing so.