Basically I’ve acquired a burner Android 8 phone and am running the target.com app which is the only way they let you get parking lot delivery at the store. I assume the Target app is spyware. I keep the phone powered off almost all the time which should limit the spying. The thing is, if I power up the phone and order something, then close the app, I still get an alert when the status of the order changes (e.g. it’s ready for pickup). So the app is still listening for network traffic from Target.
Can anyone explain what is happening in Android and whether there is a way to make an app really stop? Does the app stay in a running state even after I’ve closed the UI part of it? Is there somethng like an inetd in Android that listens for network alerts and re-launches the destination app? Are there Android app permissions associated with this, that I can revoke?
I don’t want to run this type of app on my main phone, but I had at first liked the idea of using a burner for such things. Now, though, I wonder if I need a separate burner for each suspicious app. Thanks.
You must log in or register to comment.
I definitely use a different burner phone for every app. It’s obviously the only sane way to use apps. Ive got my email phone. My weather phone. My alarm phone. A phone for each one of my contacts. Right now Im on my lemmy-only phone, with all of the others powered off and in thier separate faraday bags. Having a separate phone just for the app I use to order something is a must. How dare they tell me the status of the order I paid for? Who do they think they are!? On Sundays I use my magnet wand and wipe each and every phone, just to be sure.
Average Lemmy user.
Needs to include “I have no friends, my family are all horrible, and people of the opposite sex don’t pay me any attention” to get closer to average.
I realize you’re being facitious but as a matter of fact, the Target app (plus Google Play) are the only apps I have installed so far that didn’t come from F-droid. Google Play was needed to install the Target app. I figure that the F-droid apps have had enough vetting that I tend to not worry about them too much. I have never installed or used Google Play on my “real” phone. I only installed it on the burner in order to install the target app there.
I confess to occasionally using some of the preinstalled google apps on my main phone, such as the camera app. I will get around to checkng out F-droid versions one of these days.
Push Notifications: https://en.wikipedia.org/wiki/Push_technology
The app isn’t listening, Google Play Servicea is. The app registered with the push server to send you notifications.
What are you trying to protect against? Having a separate burner phone just for Target feels like overkill to me. If you’re worried about Target spying then why not just go into the store to buy things, and pay in cash?
Can anyone explain what is happening in Android a
It’s using Firebase Cloud Messaging which is a Google service
Are there Android app permissions associated with this, that I can revoke?
You can revoke notification permissions for an app, but then you won’t get notifications of course.
Just to expand on this. The app likely isn’t always running in the background listening (since that’s what it seems the op thinks). The push message causes the android system to wake the app to deal with the message. Otherwise it’s not actively running (and you can limit background running in android settings per app).
I prefer to avoid going in the Target store because of the long waits and for healh reasons. Parking lot pickup is preferable. Also, I sometimes have to take my mom with me when shopping. She is elderly, has serious mobility problems, and is probably more susceptible than most people to airborne pathogens from the holiday shoppers in Target. So it’s way easier and safer for us to sit in the car and let Target staff bring the stuff to us, instead of going into the store. Plenty of other people order everything from Amazon for similar sorts of reasons, and at least this avoids a lot of packaging and shipping.
It’s not like I went to great lengths to get the burner phone to run the Target app. I had the phone anyway, and the Target app seemed like a good use for it.
Installing the Target app from Google Play requires a Google Play account, and I didn’t want that on my main phone either. Plus using the Target app requires a target.com account, besides having the app itself installed. So the burner phone actually separates off three annoying things: 1) Google Play account, 2) target.com account, 3) Target app.
Thanks for the info about Firebase Cloud messaging. What I’m wondering now is, does the target app have to keep running to receive those messages? That means it’s potentially continuously collecting the phone’s location. That’s part of the reason I keep the phone powered off. Location permission is emabled because that makes parking lot pickup a little faster. Basically they juggle their order queue to prioritize users who are getting close to the store. So I turn on the phone and start the app when I’m a few miles away from the store.
I guess I could keep location permission disabled except when needed, but that’s more nuisance, and anyway there’s still data collection possible from other sensors and the availability of the network.
What I’m wondering now is, does the target app have to keep running to receive those messages?
No it doesn’t. What’s happening is target’s webserver sends a message to Google’s webserver, which sends a message to your phone, which is displayed by the OS. The Target app doesn’t need to be launched for this and won’t be launched unless you tap on the notification, which typically launches the associated app.
That means it’s potentially continuously collecting the phone’s location.
Target’s app isn’t doing this, although they probably do record what you bought from which target and when.
Google can / probably is continuously collecting the phone’s location, to some extent. Your cell service company can do this too.
Can’t you use the target website? There’s hermit for web apps which can sandox websites for you.
Using android 8 will mean you are using a vulnerable OS so stuff like this should be common. Newer android versions limit app activity and data collection.
You can use apps like Shizuku and AppOps to limit permissions and data, apps can gather on you.
The web site lets you order stuff for home delivery or for in-store pickup (you go into the store and wait a long time at the customer service desk). Gettnig stuff brought to the parking lot requires the app. It’s annoying and I don’t know why they do that. The app also needs network connectivity when you’re in the parking lot, to let them know which parking space you are in. I don’t have a working sim in the burner phone, so I bring another phone to use as a wifi hotspot, what fun.
Other stores do let you order on the web for parking lot pickup, and then call a phone number once you get there, so Target just insists on being special.
You can highlight via email to target. Or consider getting your order close to your home.
What do you mean by highlight via email? Target is reasonably close to here. There is not really anyplace closer for kitchen stuff etc. There are a few grocery stores that are closer and I do use those. Anyway this is getting way off topic. I mostly just wanted to know what was going on inside Android resulting in the app’s observed behaviour. My shopping practices are the best I can do given my requirements, as far as I can tell.
Highlight the fact that the website doesn’t work for ordering stuff to the parking lot. I was going to suggest social media but then I realized you wouldn’t be using one in the 1st place. Nevermind
A separate burner seems like overkill. I’m no expert, but I think an Android service manages the push notifications and wakes up the app when it receives a notification.
Correct.
I wonder if I need a separate burner for each suspicious app.
That’s going pretty far overboard. Just use an app like island to forcibly isolate and stop the app from running when you don’t want it.
This is a pretty good answer. https://android.stackexchange.com/questions/241281/how-exactly-do-apps-not-running-in-the-background-receive-notifications
There is a setting in the app permissions that is typically enabled by default to allow the app to run in the background. You can disable it, but I believe it is a per app setting.
Alternatively, if you turn on battery saver, I believe that turns off background app usage.
There is a setting in the app permissions that is typically enabled by default to allow the app to run in the background.
That’s not how notifications work though. Most apps on Android use Firebase Cloud Messaging for notifications. Your phone has a constant connection to a Google server, and all notifications come in via that connection. The phone receives the notification and tells the relevant app.
Some apps have their own connection (for example, email apps will often connect directly to an email server and use IMAP IDLE) but it’s not very common.
The app has registered for a receiver that’s handled by Google Cloud Messaging/Firebase.
When a message for that app is received by GCM, a broadcast is fired specifically for that app and wakes it up.
Okay, so this is not really to answer your question, but I don’t think you needed a separate phone just for one app. You could’ve just use a “work profile” to put that app inside, and whenever you don’t need the app, you can turn off the work profile, and its effectively like that part of your phone being turned off.
I use an app called Shelter to do this.
Apps in “Work Profile” are effectively the same as if it were on another phone, they cannot access the data on your main profile.
