I’ve been proudly using e/os for 3 weeks now and I’m absolutely enthusiastic so far. But today I detected some strange behavior. Because of a few contacts I’m still forced to have WhatsApp on my phone. So I installed it isolated in my Shelter profile on my Fairphone 3 (version Android 13). But even with no rights at all (access to gallery, camera and so on is blocked), WhatsApp is still able to add files to a chat. Even worse: WhatsApp is able to take files from my private profile! Even with the Shelter data shuttle option off. Ironically, it’s not able to grab data from the isolated profile (“forbidden by administrator”).
I isolated WhatsApp because it’s known as a sniffing app. So I’m wondering why it is able to have access to my data. I already reinstalled WhatsApp (deleted all related data and so on). But same behavior after reinstallation. Can somebody reproduce the behavior on other mobiles?
What I detected is that it seems that WhatsApp does not have its own data explorer. At least it looks like it is using the standard data explorer which is preinstalled. But strangely, for some reason, from the private profile but not from the isolated profile.
Does somebody have an idea how to fix this?
Hi Jets,
During installation via “App Launcher” there is no permission request at all, but there is one when starting. I denied all and also double-checked in app permissions afterwards.
The app simply seems to “grab” the necessary rights during installation without permission from the user. AP does not list any leaks. Maybe because there are no classical trackers. This fits the Exodus report, where a lot of permissions are marked as critical but there are no trackers: https://reports.exodus-privacy.eu.org/de/reports/com.whatsapp/latest/#permissions
And who needs trackers if the whole app is a tracker. Synchronised to any Meta servers in the States, right?
(I’m from Europe btw. and we have very strict privacy rules where everything from Meta is classified as critical in the news from time to time)
WhatsApp is notorious for stealing data, it’s all over the internet. I don’t use it, my alternative and a much sounder one is Signal Private Messenger.
Hi tcecyk,
Thanks for your response. Unfortunately I do not fully get it. Is the photo picker part of the system or do I have to program it on my own? I’m not so good at programming.
It does not seem to be part of Android 13. And I’m not sure if it solves the problem since it is the function for “attachment”, not media. Maybe for better understanding a few screenshots.
For some reason the app (installed from App Lounge) seems to use my private data browser even if it is installed in the work profile. I do not need the attachment function. So deactivating the rights for it would be one workaround for me. But I do not know how or if it is possible. Maybe with adb? Unluckily, this right cannot be easily denied in the app permission settings.
@Jets / @mihi: Sure, I use Signal and Delta Chat on my private profile. But since WhatsApp was THE messenger for more than 5 years till it was sold, it’s still everywhere. And if you do not want to get socially isolated on team events or for private sport groups, there is no way out. And good luck convincing a big group of people who do not care about data protection without annoying them to death.
ah ok, that dialog isn’t the “partial access” I meant. I haven’t a WhatsApp install around to check.
What I try to convey is: if you, the user, see it, it doesn’t mean the app has access. This should be the system file picker behind an ACTION_OPEN_DOCUMENT, which returns a content:// URI to the calling app - what you selected, nothing else.
Okay. Thanks for your input. So if data pickers are used, the app does not have its own access to the data? The pickers are just kind of “routing it through”? That’s good to hear. Still strange that the private picker is used. But as long as WhatsApp cannot search on its own it’s okay from my side.
Many thanks for the detailed explanation.
if you scroll down on that doc to “Persist permissions” you get an idea what the App can do after selection through that particular action:
When your app opens a file for reading or writing, the system gives your app a URI permission grant for that file, which lasts until the user’s device restarts. […]
To preserve access to files across device restarts […] your app can “take” the persistable URI permission grant that the system offers.
All that said, I’m not privy to what Intents WhatsApp uses, but I assume it is that action. logcat will tell
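What the ACTION_OPEN_DOCUMENT flow and the “Persist permissions” step described above look like from the app’s side, as an added example that is not part of the thread and is not WhatsApp’s code. It assumes the AndroidX Activity library; the class name `AttachDemoActivity` and the log tag are hypothetical, and the app declares no storage permission.

```kotlin
import android.content.Intent
import android.net.Uri
import android.os.Bundle
import android.util.Log
import androidx.activity.ComponentActivity
import androidx.activity.result.contract.ActivityResultContracts

// Hypothetical demo activity: it holds no storage, gallery or camera permission.
class AttachDemoActivity : ComponentActivity() {

    // The system picker runs outside this app's process. The app never sees the
    // file list the user browses; it only receives the chosen Uri (or null).
    private val pickDocument =
        registerForActivityResult(ActivityResultContracts.OpenDocument()) { uri: Uri? ->
            if (uri == null) return@registerForActivityResult // user cancelled
            Log.i(TAG, "granted: $uri") // a content:// Uri, not a file path

            // Reading works for this one document only, via the temporary grant.
            val size = contentResolver.openInputStream(uri)?.use { it.readBytes().size }
            Log.i(TAG, "read $size bytes")

            // Optional step from "Persist permissions": keep read access to this
            // same document across device restarts.
            contentResolver.takePersistableUriPermission(
                uri, Intent.FLAG_GRANT_READ_URI_PERMISSION
            )

            // The complete set of documents the app can reopen later.
            contentResolver.persistedUriPermissions.forEach {
                Log.i(TAG, "persisted: ${it.uri} read=${it.isReadPermission}")
            }
        }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Fires an ACTION_OPEN_DOCUMENT intent; "*/*" accepts any file type.
        pickDocument.launch(arrayOf("*/*"))
    }

    private companion object { const val TAG = "AttachDemo" }
}
```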
Okay. I understood, I think
Many thanks for your effort. It’s okay from my side to live with that behavior now.
Learned a lot about data permissions and data pickers.