0

I'm using multiple accounts for an android app in my phone. today the app blocked all my accounts because it's not allowed to have more than one . I've had android 10 on my phone . the question is:

  1. what type of data an app knows about my phone?
  2. how they know I'm using multiple accounts?
  3. What's the solution for this? how can i remain hidden with multiple accounts on one mobile phone?

App link :Slowly

app permissions app all permission list

Robert
  • 20,025
  • 6
  • 47
  • 66
Amir Khan
  • 1
  • 1
  • For 1. Whatever is said in app permissions 2. GET_ACCOUNTS permission 3. Usually by rooting your phone and preventing such access //[Edit] to mention your device and Android version – beeshyams Jun 09 '20 at 06:11
  • Is this an offline or online app? If this is an online app, there's a possibility that the server blocks them by fingerprinting the device. – Andrew T. Jun 09 '20 at 06:30
  • this is an online app. I've uploaded permission list and my android is 10. does it help ? – Amir Khan Jun 10 '20 at 06:32

1 Answers1

0

General way to identify you or your device

What information the app (and therefore the operator of the app) has about your device depends on the permissions the app have and the Android version installed on your devices (Google makes it harder to gain access to phone identifiers with ever release).

The most important ways to identify your device are:

  1. Telephone number (depends on the SIM card, requires READ_PHONE_STATE permission)
  2. IMEI (hard coded in your phone, requires READ_PHONE_STATE permission)
  3. Android-ID (a random number generated on first start of the device, factory-reset clears it. Since Android 8 every app sees a different but static Android-ID)
  4. Google Advertising ID (randomly generated, can be re-generated in Google settings)
  5. List of active accounts on your device (requires GET_ACCOUNTS permission)

Of course for online-services there exists various indicators that may indicate that only one device is used such as the IP address you use (especially relevant if IPv6 is used), and of course your usage. If two accounts are used from the same IP address but are never online at the same time this another good indicator.

Some those identifiers may change if you use a second user profile on your device, others will stay the same. In conclusion the only way to totally avoid getting detected as one user is to use two devices that use different accounts for every stored account (especially the Google account).

Slowly app

The slowly app has the following permissions:

android.permission.ACCESS_COARSE_LOCATION
android.permission.ACCESS_FINE_LOCATION
android.permission.ACCESS_NETWORK_STATE
android.permission.ACCESS_WIFI_STATE
android.permission.CAMERA
android.permission.INTERNET
android.permission.READ_APP_BADGE
android.permission.READ_EXTERNAL_STORAGE
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.RECORD_AUDIO
android.permission.USE_FINGERPRINT
android.permission.VIBRATE
android.permission.WAKE_LOCK
android.permission.WRITE_EXTERNAL_STORAGE
com.anddoes.launcher.permission.UPDATE_COUNT
com.android.vending.BILLING
com.android.vending.CHECK_LICENSE
com.google.android.c2dm.permission.RECEIVE
com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE
com.htc.launcher.permission.READ_SETTINGS
com.htc.launcher.permission.UPDATE_SHORTCUT
com.huawei.android.launcher.permission.CHANGE_BADGE
com.huawei.android.launcher.permission.READ_SETTINGS
com.huawei.android.launcher.permission.WRITE_SETTINGS
com.majeur.launcher.permission.UPDATE_BADGE
com.oppo.launcher.permission.READ_SETTINGS
com.oppo.launcher.permission.WRITE_SETTINGS
com.sec.android.provider.badge.permission.READ
com.sec.android.provider.badge.permission.WRITE
com.sonyericsson.home.permission.BROADCAST_BADGE
com.sonymobile.home.permission.PROVIDER_INSERT_BADGE
me.everything.badger.permission.BADGE_COUNT_READ
me.everything.badger.permission.BADGE_COUNT_WRITE

As you can see none of the afore-mentioned permissions are present. But I am not very familiar with some of the permissions. Thinking of how I would implement suc a check I see two additional possibilities:

The permissions com.android.vending.* allow to talk to the Play Services and identify your "license" - mainly this is for checking on in-app purchases, but even free apps without in-app purchases are managed by the Google Play Store and therefore get a license. may be this allows to identify if an the app is installed on two devices with the same Google account?

Additionally WRITE_EXTERNAL_STORAGE can be used by the app to write an identifier somewehere on your internal storage. This file can even survive if you execute delete Sloly's app storage and cache and therefore can be used as permanent identifier of your device.

Robert
  • 20,025
  • 6
  • 47
  • 66