Basically I’ve acquired a burner Android 8 phone and am running the target.com app which is the only way they let you get parking lot delivery at the store. I assume the Target app is spyware. I keep the phone powered off almost all the time which should limit the spying. The thing is, if I power up the phone and order something, then close the app, I still get an alert when the status of the order changes (e.g. it’s ready for pickup). So the app is still listening for network traffic from Target.
Can anyone explain what is happening in Android and whether there is a way to make an app really stop? Does the app stay in a running state even after I’ve closed the UI part of it? Is there somethng like an inetd in Android that listens for network alerts and re-launches the destination app? Are there Android app permissions associated with this, that I can revoke?
I don’t want to run this type of app on my main phone, but I had at first liked the idea of using a burner for such things. Now, though, I wonder if I need a separate burner for each suspicious app. Thanks.
What are you trying to protect against? Having a separate burner phone just for Target feels like overkill to me. If you’re worried about Target spying then why not just go into the store to buy things, and pay in cash?
It’s using Firebase Cloud Messaging which is a Google service
You can revoke notification permissions for an app, but then you won’t get notifications of course.
Just to expand on this. The app likely isn’t always running in the background listening (since that’s what it seems the op thinks). The push message causes the android system to wake the app to deal with the message. Otherwise it’s not actively running (and you can limit background running in android settings per app).
I prefer to avoid going in the Target store because of the long waits and for healh reasons. Parking lot pickup is preferable. Also, I sometimes have to take my mom with me when shopping. She is elderly, has serious mobility problems, and is probably more susceptible than most people to airborne pathogens from the holiday shoppers in Target. So it’s way easier and safer for us to sit in the car and let Target staff bring the stuff to us, instead of going into the store. Plenty of other people order everything from Amazon for similar sorts of reasons, and at least this avoids a lot of packaging and shipping.
It’s not like I went to great lengths to get the burner phone to run the Target app. I had the phone anyway, and the Target app seemed like a good use for it.
Installing the Target app from Google Play requires a Google Play account, and I didn’t want that on my main phone either. Plus using the Target app requires a target.com account, besides having the app itself installed. So the burner phone actually separates off three annoying things: 1) Google Play account, 2) target.com account, 3) Target app.
Thanks for the info about Firebase Cloud messaging. What I’m wondering now is, does the target app have to keep running to receive those messages? That means it’s potentially continuously collecting the phone’s location. That’s part of the reason I keep the phone powered off. Location permission is emabled because that makes parking lot pickup a little faster. Basically they juggle their order queue to prioritize users who are getting close to the store. So I turn on the phone and start the app when I’m a few miles away from the store.
I guess I could keep location permission disabled except when needed, but that’s more nuisance, and anyway there’s still data collection possible from other sensors and the availability of the network.
No it doesn’t. What’s happening is target’s webserver sends a message to Google’s webserver, which sends a message to your phone, which is displayed by the OS. The Target app doesn’t need to be launched for this and won’t be launched unless you tap on the notification, which typically launches the associated app.
Target’s app isn’t doing this, although they probably do record what you bought from which target and when.
Google can / probably is continuously collecting the phone’s location, to some extent. Your cell service company can do this too.
Can’t you use the target website? There’s hermit for web apps which can sandox websites for you.
Using android 8 will mean you are using a vulnerable OS so stuff like this should be common. Newer android versions limit app activity and data collection.
You can use apps like Shizuku and AppOps to limit permissions and data, apps can gather on you.
The web site lets you order stuff for home delivery or for in-store pickup (you go into the store and wait a long time at the customer service desk). Gettnig stuff brought to the parking lot requires the app. It’s annoying and I don’t know why they do that. The app also needs network connectivity when you’re in the parking lot, to let them know which parking space you are in. I don’t have a working sim in the burner phone, so I bring another phone to use as a wifi hotspot, what fun.
Other stores do let you order on the web for parking lot pickup, and then call a phone number once you get there, so Target just insists on being special.
You can highlight via email to target. Or consider getting your order close to your home.
What do you mean by highlight via email? Target is reasonably close to here. There is not really anyplace closer for kitchen stuff etc. There are a few grocery stores that are closer and I do use those. Anyway this is getting way off topic. I mostly just wanted to know what was going on inside Android resulting in the app’s observed behaviour. My shopping practices are the best I can do given my requirements, as far as I can tell.
Highlight the fact that the website doesn’t work for ordering stuff to the parking lot. I was going to suggest social media but then I realized you wouldn’t be using one in the 1st place. Nevermind