How does Substack know my real location when I use a VPN?

A couple of months ago, I created an anonymous Substack account. I never used the mobile app until today, when I logged on to it for the first time with my VPN. I use a VPN 24/7 on both mobile and desktop, and have for years. After I logged into the Substack app, it suggested I give them my phone number for added security. I refused. However, the default setting for adding my number showed the flag and country code of my actual location, despite me using a VPN.

How is that possible?

This is not the first time this has happened. I feel like I must start over by deleting this account, creating a new one, and never using Substack on mobile again.

How? On desktop and on a VPN with no PII? On Tor?

On which OS? Android, GOS, iOS?

The app is getting this info from your OS and time zone setting most likely. That’s my best guess. And hence it is showing that for you. Or it may be defaulting to the US if you are in fact in the US. It may not know your real location but only “know” it, and is guessing it at best if you are trying to obfuscate it from the get-go. The same may have been inferred when you made an account, if you did so on desktop, using browser fingerprinting and time zone.

Don’t use the app. Log in via a browser.

It could also be inferring from the country’s app store from which you downloaded the Substack app on mobile. That’s a big indicator too.

But these are the only things I can think of, unless there is any weak link in your OPSEC.


Desktop. VPN. Mullvad.

I was running Android 16 when I downloaded it. But only logged in for the first time months later while running Android 17. No Graphene OS. Just a regular Android phone.

That is possible. But when multiple countries are in the same time zone, how are they able to infer the right one? Suppose I am in UTC+1, the time zone shared by the most countries: how does Substack know I’m in Germany vs. Albania vs. Nigeria vs. Italy vs. Chad?

That is great advice that is hard to follow with some apps. With Substack, I’m happy to do that, but it’s still annoying. My current phone has never logged into a single Google account.

Population of sign-ups from a particular country. It’s inference, not certainty, at least as I understand it. I’ve never run an app, so a dev could better answer how much info they get from app downloads.

PWA then?

Even for your app store?

–

I think it’s fingerprinting, which includes time zone. And more often than not, those time zone settings also include a popular city/capital in your country, so that’s how it may be inferring your location. These companies are clever when it comes to knowing as much about you as possible.

But why are you worried about metadata? It’s not a privacy-conscious platform, so I would not even expect anything from them; just obfuscate anything you can as best as you can. That’s my last piece of advice.

I use the Aurora Store and F-Droid with a VPN.

Yeah, that is very possible.

I naively thought I would be safe using Substack’s app with a VPN. I was wrong. Now I have to start a new account and never use Substack on mobile again.


Hmm. Well, we live and learn. Now you know.

There are tons of ways a mobile app can end up bypassing a VPN. It could be a VPN leak in the VPN app itself, WebRTC, Google’s advertising services, etc.

IMO the only way I would trust to prevent VPN leaks is to use a VPN router, either on a separate machine like a Raspberry Pi or on a virtual machine, and NEVER connect the “VPN’d” machine directly to the internet.


This is objectively not true. There are surefire ways to ensure a desktop-installed VPN is working as it should without leaks. Since OP is using Mullvad, I am more sure a leak is not the case at all.

Saying it as you have said it is close to misinformation, because it reads like a claim, and an incorrect one, but I’ll give you the benefit of the doubt this time.

On Android, any app can access your SIM country code, which is most likely what is happening here.

Source:

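To make the point of the post above concrete, here is an added example (my own, not code from the thread, from Substack or from Android’s documentation) of the country signals an Android app can read with no runtime permission at all, and a small check that reports which of them contradict the country the user believes their VPN is presenting. The `vpnExitCountry` parameter, the `DeviceCountrySignals` type and the contradiction check are assumptions of this example; the four getters (`simCountryIso`, `networkCountryIso`, `TimeZone.getDefault().id`, `Locale.getDefault().country`) are standard Android/Java APIs.

```kotlin
// Added example (not from the thread): which locale/country signals an Android
// app can read with no runtime permission, and whether they contradict the
// country of the VPN exit the user expects to present.
import android.content.Context
import android.telephony.TelephonyManager
import java.util.Locale
import java.util.TimeZone

/** Signals an app can read without asking the user for any permission. */
data class DeviceCountrySignals(
    val simCountryIso: String,      // ISO 3166-1 alpha-2 of the SIM provider, e.g. "de"; "" without a SIM
    val networkCountryIso: String,  // country of the registered mobile network; "" when on Wi-Fi only
    val timeZoneId: String,         // IANA id such as "Europe/Berlin": names a city, not just an offset
    val localeCountry: String,      // region part of the system locale, e.g. "DE"
)

fun readDeviceCountrySignals(context: Context): DeviceCountrySignals {
    val tm = context.getSystemService(Context.TELEPHONY_SERVICE) as TelephonyManager
    return DeviceCountrySignals(
        simCountryIso = tm.simCountryIso ?: "",
        networkCountryIso = tm.networkCountryIso ?: "",
        timeZoneId = TimeZone.getDefault().id,
        localeCountry = Locale.getDefault().country,
    )
}

/**
 * Returns the names of the signals that disagree with the VPN exit country.
 * vpnExitCountry is an assumption of this example: the ISO 3166-1 alpha-2 code
 * the user expects to present (e.g. "se"); the OS does not provide it.
 */
fun signalsContradicting(signals: DeviceCountrySignals, vpnExitCountry: String): List<String> {
    val expected = vpnExitCountry.lowercase(Locale.ROOT)
    val disagreeing = mutableListOf<String>()
    if (signals.simCountryIso.isNotEmpty() &&
        signals.simCountryIso.lowercase(Locale.ROOT) != expected) disagreeing += "simCountryIso"
    if (signals.networkCountryIso.isNotEmpty() &&
        signals.networkCountryIso.lowercase(Locale.ROOT) != expected) disagreeing += "networkCountryIso"
    if (signals.localeCountry.isNotEmpty() &&
        signals.localeCountry.lowercase(Locale.ROOT) != expected) disagreeing += "localeCountry"
    // A zone id cannot be compared to a country code directly. Flag it whenever it is a
    // region/city id rather than a bare offset ("Etc/GMT+1"), because the city narrows
    // the country far more than the UTC offset alone does.
    if (signals.timeZoneId.contains('/') && !signals.timeZoneId.startsWith("Etc/")) {
        disagreeing += "timeZoneId"
    }
    return disagreeing
}
```

Call `readDeviceCountrySignals(this)` from an Activity and pass the result with your expected exit country to `signalsContradicting`; any name it returns is a signal the app can see regardless of the tunnel. Since none of these reads is gated by a permission prompt, there is nothing to deny in the app’s settings, which is why the thread’s mitigation is to not run the native app at all (browser or PWA instead).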

Huh. TIL this is another way.

Boy, nothing is sacred anymore.

The issue with trusting a VPN installed on the device itself (esp. on mobile) is that it exposes you to many more methods of de-anonymization than if you’re using a VPN router, especially in the context of trying to use an untrusted app anonymously.

Programs running on your device that may be able to access potentially de-anonymizing logs, or the untrusted app if it gains or has certain permissions, may be able to turn off/bypass your VPN. If an untrusted app is running on a device with Wi-Fi capability, it can grab information about surrounding networks, which may be leveraged to geolocate you. The most important vector a separate VPN router mitigates is human error (like neglectfully turning off a VPN). Many kill switches might fail during system reboots as well.

This is the reason why stuff like Whonix exists.


My contention was with what I quoted of what you said, and I was thinking about desktop particularly and not necessarily smartphones.

We are talking about Mullvad here. And we know it does not fail (unless I am not keeping up with a new development on this end about them).

–

But I take your point at large.


Fair. “The only reliable way” is stating an opinion as 100% fact (what is “reliable”? It’s impossible to be 100% protected against de-anonymization). I’ve edited it to just note this is about merely my level of comfort.


In the future consider using an RSS app like Feeder to read articles.


Thanks for the recommendation. I just downloaded it. Out of curiosity, how do you back up your data if say you change phones? Since there are no accounts. Is this the best FOSS RSS reader?

Export your RSS list and save it to the cloud/a physical drive. There are other RSS readers you can try out on F-Droid. Not all of them are still actively maintained, though.

Android itself isn’t as privacy-focused as other operating systems like iOS. In general, Android provides way more system information to apps than iOS, although Android is limiting the provided information more and more. Permissions on Android are getting stricter over time too.

The same applies to background processes, which are disallowed in general on iOS devices. An app is only able to perform background tasks once every 15 minutes or at longer intervals. On Android, users can change background activity preferences or limit those completely.

I’m on Linux using the Mullvad VPN client from their repository. Using dnf update, the daemon disconnects after almost all kernel updates, and the dnf update process continues running, so there are 100% times when the Mullvad client has the potential to leak your IP address, and likely does. I believe this is well documented and acknowledged by the Mullvad team, so it’s just something I choose to live with.