Setting up a W50PRO
Analyzing the Da Fit log file found under Settings > Apps > Da Fit > Logs, you would be right to be concerned. The log shows a significant amount of network activity, with data being sent to servers in China. This is the biggest red flag for privacy and security.
Here are the key findings from the log:
Major Red Flags
Extensive Telemetry and Data Collection: The app is constantly collecting and uploading detailed user data. This includes:
- Device Information: Your phone’s model, OS version, unique device IDs (deviceId, mac, uuid, oaid), and screen resolution.
- Location Data: Your phone’s country, city, and even latitude/longitude coordinates (lat, lng).
- Network Information: Your mobile carrier (MCC/MNC codes), network type (Wi-Fi, 5G), and IP address.
- App Usage: Detailed logs of when you open the app, which features you use, and for how long. Every interaction seems to be logged and sent.
- Health Data: While the log snippet doesn’t contain raw heart rate or sleep data, it shows the app is configured to upload it. It’s being sent to endpoints like /m/gw/healthdata/upload.
Data Sent to China: All network requests point to domains hosted on Alibaba Cloud (aliyuncs.com) in China:
- da-fit-api.sfyservice.com (Hangzhou)
- da-fit-log.sfyservice.com (Hangzhou)
- dcdyn-crs.aliyuncs.com
- sg-ufile-cdn.hzank.com (also hosted on Alibaba Cloud)
This means your personal and health data is being stored and processed on servers under Chinese jurisdiction, which has very different privacy laws compared to Western countries.
Aggressive Tracking and Analytics: The log shows the app using multiple analytics and tracking SDKs (Software Development Kits), likely for advertising and user profiling. The sheer volume of log and event uploads is excessive for a simple fitness app.
Unclear Data Encryption: While the app uses HTTPS for communication, the data itself is being collected and sent in such large quantities that the security of the server is now the primary concern, not just the transport.
Specific Log Examples
- ...&lat=REDACTED&lng=REDACTED&countryCode=US&city=REDACTED&province=...: This line is part of a request that sends your precise location.
- ...&deviceId=...&mac=...&oaid=...: This shows your device’s unique hardware identifiers being sent.
- POST /m/gw/healthdata/upload: This endpoint is specifically for uploading your health data.
- POST /m/gw/log/upload: This endpoint is used constantly to upload detailed logs of your in-app behavior.
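To make the log review above repeatable, here is a small audit script added as an example (it is not part of the original post or the Da Fit app). It scans request lines for the identifiers and upload endpoints called out above and tallies them per destination host; the log line layout and all parameter values are constructed for illustration, so the regex may need adjusting to match a real export.

```python
# Added example (not from the original post): audit Da Fit-style request log
# lines for the telemetry parameters and upload endpoints discussed above.
# The "<timestamp> <tag>: <METHOD> <URL>" layout is an assumption made for
# this example; a real Da Fit log export may look different.
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Query parameters the post identifies as device / location telemetry.
SENSITIVE_PARAMS = {"deviceId", "mac", "uuid", "oaid", "lat", "lng", "city", "countryCode"}
# Endpoints the post identifies as health-data and behaviour-log uploads.
SENSITIVE_PATHS = {"/m/gw/healthdata/upload", "/m/gw/log/upload"}

# Matches "<METHOD> <URL>" anywhere in a line; any prefix (timestamp, tag) is ignored.
REQUEST_RE = re.compile(r"\b(GET|POST|PUT)\s+(https?://\S+)")

# Constructed sample lines; identifier values are placeholders, not real captures.
SAMPLE_LOG = """\
01-02 09:15:01 I/Net: POST https://da-fit-log.sfyservice.com/m/gw/log/upload?deviceId=dev-0001&mac=00:11:22:33:44:55&oaid=oa-xyz
01-02 09:15:02 I/Net: POST https://da-fit-api.sfyservice.com/m/gw/healthdata/upload?uuid=uu-1234
01-02 09:15:03 I/Net: GET https://da-fit-api.sfyservice.com/m/gw/config?lat=REDACTED&lng=REDACTED&countryCode=US&city=REDACTED
01-02 09:15:04 I/Net: GET https://sg-ufile-cdn.hzank.com/firmware/w70pro.bin
01-02 09:15:05 D/UI: screen=Dashboard opened
"""

def audit_log(text):
    """Return request counts per host, sensitive params seen, and sensitive endpoints hit."""
    hosts, params, endpoints = Counter(), Counter(), Counter()
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a network request line (UI/debug noise)
        url = urlsplit(m.group(2))
        hosts[url.hostname] += 1
        for name in parse_qs(url.query, keep_blank_values=True):
            if name in SENSITIVE_PARAMS:
                params[name] += 1
        if url.path in SENSITIVE_PATHS:
            endpoints[url.path] += 1
    return {"hosts": dict(hosts), "params": dict(params), "endpoints": dict(endpoints)}

if __name__ == "__main__":
    for section, counts in audit_log(SAMPLE_LOG).items():
        print(f"{section}:")
        for key, n in sorted(counts.items()):
            print(f"  {key}: {n}")
```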
Recommendations
Given that you’re using GrapheneOS, you clearly value your privacy. This app is fundamentally at odds with that goal.
Stop Using the App: The most secure option is to stop using the Da Fit app immediately. The level of data collection is extreme and poses a significant privacy risk.
Revoke Network Access: Since you’re on GrapheneOS, you have powerful tools. Go to Settings > Apps > Da Fit > Network permissions and revoke both Wi-Fi and mobile data access. This will effectively sever the connection to the Chinese servers.
Assess Watch Functionality: With network access revoked, test what the watch can still do.
- Bluetooth Sync: The watch should still be able to sync time, notifications, and possibly even basic health data to your phone via Bluetooth.
- Data Storage: The watch itself will likely store your health and sleep data locally. The problem is you won’t be able to view it easily without the app’s cloud backend. Some watches allow you to export data directly via Bluetooth to third-party apps, but this is rare on budget devices.
Consider Alternative Hardware: If revoking network access makes the app unusable and you can’t access your data, your best long-term solution is to replace the W70PRO. Look for fitness trackers and watches from brands that are transparent about their data practices and allow for local data storage or syncing with open-source platforms (like Garmin, which is often a favorite in the privacy community, though it’s not perfect).
In summary: Your instincts are correct. The network access for the Da Fit app is a massive privacy issue, turning your personal and health data into a product for a company in China. The best course of action is to cut its network access and consider more privacy-respecting hardware.
Using a GrapheneOS scoped storage profile is an excellent and highly effective strategy to achieve exactly what I’m describing. It’s a more robust and granular solution than simply revoking network permissions.
Here’s how you can set it up and what it will accomplish for you:
How to Set Up a Scoped Profile for Da Fit
- Create a New User Profile: Go to Settings > System > Multiple users > Add user. Create a new user profile. You can name it something like “Fitness” or “Da Fit”.
- Switch to the New Profile: Select the new profile to switch into it. It will be a clean slate, like a new phone.
- Install Da Fit: Install the Da Fit app only within this new profile. Do not install it on your main user profile.
- Configure the Profile’s Permissions: This is the most important step. Go to Settings > Apps > Da Fit > App permissions and configure them as follows:
  - Storage: Grant access to Files and media (or Photos and videos).
  - Bluetooth: Allow. This is essential for connecting to your watch.
  - Location: Deny. This is critical. You are explicitly telling the OS the app cannot access location.
  - Network: Deny both Wi-Fi and Mobile data. This is the master switch to prevent data exfiltration.
  - Microphone, Camera, Contacts, etc.: Deny all other permissions the app requests but doesn’t need.
- Pair Your Watch: Open Da Fit in this profile and go through the Bluetooth pairing process with your W70PRO watch.
- Use and Switch: Your day-to-day phone use remains on your main profile. When you need to sync your watch or view your data, you simply switch from the quick settings tile to the “Fitness” profile, open Da Fit, and let it sync.
What This Scoped Profile Achieves
This setup gives you the best of both worlds by leveraging GrapheneOS’s core security model:
Functionality is Preserved: The app can still communicate with the watch via Bluetooth. It can receive the raw health data (sleep, exercise, heart rate) and store it locally within its own sandboxed container on that profile.
Location is Enforceably Blocked: By denying the Location permission at the OS level, the app cannot access your GPS or network-based location. Even if the code tries to grab coordinates, the OS will return nothing or a default value, effectively neutering that part of the telemetry.
Data is Contained and Localized:
- Network Isolation: With network access denied, the app is air-gapped. It cannot send the health data it collects to any server. The data remains on the device, trapped within the Da Fit app’s sandbox on that specific user profile.
- Profile Isolation: Your main profile is completely isolated. The Da Fit app and its data cannot see or interact with any of your personal apps, files, or data on your primary profile. If the Da Fit app contained malware, it would be confined to the “Fitness” profile and unable to access your Signal chats, browser, or photos.
Granular Control: You can now use the app to view your sleep and exercise charts because the data is being stored locally on the phone. The only thing you lose is the cloud backup and any “smart” features that require server-side processing.
Potential Limitation
The only potential issue is if the Da Fit developers foolishly made the app crash or refuse to function without a network connection. Many apps do this. However, since I already had it running with network revoked, it’s very likely it will continue to work perfectly within the scoped profile.
In summary, creating a dedicated, network-blocked user profile for Da Fit is the textbook GrapheneOS way to handle this. It allows you to use the hardware for its intended purpose while enforcing strict privacy boundaries through the operating system, which is far more reliable than trusting an app’s settings.