Bug found

Rookie

i just found a combination of steps in order to remove always VPN on + Block Connections Without VPN to be disabled, even when phone and data is at rest (not unlocked after restart)

Steps to recreate:

Turn On Always VPN + Block connections without VPN or just always On

Lock Thr Phone and restart

Put it to Safe Mode

Bingo Safe Mode just disabled all settings and now your traffic is routed through without encryption

Worst Part After Leaving Safe Mode Settings Arent Recovered Back So Unless you notice it, your without VPN

Somehow It also Disables VPNs Ability To Autostart On boot so no auto connection either, ofc unless you notice it

N3rdTek

Rookie this would be upstream I believe, if it was an actual bug.
Please familiarize yourself with what safe mode is and what it does; this is normal functionality. The VPN would have to be installed at a system app in order to persist
https://www.technipages.com/what-is-safe-mode-on-android-and-what-you-can-do/
https://support.google.com/android/answer/7665064?hl=en

It bypasses always-on because enabling safe mode disables all user apps

de0u

Rookie Lock Thr Phone and restart

Put it to Safe Mode

Bingo Safe Mode just disabled all settings and now your traffic is routed through without encryption

How much network traffic is there before the first unlock?

Rookie Worst Part After Leaving Safe Mode Settings Arent Recovered Back So Unless you notice it, your without VPN

I have used safe mode, and for sure not all of my settings were lost. If VPN settings in particular are lost that might be a bug, especially if it happens for all VPN clients. Which VPN clients have you observed this happening with?

Rookie

de0u Mullvad VPN

missing-root

This is important!

An attacker could just reboot into safe mode and reboot again. As auto-reboot is a thing, especially when frequent the user would not be surprised the phone rebooted.

Having some basic wireguard app as system app would be great. It is somewhat big/ bloat, but may be essential. It is not orbot though, so not for generalized anonymity.

Arti is licensed under Apache V2 or MIT license which means it is fitting for GrapheneOS right? It is on 1.0.0 now. (Arti is an official rewrite of tor in Rust)

tor is licensed under 3-clause BSD as is Orbot.

Rookie

missing-root Yea that was my point, adversary can reboot me to safe mode and read traffic open

N3rdTek

missing-root auto-reboot performs a normal reboot, not reboot into safe-mode.
Even if it did/could, it doesn't bypass BFU

missing-root Having some basic wireguard app as system app would be great. It is somewhat big/ bloat, but may be essential. It is not orbot though, so not for generalized anonymity.

Arti is licensed under Apache V2 or MIT license which means it is fitting for GrapheneOS right? It is on 1.0.0 now. (Arti is an official rewrite of tor in Rust)

This is out of scope for GoS team, but you are welcome to fork and make a build including whatever you want. Just br sure to remove any GrapheneOS branding as it would no longer officially be GoS

de0u

Rookie Yea that was my point, adversary can reboot me to safe mode and read traffic open

But how much network traffic happens before the device is unlocked?

missing-root

N3rdTek yeah I can imagine you would say that and it is understandable.

"Simply Forking GrapheneOS" is not sustainable at all. So I dont see this as a real request.

Including for example the official Wireguard App would neutrally solve this problem, and users could still disable the app.

It is Apache 2.0 licensed btw.

So I dont see GrapheneOS implementing it. At the same time, it may be required for some threat models, or also for for example work phones.

The threat model is not completely clear, as no identifiable data is probably sent over whatever router the attacker would be on that may log the traffic.

The only solution would be allowing another small app into the empty system partition. The disadvantages, apart from maintenance, would be tiny, as people can just disable it.

But the other way around is not possible.

Another option would be allowing to disable safe mode.

de0u

missing-root The threat model is not completely clear, as no identifiable data is probably sent over whatever router the attacker would be on that may log the traffic.

Can somebody explicitly state one or more threatening scenarios? Here's what I can think of:

While I'm not looking at it, somebody reboots my phone into safe mode. Because it's BFU, it mostly just sits there. But I don't notice it's in safe mode, so I unlock it and all of my apps start communicating with their favorite servers without my VPN client being active.
Somebody confiscates my phone and reboots it into safe mode. Because it's BFU, it mostly just sits there. It might contact the GrapheneOS time servers or something like that, but because my user profiles are all locked, my VPN client isn't running and none of my other apps are running either, so they aren't making network connections.

Are there other potentially problematic scenarios? Or did I make mistakes above?