Carrier chooses to use Firebase server for provisioning

DeletedUser50

Hi,
first time posting, not very tech-savvy, and not english-speaker. Pls excuse some of the wording !

The background:
. brand new Pixel 8a
. install grapheneOS using the web-based installer
. no apps installed, no OS parameter changed, no app permissions changed
. only changed the DNS to nextDNS.io (set to my account with multiple filter, especially all of Google's, MS's, facebook's URL)
. started the device offline. to confirm everything runs OK. confirmed all good.
. restarted with my my SIM card inserted
. swithched on the data

Simulteniously, I was looking on my laptop at my nextDNS.io account: I saw multiple DNS requests to the graphene servers (as well described on the grapheneOS website), and, to my surprise, an attempted DNS request to firebaseinstallations.googleapis.com.
My nextDNS.io filters blocked the request.

It has now been 2 weeks; I sew around 10 DNS requests per day to firebaseinstallations.googleapis.com which I can't explain.

. at this point I've installed a few apps from f-droid (including ProtonVPN, hence a risk of confusion with this concern https://discuss.grapheneos.org/d/12728-proton-apps-pinging-google-api-sending-reports-back-after-opting-out), but that wouldn't explain the DNS requests I saw before installing any apps.

My theory (I don't know if it's realistic) is the the DNS request may come from the 'Sim Toolkit' app (which renamed itself 'Services *****', the name of my mobile phone operator), or similar app the the SIM card or mobile phone provider can interact with.

Is there any way for me to know which app or service is making those DNS requests?
I'm looking into RethinkDNS but it might be above my tech skills.

DeletedUser95

DeletedUser50

While it's likely nothing malicious going on I too like to know what connections my apps are making. firebaseinstallations.googleapis.com is a connection that can come from a lot of apps on Android and even in some cases some websites.

DeletedUser50 Is there any way for me to know which app or service is making those DNS requests?

While I really don't know what could be making these requests

Rethink as you mentioned could be a good idea as it gives more clear logging. Plus thanks to how rethink works you could use it in combination with nextDNS by configuring rethink to use a custom resolver which isn't too hard. I would suggest setting it up as DNS Over HTTPS if you do

Now as far as it being out of your tech skills here are my suggestions if you want to attempt it anyways.

Don't change any setting you don't understand
Take it slowly and try to understand each configuration page and what needs configuring. You don't have to actually have it active to configure it so you can keep your current setup going and leave it deactivated while you try to figure it out

Good luck and I hope you figure out someway to identify it if not rethink!

ignoramous

rdns dev here

DeletedUser95 Good luck and I hope you figure out someway to identify it if not rethink!

Ironic that our github readme points out that folks mustn't require a PhD in CS to use Rethink; and yet...

DeletedUser50 I'm looking into RethinkDNS but it might be above my tech skills.

Any multi-modal LLM is able to answer questions if given a screenshot from Rethink and most LLMs (esp the ones that can "browse the web") can answer many questions on Rethink (from our subreddit r/rethinkdns and github issues / discussions).

DeletedUser95

ignoramous

Firstly I am. Really appreciative of what you do I really am. I love how Rethink is made it feels like a all in one solution for VPN slot related activities that at the same time doesn't feel horrendous but rather really fantastic to use!
Now with that out of the way.

ignoramous Ironic that our github readme points out that folks mustn't require a PhD in CS to use Rethink; and yet...

I agree! I actually find Rethink really simple and easy to pick up and I actually use it a fair amount (I am considering using it more often possibly even consistently) which is why I was fairly suggesting of going that route!

DeletedUser95 Good luck and I hope you figure out someway to identify it if not rethink!

I only said this because well. Some things just aren't for everyone (I had tried to introduce Rethink to some people before and they just weren't really understanding how to use it) and the person said they weren't the most tech savvy. I really wasn't meaning to imply anything by that other than if Rethink didn't work out for them then I hope they would be able to find another way.

Apologies if I wasn't originally clear enough I am not the best at properly explaining things that I mean sometimes.

Byku

+1 for Rethink. You can check per app connections with it. UI is pretty straightforward and you are not required to use every feature it offers.

DeletedUser50

Thanks all for your feedback.
I installed RethinkDNS; turns out it's quite user friendly even for a non-techy person.

The connection to firebaseinstallation.googleapis. com is made by com.android. imsserviceentitlement
I guess the post below is correct:
https://github.com/GrapheneOS/os-issue-tracker/issues/2223

Google play is not installed on my phone, contrary to what the answer from the post on Gifhub suggests.

Let me know if i can do anymore test to show more details about this concern on my device.
Also, how to get the attention of the developpers of GOS to this concern?
Anf how to fix it in the short-term on my phone?

DeletedUser50

DeletedUser50 I've checked what i was able to on my phone: com.android.imsserviceentitlement connects after every reboot (and it seems multiples times a day) to both 3gppnetwork.org and firebaseinstallation.googleapis.com

I'm tempted to simply remove network permission to the app, but I don't know how it's gonna affect WiFi calling/sms, VoLTE and those functions of this app.

de0u

DeletedUser50 I've checked what i was able to on my phone: com.android.imsserviceentitlement connects after every reboot (and it seems multiples times a day) to both 3gppnetwork.org and firebaseinstallation.googleapis.com

DNS queries are not really the same thing as connections. Are you seeing DNS queries, non-DNS UDP traffic, non-DNS TCP traffic, ...?

Is Wi-Fi calling on or off?

DeletedUser50

de0u I'm afraid I'm at my limit of technical knowledge, I don't know the answer to your question (or how to find the answer).
I can see in RethinkDNS that each connection to firebaseinstallation.googleapis.com sends about 1 KB of data and receives about 6 KB, which seems like a high number for just a 'ping'. The numbers are roughly the same for 3gppnetwork.org

Yes, wifi calling was on. But WiFi was off; I only use cell data (but I want to keep the ability to use WiFi calling when I travel)

DeletedUser50

de0u DeletedUser95 ignoramous
It took me a bit of time, but I've reset my phone to confirm the unwanted connexion to firebasinstallations.googleapis.com

Here is how I proceeded in order to interfere as little as possible with the installation of grapheneos:
. factory reset
. go through the initialisation process with the few confirmation clicks (no wifi connexion, no sim card in the phone)
. restart
. set private DNS to a new nextDNS account with no filters set (left the wifi calling off, as by default)
. switch off the phone and insert sim card
. restart and switch on the internet connexion for my sim (a major French mobile network provider)

within seconds I can see some DNS requests on the nextDNS.io account:
. several connexions to grapheneos servers (.org, .online, supl, etc.)
. one connexion to firebasinstallations.googleapis.com (no connexion to 3gppnetwork.org)

I waited one hour with interacting with the phone other than waking up the screen, and saw no other DNS request.
Restarted the phone (data left on during the reboot), and saw a similar patern of DNS requests in the first few seconds after the reboot:
. several connexions to grapheneos servers (.org, .online, supl, etc.)
. one connexion to firebasinstallations.googleapis.com (no connexion to 3gppnetwork.org)

I waited again one hour with minimal interaction with the phone other than waking up and unlocking the screen, and saw no new DNS request.

Just 2 minutes ago, installed f-droid, installed and setup rethinkDNS, rebooted.
On reboot, I can see the network activity:
. DNS requests on nextDNS.io for both firebasinstallations.googleapis.com and 3gppnetwork.org
. In RethinkDNS, I can see that com.android.imsserviceentitle is resposible for both requests
- to firebasinstallations.googleapis.com sent 855 B and received 6.0 KB
- to 3gppnetwork.org sent 1.0 KB and received 5.5 KB

Because of the few descriptions I found online of com.android.imsserviceentitle, I guess it is indeed a carrier specific thing. I suspect my carrier is able to interact with grapheneos and get it to connect to whatever server they want.

I'd love to hear your thought, and even more from the development team (or someone able to read through the code).

Maybe the dev team should caution of this type of connexion on this section https://grapheneos.org/faq#default-connections of their website.

It's already a very long post, I take this this opportunity to write how awesome GrapheneOS is. I've been free of Google, MS, all social networks on my computer. I switched to Linux a year ago, and went full-on tin-foil hat with no-google no-MS no-facebook no-X no-adds filters in ublock origin, in hosts file, at DNS level, and it's been glorious.
With GrapheneOS, apart from this unwanted/unexplained connexion to firebaseinstallations.googleapis.com , this final step towards my no-big-tech life has been really easy.

de0u

DeletedUser50 Yes, wifi calling was on. But WiFi was off; I only use cell data (but I want to keep the ability to use WiFi calling when I travel)

It would be interesting to see whether turning Wi-Fi calling off puts a stop to that network traffic. I think it's plausible but not certain.

ignoramous

DeletedUser50 can see in RethinkDNS that each connection to firebaseinstallation.googleapis.com sends about 1 KB of data and receives about 6 KB

If it is a TLS / HTTPS connection, then 3KB to 4KB of it could be just the "TLS Handshake" (certs, key exchange params, protocol extensions, etc)

DeletedUser95 had tried to introduce Rethink to some people before and they just weren't really understanding how to use

I am aware. This is pretty common (: I'm now nudging folks to use LLMs as helper / assistant. Must say, it sounds ridiculous to some... 🥶

DeletedUser95 Really appreciative of what you do I really am

Thank you (and you didn't really have to apologize when I was infact agreeing with you).

DeletedUser50

Turning off wifi calling doesn't stop the connections to firebaaeinstallations.googleapis.com

I'm tempted to factory reset the phone, and repeat the exact same initial setup process i described in my first post above, just to screen capture on nextDNS.io the connection made by com.android.imsserviceentitlement
And then reactivate the ticket https://github.com/GrapheneOS/os-issue-tracker/issues/2223
I can see that grapheneos does indeed connect to firebaseinstallations on the very first 'sim data available', at least with my sim card.

DeletedUser87

I haven't seen any connections to firebase* from my owner profile in my DNS logs, so I guess this is carrier dependant.

DeletedUser95

DeletedUser50

Well if it really is just coming from the carrier connections I'd say there isn't too much to worry about. Yeah it kind of sucks that is there but realistically the truth is most people depend on one or two or more apps that will make the same connection anyways. As I said firebaseinstallations.googleapis.com is a very common connection in the world of AOSP/Android.

You could have nextDNS continue to block it though and see what happens. If it continues to work fine then you could just leave it that way and not worry about it.

Do keep in mind you can always use Rethink and nextDNS in combination too if you want to have all the benefits of nextDNS while having the awesome benefits of Rethink as well so you can continue keeping a better eye on your apps.

Either way I'm glad you are enjoying GrapheneOS and hope you continue to do so!

GrapheneOS

DeletedUser50 This is a carrier-related connection caused by how your carrier works, not a default connection made by GrapheneOS. Default connections section in the FAQ is not supposed to include connections only made with specific carriers. There's no carrier by default and not everyone has a carrier using Firebase-based provisioning.

GrapheneOS

The misinformation someone posted in that old issue on our tracker has been removed since clearly debunking it there wasn't enough.