WiFi Certificate Install in Secondary Profile added to Main Profile

user1357

I am in university in the U.S. at the moment, and to access the campus network (Eduroam) on my mobile device, it was required that we install some app (SecureW2 JoinNow), and install their certificate.

I really did not want to install something in my main profile, so I installed the app and certificate in a new (blank) secondary profile. My objective was to then use this secondary profile as a hotspot for all my devices so I would not need to download the more invasive Cisco apps that take full control of DNS and do everything possible to become persistent on the device.

But when I log back into my main profile, the certificate is still present, so my main profile is authenticating to the network. This has caused some MAJOR concern for me.

With a certificate installed like this, does my use of a VPN on my Graphene device still ensure the network is not able to see internet traffic (including DNS) on both the main or secondary profiles?
I know the hotspot connection does not go through the phone's VPN, but if I then use an independent VPN on the devices which I connect to the hotspot, does that still protect that traffic?
On the main profile, when I go into Settings > Sec. and Priv. > More sec. and priv. > Enc. and Creds. > User Creds., I can see the installed credential. I am not currently on the Eduroam network, but the certificate is listed as "Installed for Wi-Fi (in use)". What is meant by "IN USE"? Even though I am on my home network, does this certificate still allow some kind of access? The "Uninstall" is greyed out.

I appreciate the info. and assistance!!

ryrona

user1357 With a certificate installed like this, does my use of a VPN on my Graphene device still ensure the network is not able to see internet traffic (including DNS) on both the main or secondary profiles?

It is probably just an 802.1x certificate that is used to authenticate to the network, instead of or in addition to using a password to authenticate to the network like you usually do with Wifi networks. It does not affect the function of VPNs at all. So yes, any VPN you have should still ensure the network cannot see any of your internet traffic, except for the fact that you use GrapheneOS and that you are using a VPN (and which one).

user1357 I know the hotspot connection does not go through the phone's VPN, but if I then use an independent VPN on the devices which I connect to the hotspot, does that still protect that traffic?

Yes, definitely. To each device connecting to your phone hotspot, your phone is just part of the untrusted internet, just like a Wifi router and all your ISP infrastructure would be. Not even your phone can read that VPN protected traffic. You could safely connect to any untrusted phone hotspot or Wifi network as long as the VPN is running on the device connecting to it.

user1357 On the main profile, when I go into Settings > Sec. and Priv. > More sec. and priv. > Enc. and Creds. > User Creds., I can see the installed credential. I am not currently on the Eduroam network, but the certificate is listed as "Installed for Wi-Fi (in use)". What is meant by "IN USE"? Even though I am on my home network, does this certificate still allow some kind of access? The "Uninstall" is greyed out.

It is unclear to me what you mean by this. The certificate is only used to prove to the network that you are allowed to connect to it. That is all. It is basically an ID card for your device, that your device will show to the network if requested.

user1357

ryrona Thanks! After looking into it further (networking is not my area of expertise), I found it listed as a WPA EAP IEEE8021X PEAP MSCHAPV2.0. I guess I could have simplified my question down to: "does this give them the ability to MITM my internet activity?" And you answered that.

After further googling, I am feeling much better about it. Thank you for your input.