Help me understand Network toggle

indigomadelin

The official documentation states that

The device-local network (localhost) is also guarded by this permission, which is important for preventing apps from using it to communicate between profiles.

However, I recall the official GrapheneOS account mentioning that apps with the network toggle disabled still have access to the loopback interface. I may be mistaken, and it could have been a different issue related to the lo interface.

Another question concerns the purpose of the network toggle - what is it designed for? It doesn't prevent data exfiltration, since IPC remains available and could potentially be used to transfer data such as telemetry, ads, or benign content.

Delaney

indigomadelin Another question concerns the purpose of the network toggle - what is it designed for?

Well... It's for revoking network access to the app. You should consider it like any other runtime permission: Limiting what the app can do.

userofgos

indigomadelin Another question concerns the purpose of the network toggle - what is it designed for?

https://grapheneos.org/features#network-permission-toggle

nandohyphen1

indigomadelin I don't know how hard it is to understand the network toggle. It is a toggle that allows an app access to the internet if it is enabled.

userofgos

indigomadelin Another question concerns the purpose of the network toggle - what is it designed for? It doesn't prevent data exfiltration

Just came across another thread where the GrapheneOS project account explains (emphasis added): https://discuss.grapheneos.org/d/4024-in-what-extent-can-apps-communicate-with-each-other/10

The purpose of the Network toggle is not to be a data exfiltration toggle, and it shouldn't be used as one for multiple reasons. The focus is meant to be on carefully limiting the data you enter into apps and what they can access. You shouldn't be giving apps more access than you would otherwise based on the Network toggle being disabled. It's problematic if that's how people are using it. What if the apps screw up and have a locally exploitable vulnerability? They don't have to be malicious for that to be a problem. They could simply accidentally expose a service that's exploitable by other apps to gain control over them or leak the data unintentionally. Apps within a profile being able to communicate with mutual consent is not something unique in absolutely any way to sandboxed Google Play and it has no special ability to bypass the usual constraints on communication.

Trying to use Network as a complete data exfiltration toggle isn't the intended purpose, and you should always consider apps within the profile being able to communicate for ALL data and access including permissions. It is not something only relevant to Network.

indigomadelin

userofgos If I have quoted the docs, then I have read already.

indigomadelin

nandohyphen1 So you don't understand either.

userofgos

indigomadelin I didn't realise you had quoted from the docs until you pointed it out.

https://discuss.grapheneos.org/d/22889-meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/43

Dealing with loopback has been something we've wanted to do for a very, very long time. However, it is a very invasive change which is best done upstream. They are unlikely to do it so we will eventually have to take it on, but it won't be easy.

To substantiate what I'm saying, here's a post from March 2023 where we express that this is something we want to implement in the future:

https://x.com/GrapheneOS/status/1636042803623997440

The reason our Network toggle isn't granular is because those kinds of granular controls can generally by trivially bypassed. In the future, we do plan to split it into a toggle for external networking and internal (localhost, also known as loopback) networking within the device.

nandohyphen1

indigomadelin isn't that all it does? Thats all I've known it to do. I've never really done a deep dive into how it works.

Watermelon

userofgos Network permission is still good for blocking data infiltration :) (but this too can be bypassed by intercommunication between apps) indigomadelin