OpenSource-Ghost Each carrier uses its own domains for WiFi calling and your phone should only try to resolve such domains if SIM card is inserted and active, but your phone continues to try to resolve those domains when connected to WiFi in Airplane mode even if SIM card is disabled + WiFi calling itself is disabled! That happens even if you remove SIM card and fully reset all network settings. The only way to stop your phone from trying to resolve such domains when connected to WiFi is to perform full factory reset and never insert a SIM card. If you insert SIM card and connect to your carrier network just one time after full factory reset, then your phone remembers your carrier. I think if you insert a SIM card from a different carrier, then it forgets previous carrier's WiFi calling domains and starts using new carrier's WiFi calling domains. This is already reported to GOS developers and marked as upstream Android bug (not GOS bug).

Does this mean that there is no benefit to turning off Wifi Calling since the phone will attempt to connect either way?

    roddyd
    No, if WiFi calling is off, the actual calling won't happen, but phone will continue to try to query WiFi calling domains over WiFi. Quering domains isn't the same as connecting to queried domains. Your phone will keep making queries for WiFi calling domains over WiFi, but it won't be doing any calling and won't be connecting to the WiFi domains it queries. The probolem is that the querying itself needlessly provides information (domain names) about your carrier to the network.

      OpenSource-Ghost Do you think it would be better to use mobile data or WiFi Calling in terms of overall privacy and security? On one hand the mobile network can determine your location, but on the other hand Wifi calling gives the carrier your IP and it gives the network your carrier brand. If you have to get calls and texts somehow, which do you choose?

        unwat Only one connection should be made outside of the VPN,

        The GrapheneOS endpoint to detect a captive portal?

          ve3jlg

          Yes, that's what I meant, but I was incorrect and forgot about the other stuff, like hotspot traffic, necessary pre-VPN connection traffic, and probably others I can't think of right now.

          Until OpenSource-Ghost shared what they know, I figured wifi calling would be tunneled through the user's VPN, but I was wrong. So, I did a search on Matrix and one of the devs said that wifi calling isn't "user" traffic, but rather is "telecom" traffic, so it doesn't go through the user VPN tunnel. Makes sense when you think about it, even if we don't like it.

            OpenSource-Ghost thanks for the helpful info. So if I now turn off WiFi calling, will my WiFi provider being able to see my mobile phone network?
            Or will my mobile network now be able to see my WiFi network?

              spiral

              Each carrier has its own and viewing Pi Hole log should make it obvious. Usually, domain either includes carrier name, like T-Mobile...Store...something-something, or it includes ePDG...MNC...MCC. It should be easy to find and it would show up every 15 or 30 or 60 seconds. Even if blocked in Pi-Hole, an attacker would know that your phone is trying to resolve a WiFi calling domain every 15 or 30 or 60 seconds and use that for WiFi password cracking or interception (if WiFi password is known). If attacker knows your IMSI + carrier WiFi calling domains + manages to crack WiFi password, then attacker can impersonate you.

              L8437

              If WiFi calling is disabloed, WiFi network provider would know that someone with a phone that uses whichever carrier WiFi calling domains (+ your carrier's MNC and MCC numbers) is using the network, but your carrier wouldn't receive any information.

              roddyd

              I prefer to disable WiFi calling and use WiFi only when in AIrplane mode IF router for that WiFi network does not use VPN. If router has VPN (OpenVPN or WireGuard) installed, then WiFi calling is more secure. Otherwise I reduce attack surface by using carrier cellular connection for unencrypted phone calls and SMS.

              unwat

              That's not entirely true... If router itself uses OpenVPN or WireGuard VPN to connect all clients, then WiFi calling does go through those OpenVPN or WireGuard tunnels. Because that is the case, the issue is that Android simply isn't designed to tunnel WiFi calling through installed VPN apps, it can very much be tunneled.

              I'd be happy if GrapheneOS developers at least stop WiFi calling domain resolution attempts over WiFi when WiFi calling is disabled. Domain name itself reveals MNC and MCC numbers for your carrier.

                OpenSource-Ghost

                Right. I was talking about VPNs on Android. If a router is set up to tunnel all traffic through a VPN, then it would be impossible for any device on that network to skip the VPN and connect directly.

                Maybe saying "user" and "telecom" traffic was what made what I said confusing. App traffic within a user profile goes through a VPN set up on the profile. Clearly wifi calling is a system thing, not a user thing.

                  OpenSource-Ghost I think it would be overly complicated and require major code re-write, but you would be better off asking developers themselves, even though they'd likely respond with something like "out-of-scope".

                  Why would they call this out of scope? It seems like this would be important to the goals of the project since it's leaking sensitive info.

                  @OpenSource-Ghost Not clear why you're making unsubstantiated claims about what we consider in the scope of the project or not especially when we have already filed planned features about adding more toggles and potentially disabling the feature by default which has been worked on already.

                    roddyd It's not a bug but rather is how Wi-Fi calling works, which is one reason why we're working on adding more toggles and potentially disabling it by default. If people want it to progress faster they should contribute.

                    GrapheneOS

                    The "out-of-scope" reference was in regard to forcing WiFi calling through user-installed VPN app tunnels like WireGuard or OpenVPN and/or forcing all cellular calls to use data plan to also have them be tunneled through VPN. Maybe I was wrong.., but I thought either of the 2 features mentioned above would require major Android code re-write and would be out-of-scope for GrapeneOS...

                    unwat Clearly wifi calling is a system thing, not a user thing.

                    As stated, this makes the surprising behaviour quite clear. Thanks.

                    There's a ton of recommendations here about disabling network access to apps to gain privacy.

                    GrapheneOS is already modifying system level components. It would be ideal if they optionally allowed routing to be configured so ALL traffic had to go via the user VPN component (or firewall/adblocker). This would ensure there are no unforeseen leaks for those who care.