roddyd
No, if WiFi calling is off, the actual calling won't happen, but the phone will continue to try to query WiFi calling domains over WiFi. Querying domains isn't the same as connecting to queried domains. Your phone will keep making queries for WiFi calling domains over WiFi, but it won't be doing any calling and won't be connecting to the WiFi domains it queries. The problem is that the querying itself needlessly provides information (domain names) about your carrier to the network.

    OpenSource-Ghost Do you think it would be better to use mobile data or WiFi Calling in terms of overall privacy and security? On one hand the mobile network can determine your location, but on the other hand Wifi calling gives the carrier your IP and it gives the network your carrier brand. If you have to get calls and texts somehow, which do you choose?

      unwat Only one connection should be made outside of the VPN,

      The GrapheneOS endpoint to detect a captive portal?

        ve3jlg

        Yes, that's what I meant, but I was incorrect and forgot about the other stuff, like hotspot traffic, necessary pre-VPN connection traffic, and probably others I can't think of right now.

        Until OpenSource-Ghost shared what they know, I figured wifi calling would be tunneled through the user's VPN, but I was wrong. So, I did a search on Matrix and one of the devs said that wifi calling isn't "user" traffic, but rather is "telecom" traffic, so it doesn't go through the user VPN tunnel. Makes sense when you think about it, even if we don't like it.

          OpenSource-Ghost thanks for the helpful info. So if I now turn off WiFi calling, will my WiFi provider be able to see my mobile phone network?
          Or will my mobile network now be able to see my WiFi network?

            spiral

            Each carrier has its own, and viewing the Pi-hole log should make it obvious. Usually, the domain either includes the carrier name, like T-Mobile...Store...something-something, or it includes ePDG...MNC...MCC. It should be easy to find, and it would show up every 15 or 30 or 60 seconds. Even if blocked in Pi-hole, an attacker would know that your phone is trying to resolve a WiFi calling domain every 15 or 30 or 60 seconds and use that for WiFi password cracking or interception (if the WiFi password is known). If an attacker knows your IMSI + carrier WiFi calling domains + manages to crack the WiFi password, then the attacker can impersonate you.
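The periodic ePDG lookups described in this post (and the earlier point that a phone with WiFi calling disabled still resolves these names) can be confirmed from a resolver log. The script below is an added example, not code from the thread or from the GrapheneOS project: it parses a few constructed Pi-hole/dnsmasq-style log lines, matches the 3GPP naming scheme `epdg.epc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org`, and reports per client which carrier identifiers leaked and how regularly the queries repeat. The log format, client addresses and timestamps are constructed; the MCC/MNC pair is only a sample value.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in dnsmasq/Pi-hole log format (not captured traffic).
# Note the "config ... is 0.0.0.0" line: Pi-hole blocked the name, but the
# query itself still reached the resolver and is visible in the log.
SAMPLE_LOG = """\
Jan 10 12:00:00 dnsmasq[712]: query[A] epdg.epc.mnc260.mcc310.pub.3gppnetwork.org from 192.168.1.23
Jan 10 12:00:00 dnsmasq[712]: config epdg.epc.mnc260.mcc310.pub.3gppnetwork.org is 0.0.0.0
Jan 10 12:00:15 dnsmasq[712]: query[A] example.com from 192.168.1.40
Jan 10 12:00:30 dnsmasq[712]: query[A] epdg.epc.mnc260.mcc310.pub.3gppnetwork.org from 192.168.1.23
Jan 10 12:01:00 dnsmasq[712]: query[AAAA] epdg.epc.mnc260.mcc310.pub.3gppnetwork.org from 192.168.1.23
Jan 10 12:01:30 dnsmasq[712]: query[A] epdg.epc.mnc260.mcc310.pub.3gppnetwork.org from 192.168.1.23
"""

# One dnsmasq "query[...]" line: timestamp, record type, name, client address.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>\w+)\] (?P<host>\S+) from (?P<client>\S+)$"
)

# 3GPP operator naming: the MNC and MCC labels identify the carrier directly.
GPP_RE = re.compile(r"mnc(?P<mnc>\d{3})\.mcc(?P<mcc>\d{3})\.pub\.3gppnetwork\.org$")


def find_wifi_calling_queries(log_text):
    """Summarise, per client, queries for carrier ePDG/3GPP domains.

    Returns a list of dicts with the client address, the leaked MCC/MNC,
    the hostname, the number of queries and the median interval between
    them in seconds (None when fewer than two queries were seen).
    """
    hits = defaultdict(list)  # client -> [(timestamp, host, mnc, mcc)]
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # blocked-answer lines, cached replies, etc.
        g = GPP_RE.search(m["host"].lower())
        if not g:
            continue  # ordinary query, not a carrier domain
        # dnsmasq omits the year; intervals are unaffected.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        hits[m["client"]].append((ts, m["host"], g["mnc"], g["mcc"]))

    reports = []
    for client, entries in sorted(hits.items()):
        entries.sort()
        times = [e[0] for e in entries]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        reports.append({
            "client": client,
            "host": entries[0][1],
            "mnc": entries[0][2],
            "mcc": entries[0][3],
            "queries": len(entries),
            "median_interval_s": median(gaps) if gaps else None,
        })
    return reports


if __name__ == "__main__":
    for r in find_wifi_calling_queries(SAMPLE_LOG):
        print(f"{r['client']}: MCC {r['mcc']} MNC {r['mnc']} via {r['host']}, "
              f"{r['queries']} queries, median gap {r['median_interval_s']}s")
```

Run against a real `/var/log/pihole.log` the same function shows what any observer of the WiFi network's DNS traffic can learn: the carrier (from MCC/MNC) and a steady heartbeat of lookups, regardless of whether Pi-hole answers them with 0.0.0.0. Blocking the name at the resolver removes the answer, not the evidence.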

            L8437

            If WiFi calling is disabled, the WiFi network provider would know that someone with a phone that uses whichever carrier WiFi calling domains (+ your carrier's MNC and MCC numbers) is using the network, but your carrier wouldn't receive any information.

            roddyd

            I prefer to disable WiFi calling and use WiFi only when in Airplane mode IF the router for that WiFi network does not use a VPN. If the router has a VPN (OpenVPN or WireGuard) installed, then WiFi calling is more secure. Otherwise I reduce attack surface by using the carrier cellular connection for unencrypted phone calls and SMS.

            unwat

            That's not entirely true... If the router itself uses an OpenVPN or WireGuard VPN to connect all clients, then WiFi calling does go through those OpenVPN or WireGuard tunnels. Because that is the case, the issue is that Android simply isn't designed to tunnel WiFi calling through installed VPN apps; it can very much be tunneled.

            I'd be happy if GrapheneOS developers at least stop WiFi calling domain resolution attempts over WiFi when WiFi calling is disabled. Domain name itself reveals MNC and MCC numbers for your carrier.

              OpenSource-Ghost

              Right. I was talking about VPNs on Android. If a router is set up to tunnel all traffic through a VPN, then it would be impossible for any device on that network to skip the VPN and connect directly.

              Maybe saying "user" and "telecom" traffic was what made what I said confusing. App traffic within a user profile goes through a VPN set up on the profile. Clearly wifi calling is a system thing, not a user thing.

                OpenSource-Ghost I think it would be overly complicated and require major code re-write, but you would be better off asking developers themselves, even though they'd likely respond with something like "out-of-scope".

                Why would they call this out of scope? It seems like this would be important to the goals of the project since it's leaking sensitive info.

                @OpenSource-Ghost Not clear why you're making unsubstantiated claims about what we consider in the scope of the project or not, especially when we have already filed planned features about adding more toggles and potentially disabling the feature by default, which has been worked on already.

                  roddyd It's not a bug but rather is how Wi-Fi calling works, which is one reason why we're working on adding more toggles and potentially disabling it by default. If people want it to progress faster they should contribute.

                  GrapheneOS

                  The "out-of-scope" reference was in regard to forcing WiFi calling through user-installed VPN app tunnels like WireGuard or OpenVPN and/or forcing all cellular calls to use the data plan to also have them be tunneled through the VPN. Maybe I was wrong... but I thought either of the 2 features mentioned above would require a major Android code re-write and would be out-of-scope for GrapheneOS...

                  unwat Clearly wifi calling is a system thing, not a user thing.

                  As stated, this makes the surprising behaviour quite clear. Thanks.

                  There's a ton of recommendations here about disabling network access to apps to gain privacy.

                  GrapheneOS is already modifying system level components. It would be ideal if they optionally allowed routing to be configured so ALL traffic had to go via the user VPN component (or firewall/adblocker). This would ensure there are no unforeseen leaks for those who care.

                    ve3jlg

                    I found it helpful to think of it like traditional networking.

                    There is no Layer 3/4 firewall. You cannot block/allow by IP or TCP/UDP port.
                    But there is Layer 2 port security. Users can entirely disable/enable networking for individual apps. Like controlling physical ports on a 48-port switch, where every app gets a port.
                    The user has control over the "user switch", but there is also a core switch upstream that users cannot control. Telecom services such as tethered devices and wifi calling use this backend network equipment.