GrapheneOS

The "out-of-scope" reference was in regard to forcing WiFi calling through user-installed VPN app tunnels like WireGuard or OpenVPN and/or forcing all cellular calls to use the data plan so they are also tunneled through the VPN. Maybe I was wrong, but I thought either of the 2 features mentioned above would require a major Android code rewrite and would be out of scope for GrapheneOS...

unwat Clearly wifi calling is a system thing, not a user thing.

As stated, this makes the surprising behaviour quite clear. Thanks.

There's a ton of recommendations here about disabling network access to apps to gain privacy.

GrapheneOS is already modifying system level components. It would be ideal if they optionally allowed routing to be configured so ALL traffic had to go via the user VPN component (or firewall/adblocker). This would ensure there are no unforeseen leaks for those who care.

    ve3jlg

    I found it helpful to think of it like traditional networking.

    There is no Layer 3/4 firewall. You cannot block/allow by IP or TCP/UDP port.
    But there is Layer 2 port security. Users can entirely disable/enable networking for individual apps. Like controlling physical ports on a 48 port switch, where every app gets a port.
    The user has control over the "user switch", but there is also a core switch upstream that users cannot control. Telecom services such as tethered devices and wifi calling use this backend network equipment.

      Graphite This is an interesting analogy.

      But if I were to extend it, I'd say the current situation is sort of like a managed ethernet switch requiring access to someone else's computer to configure traffic management, i.e. VLANs, or not even going that far, pinging home.

      Hmm. Actually it is worse than that I think. If an ethernet switch on my LAN is snitchy I can easily block its outbound traffic at L2 or L3. Because my phone is on someone else's cellular network some of the time I cannot block that traffic except in the phone's network stack or at the other end of a VPN I control.

      Gee, are you saying that tethered devices also do not get routed via an on-phone VPN?

        ve3jlg are you saying that tethered devices also do not get routed via an on-phone VPN?

        Yes. It's a feature I really want. But carriers fought that fight and won a long time ago. They wanted people to pay extra for every Mbyte of tethered data, as if tethering was a feature offered by the carrier.

          Graphite I've always wondered why tethering didn't go through a VPN. So it was a feature purposely made separate due to the billing?
          See, I used to try to turn on the hotspot and the network would see it as tethering. So I used to put the SIM card in a WiFi router and then it thought it was a phone.

          It would be so good to have all traffic go through a VPN.

          unwat

          wifi calling isn't "user" traffic, but rather is "telecom" traffic, so it doesn't go through the user VPN tunnel. Makes sense when you think about it, even if we don't like it.

          When I first saw this thread I didn't like it either, but having thought about it some since then, in some scenarios I realized I would actually prefer this behavior to having Wi-Fi calling routed over VPN. (In some other specific scenarios, I of course don't like it at all.)

          Above some reasonable baseline level of security and privacy, one of the more easily-definable portions of my threat model relates to ad tech and behavioral fingerprinting for the purposes of building consumer profiles which are sold, traded, and otherwise monetized with little regard to personal privacy.

          If my carrier already knows my phone is at [store] in [city x] on [date] I don't particularly care that they additionally know I have a Wi-Fi connection at [store] with no cell signal in [city x]. But I would be particularly troubled if I'm researching, for example, medical products over VPN while standing in that store, and a clearinghouse can later associate my search queries with carrier IP logs, which is what could (and eventually certainly would) happen if Wi-Fi calling activity was piped over the same profile's VPN interface.

          If there was a privacy-respecting carrier I would happily switch, but the practical options are all similar degrees of terrible in that regard, so by using their service I'm already conceding some ground which doesn't get much worse by having Wi-Fi calling route out directly, except in some specific scenarios I will outline at the end.

          What would bother me far more is if unavoidable carrier activity (e.g., Wi-Fi calling network checks) was routed over VPN against my will, at which point my carrier is free to sell my VPN IP address (and all related activity which they are able to scrape) to people wanting to integrate it into their consumer profiling.

          This is why I have some still-unanswered questions surrounding what apps in a given profile can see about the network interfaces of the device (within the same profile or outside), and whether private IPs are available to be logged by apps, because if they are, then any network-connected app potentially seriously undermines a threat model that makes a strong attempt to sidestep much of the ad tech hellscape in which we find ourselves.

          It's not difficult to imagine scenarios in which routing it over anything but the active connection for the profile could be disastrous (think: journalists/activists taking a meeting in the headquarters of an organization to which the host government is hostile, and needing to use Wi-Fi during the meeting), but that threat model is less likely to present an issue to most. Even for those same people, reconstructing web logs with IP logs would pose its own kind of threat. Ideally we would have the option of selecting whether or not carrier functionality happens over the cellular connection, VPN connection, or not at all, as there are legitimate reasons to prefer or avoid any one of them.

          8 months later

          Has this security issue been addressed? I'm new here, new to GOS, and have searched through many threads for an update but haven't found one. I'm not certain that I understand this situation completely, or if it's still an issue, but it sounds like the statements from the FAQ, "Enabling airplane mode disables the cellular radio, but Wi-Fi can be re-enabled and used without activating the cellular radio again. This allows using the device as a Wi-Fi only device" and "Airplane mode is the only way to avoid the cellular network tracking your device and works correctly on the devices we support", are not the exciting way to get around carrier privacy violations that I was hoping they would be? Am I understanding it right that WiFi is no more private as a form of calling and messaging than connecting through a cellular carrier? Additionally, this is a long post, and much has been said, but I think I remember someone saying something about a privacy-centric cellular carrier, and the MVNO that Librem owns, Librem AweSIM and SimpleSIM, claims to function as such, but I wonder, do the providers of their service have access to the data that Librem claims not to collect, store and share? The way that data travels, is it even possible to be a privacy-centric carrier?

          Also, what about running an app like InviZible Pro with Orbot and Purple I2P that claims to hide your IP among other things? Would that compensate for the problem of information leaked via the way info doesn't flow through the VPN?

          Does this issue also affect the privacy and security of end-to-end encryption services over WiFi?

            OpenSource-Ghost

            Please, advise... I'm trying to understand this...

            OpenSource-Ghost Carrier WiFi calling uses IPSec tunnel, which is an old and insecure VPN protocol and usage of WiFi calling opens you to more attack surface

            So, are you saying that Carrier Wi-Fi calling is open to more attack surface? WiFi calling, in general? Or that WiFi calling via Carrier WiFi calling enabled is open to more attack surface? And what do you mean by more attack surface? More than simply using a SIM and carrier for communication?

            OpenSource-Ghost Each carrier uses its own domains for WiFi calling and your phone should only try to resolve such domains if SIM card is inserted and active, but your phone continues to try to resolve those domains when connected to WiFi in Airplane mode even if SIM card is disabled + WiFi calling itself is disabled!

            I have read this over and over again, and can't wrap my head around it. You're saying that if you insert a SIM, your phone will endlessly try and resolve carrier WiFi domains, with the SIM card disabled, whilst connected to WiFi, in airplane mode, with WiFi calling disabled? How? Why? If the phone isn't asked to connect to WiFi, why would it be trying to resolve domains? Is this the same regardless of your phone's DNS settings?

            OpenSource-Ghost Carrier WiFi calling doesn't use specified private DNS servers from Android settings. It uses WiFi network's specified DNS addresses.

            In light of this, I guess that means that your phone's DNS settings are irrelevant. So, it uses WiFi specified DNS? Meaning the home network that you are using, for instance, not the carrier's WiFi network? And if you are referring to your home WiFi Network, can anything be done on that end with DNS and VPN settings that would make a difference? Is this problem all due to the eternal attempt to resolve domain?! Whether WiFi calling is enabled or disabled, it's all the same? This is super confusing.

            OpenSource-Ghost That means the WiFi network to which you connect immediately knows that someone with a phone with your carrier is connected to it, even though no actual carrier WiFi calls are possible when it's disabled.

            But, if you have never inserted a SIM, can WiFi calling be achieved? And are you any less exposed? Do your home network DNS and/or VPN settings, or your phone's DNS and/or VPN settings, make any difference to being identified by your home network WiFi provider?

            OpenSource-Ghost The only way around that is to connect to your own WiFi network that blocks carrier WiFi calling domains via local DNS server/forwarder (like Pi-Hole) and/or IPs to those domains.

            So, this whole thing can be circumvented via PiHole? With and/or without the presence of a carrier SIM? And are you saying this isn't optimal due to the lack of portability? Or something else? It would work ok for at home base, where ever it is that you set that up, though, right?

            And, would any of this carrier WiFi calling issue be mitigated by toggling off "Mobile data always active" in Developer options?

            My primary concern is that whilst Google and Apple are massive privacy invading whores, mobile carriers are worse, because it seems like there are ways to shut down Google, Apple and the like, but mobile carriers don't just know your number, your name (if you have to register your SIM with ID), where you are at any given moment, who you know and communicate and spend time with, your lifestyle choices and habits, etc., they also collect and store every conversation and every text and every picture or video you send! In my mind they are the worst! I know, if I choose to use a cellular device for telecommunication, there's not much that can be done to keep certain aspects out of their servers, but it would be great to be able, at a bare minimum, to keep conversations, and conversational content, from them. So, is this goal achievable using services like Signal, and email? And can these be done with your phone, without a mobile carrier? And/or with a mobile carrier? What even ARE our options? It seems awfully bleak.
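Added example, not from the thread or from GrapheneOS: a small Python script over a constructed dnsmasq/Pi-hole style query log that picks out the standardized ePDG discovery names a phone resolves for Wi-Fi calling (epdg.epc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org, per 3GPP TS 23.003), reports which carrier (MCC/MNC pair) each LAN client thereby revealed, and emits the dnsmasq sinkhole line that the Pi-Hole suggestion quoted above amounts to. Log lines, client IPs and the MCC/MNC values are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed dnsmasq/Pi-hole style query log (sample values, not a real capture).
# 3GPP TS 23.003 defines the ePDG discovery name resolved before Wi-Fi calling:
#   epdg.epc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org   (MNC zero-padded to 3 digits)
SAMPLE_LOG = """\
Apr 12 09:14:02 dnsmasq[812]: query[A] epdg.epc.mnc260.mcc310.pub.3gppnetwork.org from 192.168.1.23
Apr 12 09:14:02 dnsmasq[812]: query[AAAA] epdg.epc.mnc260.mcc310.pub.3gppnetwork.org from 192.168.1.23
Apr 12 09:14:05 dnsmasq[812]: query[A] time.android.com from 192.168.1.23
Apr 12 09:16:40 dnsmasq[812]: query[A] epdg.epc.mnc001.mcc262.pub.3gppnetwork.org from 192.168.1.40
Apr 12 09:17:01 dnsmasq[812]: query[A] example.org from 192.168.1.40
"""

EPDG_RE = re.compile(
    r"query\[(?P<qtype>[A-Z]+)\] "
    r"(?P<name>epdg\.epc\.mnc(?P<mnc>\d{3})\.mcc(?P<mcc>\d{3})\.pub\.3gppnetwork\.org) "
    r"from (?P<client>\S+)"
)


def find_epdg_lookups(log_text):
    """Return one dict per ePDG lookup: client IP, queried name, MCC and MNC."""
    hits = []
    for line in log_text.splitlines():
        m = EPDG_RE.search(line)
        if m:
            hits.append({"client": m["client"], "name": m["name"],
                         "mcc": m["mcc"], "mnc": m["mnc"]})
    return hits


def carriers_per_client(log_text):
    """Map each LAN client to the set of (MCC, MNC) pairs it revealed via DNS.
    The pair identifies the home carrier, which is what the Wi-Fi network's
    resolver learns even if Wi-Fi calling is switched off on the phone."""
    seen = defaultdict(set)
    for hit in find_epdg_lookups(log_text):
        seen[hit["client"]].add((hit["mcc"], hit["mnc"]))
    return dict(seen)


def dnsmasq_block_rule(mcc, mnc):
    """dnsmasq 'address=' line that sinkholes the ePDG name for one carrier.
    Pi-hole's FTL resolver is dnsmasq-based, so the same line works there."""
    return f"address=/epdg.epc.mnc{mnc}.mcc{mcc}.pub.3gppnetwork.org/0.0.0.0"


if __name__ == "__main__":
    revealed = carriers_per_client(SAMPLE_LOG)
    for client, pairs in revealed.items():
        print(client, sorted(pairs))
    for mcc, mnc in sorted({p for pairs in revealed.values() for p in pairs}):
        print(dnsmasq_block_rule(mcc, mnc))
```

The sinkhole rule also stops Wi-Fi calling from working on that network, so it belongs only on a network where that is the intended trade-off.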

              8 months later

              I tried to install wifi-calling to avoid roaming abroad. And I've just realized that it does bypass the VPN.

              To make GOS work with wifi-calling abroad, I had to install a VPN on a physical router. And connect GOS to my physical router.

              And then, as if by magic, wifi-calling worked.

              So it would be cool to prevent wifi-calling from bypassing the VPN. This would allow you to have an IP from the country where your operator is, and avoid roaming on wifi.

                16 days later

                gos-users Yeah, it's another by-design leak in the Android VPN implementation few know about.

                2 months later

                Anonymous Not sure if this is robust enough, so someone with more knowledge please correct me if I'm wrong, but the best option is to use an LTE router with a valid VPN on it.
                Assuming the router doesn't have the same weak spots as the phone, such as "carrier communications" being routed outside the tunnel/DNS.

                gos-users So it would be cool to prevent wifi-calling from bypassing the VPN. This would allow you to have an IP from the country where your operator is, and avoid roaming on wifi.

                It would be cool to have control of ALL connections of an OWNED device.

                Graphite But carriers fought that fight and won a long time ago.

                Not absolutely! It is still possible to obfuscate tethered data if the client device allows adjusting its TTL, like any Windows machine.

                Anonymous Not sure if this is robust enough, so someone with more knowledge please correct me if I'm wrong, but the best option is to use an LTE router with a valid VPN on it.
                Assuming the router doesn't have the same weak spots as the phone, such as "carrier communications" being routed outside the tunnel/DNS.

                edit:
                and assuming the LTE carrier won't categorize the setup as a tethered connection (if it would, maybe the router has an option to adjust the TTL to hide that it's sharing web access)

                Personally I'm only planning to implement the router setup and would greatly appreciate any concerns shared. It is out of scope of GOS obviously, but I thought this thread seemed the best place to ask due to the massive discussion above.