RethinkDNS in private Space starts deactivated ?!?

starbright

With recent GOS 16, Patch 3/1 and recent RethinkDNS 5.5t from Fdroid I observe this:
When open the private space I get a warning that Rethink (in private space) gets deactivated.
Why? Do you observe same behaviour?
I mean in private space you have usually your "talking" apps, they should be blocked right from beginning.

As a normal owner this is not happening. So what might be the difference?

Onlyfun

starbright
Is it a notification that rethink is deactivated when you open private space for the first time after turning on(or restarting) the phone? Then if you lock the private space and then unlock it again what's rethink dns status?

what is rethink dns status(not in private space, in regular owner profile) upon restart the phone ? Don't you get a similar 'rethink DNS is deactivated' notification ?

For me on first unlock from BFU (in owner profile, not private space)rethink dns(starting with version 55t) is always deactivated and I have to open the app and press the blue start button on bottom of screen. I believe this behavior is design flaw in rethink dns(prior versions did start automatically upon phone restart).
I have not set it private space and wont guarantee I know how it should work there. But I have a feeling that issues are related.

In general I want to add that as long rethink dns is a brilliant concept it dose have heavier flaw such as leaking dns, you might want to pay some attention here as well.

DeletedUser728

starbright Do you observe same behaviour?

No, I don't, starts ok v055u, experimental feature "auto-start" not used (why should I if it works ok)

ignoramous

Onlyfun I believe this behavior is design flaw in rethink dns(prior versions did start automatically upon phone restart).

Yes. Unfortunately, we don't have a GrapheneOS test device to know why this happens, but we have tried to guesswork fix this in v055v, the upcoming version due in the coming days/weeks.

siberianworker200

Disable Configure > Settings > Auto-start on power-up setting and try again.

starbright

siberianworker200
Seems to work (at least in Private space - need to test in main profile as well).
But hey - I need to configure the opposite to what I want? That's weird. Any explanation?

starbright

From my previous phone I found that Rethink starts activated after boot.
Now I test this on GOS, rebootet and: right - it is not active, you need to open the app and press the blue button.
So in that way it behaves same in private space - but same terrible.
Why it won't start activated automatically?

Workaround, before reboot you need to go to flight mode and after reboot enable Rethink before enabling network.
While a reboot is not so often with normal user, it is not a good option for private space, isn't it?

I'll restarted my previous non GOS phone to check - and voila - it starts in protected mode on. !?!?
So it is a GOS issue than?

@Onlyfun : what's BFU?

Onlyfun

starbright

 what's BFU?

TLDR:

Term meaning phone has not been unlocked since powered On.


Most user's data on phone is protected by very strong encryption, believed to be not possible to decrypt. Most important part of encryption is the key used to encrypt/decrypt, this key is protected by pass code and a second pass code (a token or what ever it's called). Pass code is user based, second pass code is pixel based(contained in phone). When user enters pass code it is combined with second pass code then decryption key is provided that decrypts user's data and it becomes available.

BFU - Before First Unlock - is a term used to describe a phone's state for a period when phone has been powered On, but pass code to unlock it has not been entered. I would also apply it to when the phone is off.

Before First Unlock is considered most secure state of the phone, because  most user data on it is heavily encrypted and even if bad guys take a copy of this data to put lives on decrypting attempts they wont succeed.  Regardless of pass code complexity. That is assuming phone is a Pixel and BG cant hack or work around the security chip Titan M and are not lucky enough to just guess the pass code. Not to rely on lack of their luck or technical preparedness  use a >90 bit entropy pass code.

Then there is AFU - After First Unlock, this starts right upon entering pass code usually a phone is in this state. It is considered a lot more vulnerable to bad guys since in AFU the actual key to encryption of most user data that decrypted the data for phone become usable is kept in phone's memory. AFU state provide an additional option of decryption, no pass code, fuck security chip - they can try extract the key directly from memory and decrypt data..

AFAIK Auto reboot feature makes exploiting AFU hard, since it shrinks the AFU to as low as 10 minutes(default set to 18 hours).
Implementing emory encryption would erase AFU security concern completely, someone more knowledgeable please correct if I'm wrong.

Hopefully we'll get with Graphene own designed phone.

Elysium

starbright From my previous phone I found that Rethink starts activated after boot.

Using the old release version still, it behaves like that. Even if I turn off Auto-Start on Power up and restart, it will already be active. Even private space is always active as soon as I open, which I don't even want.

siberianworker200

Yes, you'll need to configure it the opposite in private spaces or work profile for now. It's an experimental setting in a pre-release version (v0.5.5t), so bugs like this are to be expected.

DeletedUser728

siberianworker200 Yes, you'll need to configure it the opposite in private spaces or work profile for now. It's an experimental setting in a pre-release version (v0.5.5t), so bugs like this are to be expected.

Why do people enable some experimental features without checking if they need them in the first place...

Novalissoide

ignoramous we don't have a GrapheneOS test device

Whaat? No supported Pixel6 or later?

DeletedUser728

Elysium Even private space is always active as soon as I open, which I don't even want.

Weird. Do you have RDNS as "always-on" in Android vpn settings?

Leono

I had issues with Rethink DNS auto starting.... until reading this thread...unchecked auto start experimental feature and now rethink auto starts all the time (as desired). I am on version (u). Thanks!

Novalissoide

Leono unchecked auto start experimental feature and now rethink auto starts all the time

Confirmed. Thanks a lot.
It works!
😊