FR: ConnectivityManager hide VPN

hypnotist5329

Hello. I would like to start discussion for new privacy feature - ConnectivityManager caps per app/global filter.

Context: some state-wide censors are starting to actively probe user's device capability from their controlled apps which are forced to be installed/used. Reference

One of the methods they are recommending is to detect VPN connection.

Problem: its very trivial to detect if there is any VPN active just by querying ConnectivityManager caps. Event when you have split tunneling enabled for some apps - masking IP address)

Proposed solution: masking of certain capabilities on the App or OS level. Preferably on App level as OS wide might break some network apps (including VPNs).

Workaround: having a separate device w/o tunneling specifically for compromised apps. Not practical and not accessible to wider audience.

I dont know if its possible or practical to implement in GOS currenly. I did not do any code research. I appreciate any feedback on this topic.

Oggyo

hypnotist5329 Workaround: having a separate device w/o tunneling specifically for compromised apps. Not practical and not accessible to wider audience.

What about a separate/dedicated User profile (or even Private Space) for such apps?
Every User profile has its own VPN settings separate from others.

jandolskismoustache

Oggyo

My personal experiments on OneUI shown that it leaks through second profile created by Shelter and even through so-called Knox Folder. So at least it doesn't help in default Android
A thread from two years ago confirms an issues existed on Graphene back then

So I guess it's still here

Roaming4231

Oggyo will not work, tried it already. All apps can see that VPN is enabled no matter where VPN is (private space, different profile) or the app.

Currently internet toggle blocks all internet traffic (local and remote). I suppose GOS can try to split this toggle into 2: Internet access and Localhost access, but I'm not sure if this will stop apps from scanning network interfaces.

Or somehow limit ability of apps to get all available network interfaces, like with storage and contact scopes.

Note that I'm not an Android developer and just want this conversation to reach GOS team so they will say something about this problem.

ORESHNIK

I can agree with it, this would be good option for some contryes with VPN censor, the large big companyes was forced to install and scan active tun connections on device with ConnectivityManager command

jandolskismoustache

I booted up my agonizing old realme phone and tried it with a feature called "system cloner". This time it hides everything. I guess it works on the lower level by creating a separate (to some extent) Android installation. That can be a potential feature, however it comes with a price of main system being inactive. It also supports a separate graphic key for this system, which can be used to switch from the lock screen.

ORESHNIK

jandolskismoustache its deep work with iptables and network architecture inside separate profiles, Grapheneos cannot manage

Oggyo

Roaming4231 will not work, tried it already

I see. Thanks for confirming.
Maybe it's similar to what de0u showed here - https://discuss.grapheneos.org/d/13167-how-can-secondary-profiles-detect-that-the-main-profile-uses-a-vpn/2

Roaming4231

Oggyo Yes it is. Apps are using Android's NetworkManager (or something like that, don't remember exact name) to get info about network interfaces.
This info is shared across all profiles and private spaces.

Roaming4231

I translated good article about this problem: https://github.com/mitsuha44/how-and-why-russian-apps-search-for-vpns-on-users-phones/blob/main/README.md

Key takeaway:

The analysis found that 22 out of 30 apps detect VPN usage, and 19 of them send VPN status to their servers.

Russian apps are not "hacking" android, all of this can be done by any app in any country. I think that any OS should protect against such "threats" and don't give so broad permissions to apps without user interaction.

de0u

Roaming4231 I think that any OS should protect against such "threats" and don't give so broad permissions to apps without user interaction.

So far I don't think it's at all common for operating systems to conceal network connectivity information from apps. Perhaps over time that will become the standard. But meanwhile there is an inherent tension when users wish to run apps that want to do things that the users believe are malicious. While it's possible for an OS to deny access to, or spoof, certain information, in a world with remote hardware attestation of which OS is running, apps can just refuse to run unless they're on an OS that is willing to provide whatever information they demand. This conflict isn't really winnable by users.

At some point it might be better to not run the app, or to run the app on a dedicated device.

hypnotist5329

de0u So far I don't think it's at all common for operating systems to conceal network connectivity information from apps.

I cant speak for all of OSes, but at least Linux gives you a very granular control over what you expose to the app via namespaces and cgroups. Its possible to isolate app from probing non-related network. Only privileged user/group can see all of them.

de0u At some point it might be better to not run the app, or to run the app on a dedicated device.

I understand it might be hard to imagine, but there are situations where it's not a choice to not to use those apps.

de0u

de0u So far I don't think it's at all common for operating systems to conceal network connectivity information from apps.

hypnotist5329 I cant speak for all of OSes, but at least Linux gives you a very granular control over what you expose to the app via namespaces and cgroups. Its possible to isolate app from probing non-related network. Only privileged user/group can see all of them.

For sure it's possible. And Android is a Linux, so it's possible for Android to, and perhaps Google will get around to that or perhaps the GrapheneOS developers will. But is this commonly done on Linux distributions?

de0u At some point it might be better to not run the app, or to run the app on a dedicated device.

hypnotist5329 I understand it might be hard to imagine, but there are situations where it's not a choice to not to use those apps.

Actually I already imagined it, which is why I wrote "or to run the app on a dedicated device". Because of remote hardware attestation, no matter which features the GrapheneOS developers might add to GrapheneOS, the authors of apps like that could just refuse to run the apps on GrapheneOS.

ORESHNIK

There is new research by Russian company made about 30 Russian apps from gov and banks to maps and delivery, all of them uses different methods to track the vpn using and other things such of apps list. https://habr.com/ru/news/1021908/