Hello GrapheneOS Team,
I am writing to propose a paradigm shift in how GrapheneOS handles network routing for privacy-focused users. Currently, the Android VpnService API is a major privacy liability because it is "loud" by design, making it trivial for any app to fingerprint and restrict users based on their network security choices.
The Context:
In high-censorship regions like Russia, we have seen a leaked internal methodology (originating from "Roskomnadzor" - the state censorship body) that provides a unified approach for detecting VPNs/Proxies. This document is now being implemented by banking and service apps to deny access to users who protect their traffic.
The Flaws of VpnService:
The leaked methodology lists several triggers that current VPN apps cannot hide without Root:
- Direct Flags: Standard APIs report TRANSPORT_VPN and IS_VPN.
- Native Enumeration: Native calls like getifaddrs() reveal virtual interfaces (e.g., tun0, wg0).
- Routing & MTU: Apps detect route overrides and non-standard MTU values (e.g., 1350/1400).
- Latency Analysis (SNITCH): Comparing RTT to landmarks to detect distance-latency mismatches.
The Proposal: System-Level Transparent Proxy (TProxy) Provider
I suggest implementing a mechanism where a user-selected app can act as a TProxy Provider instead of a traditional VPN Provider. Instead of the app asking the OS for a TUN interface, it would register a local port (e.g., SOCKS5/HTTP) with the OS.
Technical Implementation:
- Kernel Interception: GrapheneOS would use nftables/iptables with TPROXY and fwmark at the OS level to intercept outgoing packets and route them to the app's local port at the socket level.
- Socket-level Redirection: This avoids creating any virtual network interfaces (tun0) and keeps the TRANSPORT_VPN flag set to false.
- OS Integrity: To the application-level networking APIs, the device appears to be on a clean, standard Wi-Fi or Cellular connection.
- DNS Stealth: DNS queries can be intercepted and routed through the same stealth channel, avoiding the "Fake-IP" (198.18.x.x) anomalies that current proxies often produce.
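To make the "Kernel Interception" step concrete, here is an added illustration of the nftables TPROXY + fwmark mechanism the proposal sketches. It is not GrapheneOS code and not the proposer's; it is a generic Linux ruleset. It assumes a provider app listening on 127.0.0.1 port 12345 with IP_TRANSPARENT set on its socket, a fwmark of 0x1 for steering, a second mark 0xff that the proxy sets on its own outbound sockets (SO_MARK) so they are not intercepted again, IPv4 only, and a routing table 100 for the policy route. One caveat it handles: the prerouting hook alone never sees packets the device itself generates, so locally originated traffic must first be marked in an output chain and re-routed through lo before TPROXY can divert it. Applying the rules needs root and a kernel with nf_tables TPROXY support; printing them does not.

```shell
#!/bin/sh
# Added example (not part of the original post): on-device transparent
# proxying with nftables TPROXY and fwmark. Port, marks and table number
# below are assumed values chosen for the illustration.

# Emit the ruleset as text; $1 = proxy port, $2 = steering mark,
# $3 = mark the proxy puts on its own sockets (loop breaker).
tproxy_ruleset() {
    port="$1"
    mark="$2"
    self_mark="$3"
    cat <<EOF
table inet tproxy_demo {
    # Destinations that must keep going out directly (loopback, RFC1918,
    # link-local) so LAN and local services are not pulled into the proxy.
    set bypass_v4 {
        type ipv4_addr
        flags interval
        elements = { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12,
                     192.168.0.0/16, 169.254.0.0/16 }
    }
    # Locally generated traffic: mark it so the policy route (ip rule below)
    # sends it back through lo, where the prerouting hook can TPROXY it.
    chain output {
        type route hook output priority mangle; policy accept;
        meta mark $self_mark return
        ip daddr @bypass_v4 return
        meta l4proto { tcp, udp } meta mark set $mark
    }
    # Re-injected (and any forwarded) traffic: divert to the proxy socket
    # without creating a tun/wg interface.
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        ip daddr @bypass_v4 return
        meta l4proto { tcp, udp } tproxy to :$port meta mark set $mark accept
    }
}
EOF
}

# Load the ruleset and install the policy route that delivers marked
# packets locally. Requires root; idempotent enough to re-run.
apply_tproxy() {
    port="$1"
    mark="$2"
    self_mark="$3"
    table="${4:-100}"
    tproxy_ruleset "$port" "$mark" "$self_mark" | nft -f -
    ip rule add fwmark "$mark" lookup "$table" 2>/dev/null || true
    ip route add local 0.0.0.0/0 dev lo table "$table" 2>/dev/null || true
}

# Usage: ./tproxy.sh show [port]   -> print the ruleset
#        ./tproxy.sh apply [port]  -> load it (root)
case "${1:-}" in
    show)  tproxy_ruleset "${2:-12345}" 0x1 0xff ;;
    apply) apply_tproxy "${2:-12345}" 0x1 0xff 100 ;;
esac
```

Two design points worth noting. First, the loop breaker: the proxy's own upstream connections must carry the 0xff mark (or be excluded by owner UID), otherwise its outbound packets are marked 0x1 in the output chain and fed back to itself. Second, this ruleset only covers the interface-level and flag-level triggers from the leaked methodology (no tun0, no TRANSPORT_VPN); the latency-analysis trigger is a property of where the traffic exits, not of how it leaves the device, and no routing trick changes that.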
Why GrapheneOS?
GrapheneOS already leads the way in anti-fingerprinting (IMEI/Serial obfuscation). Network state fingerprinting is the next frontier. By decoupling secure routing from the VpnService API, GrapheneOS can provide "User Agency" and prevent apps from "interrogating" the OS to find out if a user is protecting their traffic.
Without this, users in high-risk environments will be forced to choose between essential services and their fundamental right to privacy.
Thank you for your commitment to security and digital freedom.