My team and I are engaged in human rights work in one authoritarian country, and privacy is important to us at every stage of using the applications.
This post was compiled at the request of our technical director.
This post is based on personal observations, and does not contain misinformation (we have observed such comments in some other messages from other users on this forum).
- We are forced to use insecure applications (no way to use the web version because of limited functionality) from a developer from our country (government controlled) in our work, but we have installed these applications in a separate profile with a VPN that is reliable and trusted by us.
While monitoring the DNS activity of our router, queries were found for domains that belong to applications from a secondary profile protected by VPN.
That is, these requests were processed and bypassed the VPN.
These requests were intercepted by us using the RethinkDNS app (from F-Droid) and are related to the "Intent Filter Verification Service" application.
For example, requests to Google Maps (safe, not a problem): https://imgur.com/a/dmW5Lj4
A threat to our privacy (requests sent outside the VPN) is requests to the addresses of applications that work in an additional profile. That is, the application is installed in a secondary profile, and the request was sent mainly through the "Intent Filter Verification Service".
As you can see in the 3 screenshots posted at the link https://imgur.com/a/Um0XA3s , this application accesses (HTTPS) various addresses in the MAIN profile, which can ONLY be on the Android secondary profile, which is protected by VPN (WireGuard official application and "always on VPN" enabled).
As you can see, a personal link (OAuth token; you can see it on the next screenshot) is also accessed, which unambiguously allows the application developers to see my real IP.
Our technical director asked to write about this vulnerability here. And we had to physically destroy working mobile phones and partially accounts in order to protect our privacy.
As we were able to find out, the problem is in the "Open by default" function.
For some reason, the specified application accesses the addresses specified in this function, even those set in other user profiles through the main Internet connection of the main profile, thereby passing traffic directly.
Also, as you can see in the screenshot, some applications have personal OAuth tokens that refer to a specific person, which immediately allows you to identify his IP address.
Scheme of the problem: Secondary Profile App "Open by Default" domains -> HTTPS requests (at least on reboot, but possibly every few days or weeks) through "Intent Filter Verification Service" in MAIN profile -> Router (without VPN)
Also, we tested security and anonymity when using a VPN and found the following:
Any application can find out which mobile operator is installed on the phone. This in itself does not pose a privacy threat, but allows the attacker to shorten the search.
Are there any plans to fix this problem?
Any application can (and does) get a list of active (and disabled) network interfaces. The router (Wi-Fi) is not particularly important, because 192.168.* does not allow you to deanonymize a user.
However, the rmnet mobile adapter uses a UNIQUE local IP address, which the mobile operator probably also sees (not sure about it).
If an attacker compares the data on the name of the mobile operator and the unique local IP, the head of the mobile operator can easily share information about the user with interested parties (since in our country registration of SIM cards is carried out by passport and absolutely every action is logged). This is an absolute threat.
Is this local IP address visible to the mobile operator or not?
If visible, do you have any plans to proxy such connections and display fake data about network interfaces for applications?
Do you have any plans to build an application firewall?
I mean additional protection in case "always on vpn" does not help (for example, when the VPN application was accidentally deleted or when it was unsuccessfully updated, or was disabled in case of a technical error).
We had this problem one time...
A firewall, for example, with the ability to disable / enable Internet access for Wi-Fi / Mobile / VPN.
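The leak path described in the post (the "Open by default" domains of an app in a VPN-protected profile being contacted by the verification service from the main profile) can be checked for on your own router logs. The following is an added example, not code from the post's author or from any project the post mentions. It reads an app's AndroidManifest.xml, lists the hosts in intent filters marked `android:autoVerify="true"` (these are the domains the platform contacts at `/.well-known/assetlinks.json` during app-link verification), and then scans router DNS log lines for queries to those hosts. Because a profile under always-on VPN should only ever reach the router as encrypted tunnel packets, any plaintext DNS query for one of those hosts seen at the router is evidence of the bypass. The manifest, package name, domains and dnsmasq-style log lines are all constructed for the example; the log format is an assumption.

```python
"""Added example: list app-link (autoVerify) domains from an Android manifest
and flag router-side DNS queries for them."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest for a hypothetical app; the package and domains are not real.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.messenger">
  <application>
    <activity android:name=".LinkActivity">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="links.example-messenger.test"/>
        <data android:scheme="https" android:host="share.example-messenger.test"/>
      </intent-filter>
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="myapp" android:host="open"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

# Constructed dnsmasq-style router log lines (format assumed); one device, 192.168.1.23.
SAMPLE_DNS_LOG = """Jan 12 07:01:03 dnsmasq[812]: query[A] connectivitycheck.gstatic.com from 192.168.1.23
Jan 12 07:01:04 dnsmasq[812]: query[A] links.example-messenger.test from 192.168.1.23
Jan 12 07:01:04 dnsmasq[812]: query[AAAA] links.example-messenger.test from 192.168.1.23
Jan 12 07:01:09 dnsmasq[812]: query[A] vpn-endpoint.example from 192.168.1.23
"""

LOG_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+) from (?P<client>\S+)")


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def autoverify_hosts(manifest_xml):
    """Return the hosts of intent filters with autoVerify="true" and an http/https
    scheme. These are the "Open by default" domains the platform verifier will
    contact; custom-scheme filters (myapp://) are ignored because they are never
    verified over the network."""
    root = ET.fromstring(manifest_xml)
    hosts = set()
    for flt in root.iter("intent-filter"):
        if _attr(flt, "autoVerify") != "true":
            continue
        schemes = {_attr(d, "scheme") for d in flt.iter("data")}
        if not schemes & {"http", "https"}:
            continue
        for d in flt.iter("data"):
            host = _attr(d, "host")
            if host:
                hosts.add(host.lower())
    return sorted(hosts)


def assetlinks_urls(hosts):
    """The URLs app-link verification fetches for each host."""
    return ["https://%s/.well-known/assetlinks.json" % h for h in hosts]


def leaked_queries(log_text, hosts):
    """Return (client, qtype, qname) for every router-side DNS query that names a
    watched host or a subdomain of one. For a device whose app lives in a profile
    under always-on VPN, the expected count is zero."""
    watched = set(hosts)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname in watched or any(qname.endswith("." + h) for h in watched):
            hits.append((m.group("client"), m.group("qtype"), qname))
    return hits


if __name__ == "__main__":
    hosts = autoverify_hosts(SAMPLE_MANIFEST)
    print("Verifier will contact:", assetlinks_urls(hosts))
    for client, qtype, qname in leaked_queries(SAMPLE_DNS_LOG, hosts):
        print("LEAK: %s asked the router for %s (%s)" % (client, qname, qtype))
```

To apply this to a real device, pull the manifest of the app in question with a tool that decodes APK resources, feed it to `autoverify_hosts`, and run `leaked_queries` over the router's DNS log for the device's LAN address; any hit is traffic that left the device outside the tunnel.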