Hello!
My team and I are engaged in human rights work in one authoritarian country, and privacy is important to us at every stage of using the applications.
This post was compiled at the request of our technical director.
This post is based on personal observations, and does not contain misinformation (we have observed such comments in some other messages from other users on this forum).

  1. We are forced to use insecure applications (no way to use the web version because of limited functionality) from a developer from our country (government controlled) in our work, but we have installed these applications in a separate profile with a VPN that is reliable and trusted by us.

While monitoring the DNS activity of our router, queries were found for domains that belong to applications from a secondary profile protected by VPN.

That is, these requests were processed and bypassed the VPN.

These requests were intercepted by us using the RethinkDNS app (from F-Droid) and are related to the "Intent Filter Verification Service" application.
https://i.imgur.com/F4k3wws.jpg

For example, requests to Google Maps (safe, not a problem): https://imgur.com/a/dmW5Lj4
The threat to our privacy (requests sent outside the VPN) is requests to the addresses of applications that run in an additional profile. That is, the application is installed in a secondary profile, and the request was sent mainly through the "Intent Filter Verification Service".

As you can see in the 3 screenshots posted at the link https://imgur.com/a/Um0XA3s , this application accesses (HTTPS) various addresses in the MAIN profile, which can ONLY be in the Android secondary profile, which is protected by VPN (official WireGuard application with "always on VPN" enabled).

As you can see, a personal link (OAuth token; you can see it in the next screenshot) is also accessed, which unambiguously allows the application developers to see my real IP.

Our technical director asked us to write about this vulnerability here. We had to physically destroy working mobile phones and partially accounts in order to protect our privacy.
https://i.imgur.com/0Qmgx2S.jpg
https://i.imgur.com/I9EZ9Ct.jpg

As we were able to find out, the problem is in the "Open by default" function.
For some reason, the specified application accesses the addresses specified in this function, even those set in other user profiles, through the main Internet connection of the main profile, thereby passing traffic directly.
Also, as you can see in the screenshot, some applications have personal OAuth tokens that refer to a specific person, which immediately allows you to identify their IP address.
https://i.imgur.com/H2wxCx7.jpeg

Scheme of the problem: Secondary Profile App "Open by Default" domains -> HTTPS requests (at least on reboot, but possibly every few days or weeks) through "Intent Filter Verification Service" in MAIN profile -> Router (without VPN)

Also, we tested security and anonymity when using a VPN and found the following:

  1. Any application can find out which mobile operator is used on the phone. This in itself does not pose a privacy threat, but it allows the attacker to shorten the search.
    Are there any plans to fix this problem?

  2. Any application can (and does) get a list of active (and disabled) network interfaces. The router (wifi) is not particularly important, because 192.168.* does not allow you to deanonymize a user.
    However, the rmnet mobile adapter uses a UNIQUE local IP address, which the mobile operator probably also sees (not sure about it).

If an attacker compares the data on the name of the mobile operator and the unique local IP, the head of the mobile operator can easily share information about the user with interested parties (since in our country registration of SIM cards is carried out by passport and absolutely every action is logged). This is an absolute threat.

https://i.imgur.com/9DR9BtJ.jpg

Questions:

  • Is this local IP address visible to the mobile operator or not?

  • If visible, do you have any plans to proxy such connections and display fake data about network interfaces for applications?

  • Do you have any plans to build an application firewall?
    I mean additional protection in case "always on vpn" does not help (for example, when the VPN application was accidentally deleted or when it was unsuccessfully updated, or was disabled in case of a technical error).
    We had this problem one time...

Firewall, for example, with the ability to disable / enable Internet access for WIFI / Mobile / VPN

Thank you!

    gra_ki Is this local IP address visible to the mobile operator or not?

    No.

    if visible, do you have any plans to proxy such connections and display fake data about network interfaces for applications?

    Not applicable.

    Do you have any plans to build an application firewall?
    I mean additional protection in case "always on vpn" does not help (for example, when the VPN application was accidentally deleted or when it was unsuccessfully updated, or was disabled in case of a technical error).
    We had this problem one time...

    From what I can tell, GrapheneOS has no intention of patching the DNS problem, but you could mitigate it with a custom DNS provider. See System Settings --> Network & internet --> Private DNS

      csis01
      From what I can tell, GrapheneOS has no intention of patching the DNS problem, but you could mitigate it with a custom DNS provider. See System Settings --> Network & internet --> Private DNS

      Hello. I have no messages about DNS problems. What did you mean?

      Please read https://grapheneos.org/usage#app-link-verification about intent filter verification. Packages are installed globally and intent filter verification is done by the OS package manager globally. The verification success applies across profiles. This is not the apps running code and making connections. We have a section on it because it's not intuitive and is often mistaken for the apps making the connections.

      There are features filed about spoofing country code, carrier, etc. for apps. Network interfaces are also known to be available to Android apps but we don't currently have a plan for how to change that since it's a coarse Linux kernel API with the data exposed in a virtual text file format so it would be painful to partially hide some of it.

      Do you have any plans to build an application firewall?

      There is a firewall, and these things are not a lack of a firewall.

      Firewall, for example, with the ability to disable / enable Internet access for WIFI / Mobile / VPN

      There is a firewall. There are no separate per-interface toggles rather than the Network permission because the infrastructure to do it without leaks isn't available. We're aware of the leaky implementation of those toggles elsewhere. It is not an appropriate approach for us.

        gra_ki While monitoring the DNS activity of our router, queries were found for domains that belong to applications from a secondary profile protected by VPN.

        That is, these requests were processed and bypassed the VPN.

        Your whole issue was ABOUT DNS.

          csis01

          Your whole issue was ABOUT DNS

          No, it is not about DNS.
          You could read strcat's reply about it.

          gra_ki I have the same domain yx22d873ed2ea14b93a36a0f5a07026458.oauth.yandex.ru in the "Open by default" section of my installation of Yandex Go app. My guess is that this domain does not identify you or me in any way, but the particular Yandex app in question.

          Also, I checked the documentation on App Links https://developer.android.com/training/app-links. It says that you have to declare App Links in the app manifest. Here is the part of Yandex Go manifest where they declare the domain in question.

              <activity
                android:theme="@7F130245"
                android:label="@7F12088E"
                android:name="com.yandex.passport.internal.ui.YxAuthActivity"
                android:exported="true"
                android:process="@7F1208CA"
                android:excludeFromRecents="true">
                <intent-filter
                  android:autoVerify="true">
                  <action
                    android:name="android.intent.action.VIEW">
                  </action>
                  <category
                    android:name="android.intent.category.DEFAULT">
                  </category>
                  <category
                    android:name="android.intent.category.BROWSABLE">
                  </category>
                  <data
                    android:scheme="https"
                    android:host="yx22d873ed2ea14b93a36a0f5a07026458.oauth.yandex.ru"
                    android:path="/magic-link/ru.yandex.taxi/finish">
                  </data>
                </intent-filter>
              </activity>

          This requirement of declaring App Links in the manifest provides a guarantee that every installation of an app from the same source will request to open by default the same domains. Therefore network requests from Intent Filter Verification Service to those domains won't be as much of a privacy issue.

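To make the mechanism strcat and wcnafuqe describe concrete, here is an added example (not code from the thread, GrapheneOS or Yandex) that parses a decoded AndroidManifest.xml and lists the hosts the OS package manager will contact for App Link verification: those in a VIEW + BROWSABLE intent-filter with android:autoVerify="true" and an http/https scheme. The sample manifest is constructed; the YxAuthActivity and its host are the ones quoted above, the second activity (example.DeepLinkActivity, example.invalid) is hypothetical and shows a filter that is not auto-verified.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree prefix for android:* attributes

# Constructed sample manifest: first activity/host as quoted in the thread,
# second activity is hypothetical (no autoVerify, so never verified).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="ru.yandex.taxi">
  <application>
    <activity android:name="com.yandex.passport.internal.ui.YxAuthActivity" android:exported="true">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https"
              android:host="yx22d873ed2ea14b93a36a0f5a07026458.oauth.yandex.ru"
              android:path="/magic-link/ru.yandex.taxi/finish"/>
      </intent-filter>
    </activity>
    <activity android:name="example.DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="example.invalid"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def autoverify_hosts(manifest_xml: str) -> list:
    """Sorted hosts that intent filter verification will contact for this manifest."""
    root = ET.fromstring(manifest_xml)
    hosts = set()
    for flt in root.iter("intent-filter"):
        if flt.get(A + "autoVerify", "false").lower() != "true":
            continue
        actions = {a.get(A + "name") for a in flt.findall("action")}
        cats = {c.get(A + "name") for c in flt.findall("category")}
        if "android.intent.action.VIEW" not in actions or "android.intent.category.BROWSABLE" not in cats:
            continue
        # Android merges all <data> elements of one filter: any web scheme makes every host verifiable.
        datas = flt.findall("data")
        if any(d.get(A + "scheme") in ("http", "https") for d in datas):
            hosts.update(d.get(A + "host") for d in datas if d.get(A + "host"))
    return sorted(hosts)


def assetlinks_urls(manifest_xml: str) -> list:
    """Digital Asset Links URLs the package manager fetches (always over HTTPS) during verification."""
    return ["https://%s/.well-known/assetlinks.json" % h for h in autoverify_hosts(manifest_xml)]
```

Running it against a manifest decoded from an installed APK shows exactly which domains the OS itself, not the app, will fetch during verification, which is the traffic seen leaving the main profile in the screenshots above.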

            wcnafuqe android:host="yx22d873ed2ea14b93a36a0f5a07026458.oauth.yandex.ru"

            I wonder if the part after "yx" is a commit hash, so they know how many people are running which versions?

              de0u It's a great guess! But, actually, it's not the case. The old version 3.162.0 from 2020 has the same domain declared in com.yandex.passport.internal.ui.YxAuthActivity.

                17 days later

                strcat
                Hello. Tell me please, could the mobile operator get the local rmnet0 IP address or not? https://i.imgur.com/9DR9BtJ.jpg
                I see no information about it on the internet.

                If it can, then any application controlled by the government can collect these IP addresses and then compare them with data from a cell operator. This will be 100% deanonymization even when using a VPN and with absolutely all privacy options enabled.