
GrapheneOS best security question

MrJones31

Newbie
Hello everybody, I am using GrapheneOS and only FOSS apps and I have a question. Recently I see some FOSS apps also have "trackers". I want to use a "firewall" like NetGuard to block internet connections from the apps that don't need it + TrackerControl to block the trackers from all the apps and OpenVPN to hide my IP address. But I can't use these 3 apps at once because the phone recognizes them all as a VPN. Does anyone have the solution for this for me?
 
Unfortunately you're right, Android only supports a single VPN connection at a time. And (without root, at least) the only way an app could block outgoing connections from other apps would be by creating a local VPN connection. (I'm going to assume that the root options are out of the question since your concern is about security.)

There are options, though, depending on how much additional work you want to do.

I recently deployed Pi-Hole on my home network which blocks advertising and tracking for the entire network. I also have an OpenVPN Access Server configured so I can access my home network remotely. The Pi-Hole acts as the DNS server for the VPN network so all the trackers and ads are still blocked. Of course, all my mobile activity still looks like it's coming from my home IP.

I'm somewhat less concerned about hiding my IP address for most things (and I've got ProtonVPN for when I am concerned about that). I could theoretically configure the VPN client on my router so that all outbound connections traversed through yet another VPN but, again, I'm not that concerned with that.
 
Thank you for your reply and good explanation. Is it not risky to put everything from home?

I also think what I want is not possible.
- block trackers (also in background apps)
- block selected apps from the internet, like agenda and phonebook etc.
- block apps from communicating with each other
- VPN for surfing the web
 
Not necessarily "not possible", but as codesplice already mentioned, it depends on how much work you are willing to put in.
You can block trackers/apps via pi-hole & possibly additional router firewall settings (in case some apps contact servers directly by IP).
You can find good pi-hole blocklists on GitHub, there are literally hundreds. Make sure the ones you pick are maintained.
To find out what additional domains/IPs need blocking, you could then inspect your traffic with Wireshark when opening apps you want to block.
The VPN part was also already mentioned by codesplice. You'd just have to set up your router accordingly.
When it comes to inter-app communication, I'm not sure. I think I recall reading something about GrapheneOS having a special way of spawning apps that prevents this... But I could be totally off on this... Maybe someone else knows more.
 
Thanks guys for the great tips! I am willing to put work in; some work is seriously worth it to protect my privacy.

It is just that I am an "average" user; I don't have a lot of tech knowledge like you guys. My router does have additional firewall settings, but it can only work if the app communicates directly with an IP address through my router or Pi-hole, right? Or does the Pi-hole work differently?

That said, is it not risky to put everything at "home" if I am routing my phone through my home even when I am outside?

Yeah, good advice about Wireshark; I can make a list of the trackers that way.

Yeah, GrapheneOS does really have a lot of things in it; I just don't know yet how to test everything out haha. I will start with the MAC address (from my router), whether it changes or not, and see how that works. And I don't know if it is true that the MAC address can be hidden from Big Data. Privacy and security orientation for me is especially important regarding Big Data. But I am not sure if GrapheneOS is truly the best alternative to Android/iOS. I just believe that it is and did not measure it yet.
 
but it can only work if the app communicates directly with an IP address through my router or Pi-hole, right? Or does the Pi-hole work differently?
The network from your phone's POV would look somewhat like this:
Phone->Home network ( -[DNS-Traffic]-> Pi-hole ) ->Router firewall[Blocks unwanted IPs] ->VPN-Provider->Internet

So the only VPN you would need to run on your phone would connect you to your home network.
All the filtering and connecting to your VPN-Provider would be taken care of by your home network configuration.
That said, is it not risky to put everything at "home" if I am routing my phone through my home even when I am outside?
How risky this is depends largely on what you do with it.
If you intend to do some cyberstalking on your phone, then it's risky even if you use a VPN.
But if you just do regular browsing, it's very unlikely a VPN company will ruin its reputation just to spy on that.
Of course it also depends on your definition of "risk".
If you find it risky to access the internet through the same IP with all your devices (for whatever reason you might think that), then it could be considered risky.
I personally don't think it's risky (unless you're doing lots of illegal stuff online).
Especially when you use a VPN+Pi-hole+Router Firewall to block all unwanted connections...
But in the end, it's your call to make.
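As an added illustration (not code from the thread, from Pi-hole or from any router), here is a small Python model of the two-stage filtering described in this reply and in the earlier one about blocklists and Wireshark: Pi-hole only ever sees DNS queries, so an app that connects straight to an IP address skips it entirely and only the router's IP-level rules can still catch it, which is exactly the gap a Wireshark look at the remaining traffic is meant to reveal. All domains, addresses, apps and the parent-domain matching rule are constructed assumptions.

```python
import ipaddress

# Constructed illustration: no domain, address or app below comes from the thread.

# hosts-format blocklist, the list format Pi-hole accepts for its gravity lists
BLOCKLIST_HOSTS = """\
0.0.0.0 tracker.example-analytics.net
0.0.0.0 ads.example-social.com
"""

# Destination ranges the router firewall drops regardless of DNS; 203.0.113.0/24
# is a documentation range standing in for a tracker's address block.
FIREWALL_BLOCK_CIDRS = ["203.0.113.0/24"]

# Outbound connection attempts as apps would make them. host=None means the app
# connected straight to an IP address, so no DNS lookup ever reached Pi-hole.
ATTEMPTS = [
    {"app": "weather", "host": "api.weather.example", "ip": "198.51.100.10"},
    {"app": "weather", "host": "tracker.example-analytics.net", "ip": "203.0.113.5"},
    {"app": "social", "host": "cdn.ads.example-social.com", "ip": "203.0.113.9"},
    {"app": "social", "host": None, "ip": "203.0.113.20"},
    {"app": "social", "host": None, "ip": "192.0.2.33"},
]

def parse_hosts_blocklist(text):
    """Return the set of domains listed in a hosts-format blocklist."""
    blocked = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            blocked.update(p.lower() for p in parts[1:])
    return blocked

def dns_blocked(host, blocked):
    """DNS-level check. Pi-hole's plain list matches the queried name exactly;
    also matching parent domains is an assumption standing in for a wildcard or
    regex entry, which is how subdomains of a listed tracker are usually caught."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def firewall_blocked(ip, cidrs):
    """IP-level check at the router: is the destination inside a dropped range?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def filter_attempt(attempt, blocked, cidrs):
    """Apply both stages in the order the traffic meets them on the way out."""
    if attempt["host"] is not None and dns_blocked(attempt["host"], blocked):
        return "blocked by Pi-hole (DNS)"
    if firewall_blocked(attempt["ip"], cidrs):
        return "blocked by router firewall (IP)"
    return "allowed -> VPN provider"   # what is left over is what Wireshark would show

def run(attempts=ATTEMPTS, hosts_text=BLOCKLIST_HOSTS, cidrs=FIREWALL_BLOCK_CIDRS):
    blocked = parse_hosts_blocklist(hosts_text)
    return [(a["app"], a["host"] or a["ip"], filter_attempt(a, blocked, cidrs))
            for a in attempts]

if __name__ == "__main__":
    for app, dest, verdict in run():
        print(f"{app:8} {dest:32} {verdict}")
```

The last attempt (a direct connection to an address in no dropped range) is allowed through, which is the case neither stage can see and the one that must be added to the router rules by hand once spotted.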
 
I will start with the MAC address (from my router), whether it changes or not, and see how that works. And I don't know if it is true that the MAC address can be hidden from Big Data.
GrapheneOS (and stock Android, for that matter) has an option to advertise a bogus MAC when you connect to a new network. That's handy to prevent public WiFi providers from being able to track that particular device identifier as you move between networks. There's not really much point in worrying about the MAC on your home network though. MAC addresses don't travel beyond the "next hop" network, they're only useful within a single network segment. In other words, your MACs don't leave your home.

It's admirable to be concerned about your privacy and security, but it's equally important to be sure you understand the minute details that you're obsessing over.

But I am not sure if GrapheneOS is truly the best alternative to Android/iOS

I do really like GrapheneOS. It's a very polished project with a clear emphasis on privacy and security. If those are your primary concerns, I think it's about the best option out there. I keep it running on one of my spare phones. Unfortunately I'm just too tied in to Google's services to be able to use something like GrapheneOS full time. I instead take smaller steps to maintain control over what data I share with whom, and for what purpose.

CalyxOS is another solid security-minded option, and it provides a bit better support for integrating with Googly things while still maintaining your privacy. That might be another OS to explore if you're still in the experimenting phase.

There's pretty much always going to be a sliding scale between privacy+security and convenience. Like @9cc3985ae3094d8b said, it's your call to decide where you sit on that scale.
 
Thank you for your great explanation.
I understand now what it would look like. So all my things at home will also run on the same VPN, right? Like TV, laptops, PS4 etc.

I am a regular browsing person and do nothing illegal so that is not a problem, but I mean, is it not risky, like if somebody hacks my phone or TV or PS4, do they have access to everything as the IP addresses are all the same?

And blocking connections would be really crazy haha; I just saw the trackers from TrackerControl and I am talking about literally hundreds of trackers. Especially Google and Facebook trackers, despite me not using Google on the GrapheneOS phone.
 
I understand, so it is harder for Big Tech to follow me "outside", like via WiFi triangulation? And you also see on the stock OS that despite WiFi, Bluetooth and location being disabled they still give all the information to Google and other trackers. I hope Graphene does not have the same. If Google can still track me, like where I am, what my shopping behavior is, then there is no need to use Graphene and I'd better use my stock Galaxy S20 instead of the Pixel 4. I don't know if you have ideas about how they can track me on Graphene?

You can also use a lot of Google services using the Aurora Store in Graphene. I downloaded some apps but cloned them to another profile with "Insular" so if necessary I can use those apps. If the profile is off, then these apps do not have the possibility to connect to the internet. But you never know; maybe the apps record everything and then when I connect they send everything.

I was thinking to use the "Android" phone as a second phone just at home (I have my own office at home and work from home) so that phone doesn't have to leave the house, and I will use Graphene as the main phone. If you think I am putting in too much effort for nothing because they can also track me another way, please tell me so haha.
 
all my things at home will also run on the same VPN, right?
Right.

if somebody hacks my phone or TV or PS4, do they have access to everything as the IP addresses are all the same?
This is a complicated issue, but to be brief: No. It's not like "hack one device and get the rest of them for free".
But you are right in that your other devices are at greater risk once one of them got hacked/infected.
Still, this has little to do with them using the same IP.

And blocking connections would be really crazy haha; I just saw the trackers from TrackerControl and I am talking about literally hundreds of trackers. Especially Google and Facebook trackers, despite me not using Google on the GrapheneOS phone.
That's why you should probably use a premade blocklist (they contain thousands of ad-/spy-/malware-domains) with Pi-hole and then possibly check with Wireshark which unwanted connections are still left.
If you wanna go really crazy, I've heard of people blocking companies by ASN (= autonomous system number). This means, blocking all connections to all known servers of a company. When talking Google, this WILL break lots of websites. Don't know how severe the impact of a Facebook block would be; I've never dabbled in this.
 
I understand, so it is harder for Big Tech to follow me "outside", like via WiFi triangulation?
AFAIK your MAC address has nothing to do with WiFi triangulation. To avoid WiFi triangulation you'd either have to trust that, once WiFi has been switched off, your device really doesn't scan for WiFis anymore or you'd have to use something like a faraday pocket to shield it from the waves of the WiFis around you.

I hope Graphene does not have the same.
Graphene is literally the current gold standard of mobile privacy/security. It certainly wouldn't be, if it handed all your data over to Google/trackers.

But you never know, maybe the apps record everything and then when i connect they send everything.
That's why you should stick to FOSS apps (f-droid) whenever possible!
 
AFAIK your MAC address has nothing to do with WiFi triangulation. To avoid WiFi triangulation you'd either have to trust that, once WiFi has been switched off, your device really doesn't scan for WiFis anymore or you'd have to use something like a faraday pocket to shield it from the waves of the WiFis around you.

I understand, so it is about trust in GrapheneOS, and I have trust in it. A lot of people are using GrapheneOS and have experience and have checked how it works. The con side of a Faraday pocket is that you are not connectable at all. Not only WiFi.

Graphene is literally the current gold standard of mobile privacy/security. It certainly wouldn't be, if it handed all your data over to Google/trackers.

I also think Graphene is at this moment the perfect OS for privacy.

That's why you should stick to FOSS apps (f-droid) whenever possible!

Yeah, I only use FOSS apps, except in the other profile with the Insular app. The app created a "clone" of the apps from Aurora and it only works when I turn it on. Otherwise it will block everything; I tested the connection out with Signal. But do you think that, without an internet connection and with Insular making a separate "closed" profile, the apps can still grab some of my data? If yes, then is it better to delete them and use Graphene as the main phone with the Android phone in a Faraday pocket and only use it when necessary? And what if it is safer not to use the Aurora apps on Graphene? Do you think it is safe for privacy if, when necessary (like a parking app or bank payment etc.), I connect the Android phone outside via a hotspot on my Graphene? Or is it not smart to connect the two phones to each other?
 
I am sorry, I am new here and using my phone; I am not using the "quote" well. If you want I can post it again?
 
I'm not sure I understood every question correctly, but I tried my best:
do you think that, without an internet connection and with Insular making a separate "closed" profile, the apps can still grab some of my data?
Apps isolated by Insular shouldn't be able to grab your personal information. But AFAIK they will still be able to grab device-specific information (like your IMEI).

If yes, then is it better to delete them and use Graphene as the main phone with the Android phone in a Faraday pocket and only use it when necessary?
This is up to you. But given how privacy conscious you are, you should probably go with the Graphene as main phone.

And what if it is safer not to use the Aurora apps on Graphene?
It most certainly is safer not to use aurora apps - in general. Simply because of their proprietary nature.

Do you think it is safe for privacy if, when necessary (like a parking app or bank payment etc.), I connect the Android phone outside via a hotspot on my Graphene?
Other than the facts that
1. no WiFi AP can log your Android phone's MAC
and
2. all apps on the A-phone that like to log the MAC of the connected WiFi will log a randomized/useless MAC (if Graphene is set up this way),
I see no real privacy benefit in this.
This is still not an effective tool against WiFi triangulation, because your phone will still gather the MACs of all other surrounding WiFis.
And if your necessary apps phone home, all data they gathered still runs off to the companies.
Of course, when combined with Insular, the data they are able to gather is limited.
In this regard, I don't think there is much of a difference between connecting the A-phone through Graphene or connecting it directly.

Or is it not smart to connect the two phones to each other?
In theory, by connecting the phones, malware could spread from one to the other.
But again, it depends on you and how likely you find such a scenario.
You should probably do a lot of reading on the threats you find the most important/areas where you see yourself at risk.
That way you gain an understanding of what to do/avoid and a general sense of how likely certain things are/how much effort adversaries would have to invest.
You really need to figure out your own, personal threat model. There is no one-size-fits-all solution.
 
Thank you very much again for your great advice!!

The things you mentioned make sense to me, and I will search for more information about the important areas where I want to keep my privacy.

I still have one question haha. In GrapheneOS it says it randomizes MAC addresses. GrapheneOS also mentions that it does not do WiFi triangulation. So in fact this means every time I connect via WiFi it looks like it is a new phone, right? Or does it not work that way? Because I think the Big Tech companies can still find my IMEI number (maybe more work) but still possible, right?

And the second question is: what if I don't connect via WiFi and only via 4G/LTE? Does it still create randomized MAC addresses? And what are the pros and cons of working with WiFi / a WiFi "small hub" versus directly from a prepaid card 4G/LTE?

Thank you very much.
 