rethinkdns dev here
these issues should be addressed in the OS in order to protect all Android users regardless of which apps they use.
Android's paranoid networking has always had an exception for System and OEM apps (which include Google apps). Most such bug fixes are unlikely to fix that core assumption. Some code refs: https://github.com/celzero/rethink-app/issues/224
The leak during tunnel reconnects is harder for us to mitigate in our app. We are still looking for solutions.
Android supports seamless handover between two TUN devices (on reconfiguration). It is tricky to get it right, but implementable.
They don't even allow disabling internet permissions on a flashlight app, the OS is run by an internet ad company so it makes sense.
GrapheneOS does if you're willing to take the plunge.
Take the plunge to not do any banking on your phone.
It's an unfortunate limitation for a device I own to be handicapped this way.
Your bank doesn't have a mobile website?
It does but have to use the app to deposit checks.
Go for a walk every day, and occasionally make your walk to an ATM?
You can also contact your bank and tell them that you want to be able to deposit checks via the Web site.
If enough people do this, and don't use the overly-proprietary app, the bank might listen.
There are workarounds, but it sounds annoying and a burden. What if the closest bank branch is an hour on foot away? Or the OP lives in a rural place and it's half an hour drive? I don't have this problem since my bank works with graphene, but I would reconsider using it if most applications I use refused to load.
Minor conveniences like this are not worth the complete erosion of privacy, in my opinion. Just go to the nearest ATM to deposit checks (who uses checks anymore, btw?) and use the site for everything else. Not everyone even has a smartphone, and out of those that do, many prefer banking on their laptop over their phone anyway, which incentivizes banks to create feature-rich websites. If the mobile site isn't any good, usually the "desktop site" isn't too difficult to navigate on mobile, if you need to.
there is (or at least can be) some risk tolerance within any so-called 'threat model.' but i absolutely take your point and agree with you.
nary the case but i suppose if i absolutely needed to access any finances from my mobile device, it certainly wouldn't be from one of said institution's own mobile apps, but via web browser.
I used to do home banking from my bank's website. Recently, they created a digital-only branch for customers who mostly do home banking and only rarely need to go in person to the bank. They asked their customers if they wanted to switch and offered services at the same or lower cost than before. I made the switch, but found out that unfortunately the new website lacks some functionalities that are only available from the mobile app. I guess they are assuming that most people would just use their phone anyway and didn't bother to reach feature parity between the website and the app, preferring the app.
crazy. it's remarkable to me that lawyers actually do explicitly, if not expressly, account for these kinds of technical decisions, ultimately made in surreptitious fashion by the business, when drafting usage terms. i.e., you would've (or, a lawyer determined, should've) been able to find notice of this change somewhere buried in the new service terms. i at least have faith in that much.
i hope you switched back, lol.
Not universally true, I use banking apps on my Pixel running the latest GrapheneOS. There is literally nothing I cannot do on my phone. I think it's possible that no US banks have apps that can be used as it seems a universal experience among Americans.
Do Android Auto and VoLTE / VoWiFi work on Graphene these days? I also remember Google Maps and Uber being extremely problematic
Using banking apps on a phone is dangerous because if your phone gets hacked (and the Linux kernel has an extremely large attack surface), the attacker gets access to both the app's session and SMS codes that are used to confirm operations. People who use banking apps must be crazy or don't care about their money.
Excluding phones, Linux desktop, and Windows which doesn’t have a better record in vulnerabilities, leaves out essentially MacOS!
My banking apps worked for me on GrapheneOS once I installed Google Play services.
Which flashlight app? As far as I know there is no official flashlight app (though recently there is a built in flashlight feature). How is Google responsible for a third party app that refuses to work without an internet access?
GP is saying that the Android permissions model requires giving Internet access to any app you install from the Play Store; there isn't a way for an app to request "zero permissions" (or rather, there is, but basic Internet access is a permission granted to all apps, even when zero additional entitlements are requested).
That said, this isn't unique to Android. At least as of a few years ago, iOS did more or less the same thing. (You can disable an app's access to the local network, but that's not the same thing as denying (or requiring an app to request) basic network connectivity).
Google doesn't let you deny permissions for most of them.
As I understand it, apps that use the internet still need an entitlement, it's just that the Google Play store no longer shows that one in the list.
That's what it is, I think. The Play Store doesn't show it in the list of permissions anymore.
still the same. Neither Alphabet nor Apple has any real incentive to change this (commercial incentivization to maintain it notwithstanding).
That's exactly the point that is being made, yes.
The hypothetical flashlight app that was used as an example to demonstrate the problem of not being able to take away the permission to access the internet from an app.
Thank you, I missed the point of GP clearly. I use GrapheneOS and forgot you can't deny network access to an application in a "regular" Android.
It's just an example of an app that doesn't need internet access, yes flashlight is so useful it is built in to basically all phones now.
Can you link to the documentation explaining how developers disable Internet permissions on iOS?
Or any other operating system...
Third party app firewalls exist for at least macOS and Linux distros. It’s likely built in to the system as well, but you’d have to wrangle the command to do it in the terminal.
Depending on how blurry you draw the line of OS:
docker run --network none
Unfortunately a race to the bottom is a bad thing, not an excuse
My network security requirements have nothing to do with iOS. Can't we just collectively drop OS tribalism?
Is android.permission.INTERNET not a thing anymore? Unlike iOS, Android at least used to have this one.
I sometimes wish I could just configure that per-app as a user. Frustratingly, on iOS it's possible only for mobile data, but not for Wi-Fi – why!?
IIRC, there's separate permissions for web access and unrestricted internet access. The former is only apparent if you look for it on install, and isn't something you can disable on most ROMs.
A possible answer is it’s not really a privacy setting but instead to save you from carrier data charges.
I agree that there should be an app firewall to the point I’m running an older phone w the checkm8 jailbreak to have a firewall.
FWIW GrapheneOS does (it asks you before installing any app)
As I understand, it installs a pseudo-VPN and passes traffic through it. I remember using a similar app (NoRoot Firewall), and it worked poorly and couldn't block everything I wanted.
That hypothetical Flashlight app, that uses location permission, would have never been approved in the first place.
https://support.google.com/googleplay/android-developer/answ...?
This is about the continuous background location permission. In the past years they have cracked down on this, yes. But nothing forbids you from requesting the foreground approximate or fine location permissions.
So yes, this hypothetical flashlight app can request the permission. The user has to allow it in some way - approx or precise, one-time or always. But also nowadays the user sees when & what app is requesting these kinds of permissions. It's a moot point.
(For background location there's an extensive form in the Play Store, you even have to send videos in many cases - for foreground, there's nothing)
Netguard is an open-source program that helps fix this: https://netguard.me/
This depends on the firmware used. I am writing this comment from a OnePlus device which allows blocking internet access on a per-app basis - on a stock firmware.
That's what you get when you trust your device to commercial companies.