Android connectivity checks occur outside VPN tunnels

https://2722--glowing-salamander-8d7127.netlify.app/en/android/distributions/#grapheneos

GrapheneOS provides the option to switch back to connecting to Google’s servers for many of these background connections if you prefer, but it is far more robust/foolproof to use a trusted VPN and enable Android’s native VPN kill switch to hide information like this from adversaries on your network.

Connectivity checks still happen outside the VPN tunnel, so using the VPN alone will not cut it; one also needs to change connectivity checks to Google if they want to hide the fact that they’re using GrapheneOS.


Oh duh, of course. Good catch.


One more thing is that GrapheneOS enables Always-on VPN and Block connections without VPN by default. So the user doesn’t really have to enable or do anything.


I opened a PR to incorporate the feedback you provided in this thread:

Please let me know if any wording should be changed.


You need to use a VPN and switch the connectivity checks to Standard (Google) if you want to hide the fact that you’re using GrapheneOS. Doing one while not doing the other is pointless.

The kill switch part is also redundant when it comes to GrapheneOS because it’s enabled by default, like I said in my post above.


I can make the wording clearer to emphasize this. Thanks for pointing it out.

Yes, it is enabled by default. That’s why I changed the wording from

enable Android’s native VPN kill switch

to

[keep] Android’s native VPN kill switch enabled

I don’t think it’s redundant though because people can turn off the kill switch for purposes like enabling Split Tunneling. And I’m not sure that people whose threat models call for hiding OS info from their network or ISP know to not disable the kill switch.

In the latest revision, I couldn’t find a clean way to fit in the note about the VPN kill switch, so I removed it. Here’s the latest version:

If you want to hide information like this from an adversary on your network or ISP, you must use a trusted VPN in addition to changing the connectivity check setting to Standard (Google). It can be found in Settings → Network & internet → Internet connectivity checks. This option allows you to connect to Google’s servers for connectivity checks, which, alongside the usage of a VPN, helps you blend in with a larger pool of Android devices.

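To make the "do both or neither" point concrete from the observer's side, here is an added example that is not part of the thread and not GrapheneOS or Privacy Guides code. It replays constructed dnsmasq-style DNS query log lines from a home router and works out, per client, what the connectivity-check traffic that bypasses the VPN reveals. The hostnames (connectivitycheck.gstatic.com and www.google.com for stock Android / "Standard (Google)", connectivitycheck.grapheneos.network for the GrapheneOS default) are taken from the projects' public documentation and should be treated as assumptions to verify against the OS version you care about; vpn.example.net and the client addresses are made up.

```python
"""
Added example (not from the thread): what a passive observer on the local
network or at the ISP can infer from connectivity checks that leave a phone
outside its VPN tunnel. Input is a constructed dnsmasq query log.
"""
import re

# Connectivity-check hosts as documented by the respective projects at the
# time of writing. ASSUMPTION for this example; verify against the OS source.
CHECK_HOSTS = {
    "connectivitycheck.gstatic.com": "standard-google",     # stock Android / "Standard (Google)"
    "www.google.com": "standard-google",                    # Android fallback check
    "connectivitycheck.grapheneos.network": "grapheneos",   # GrapheneOS default
}

# dnsmasq query log line shape: "... query[A] <name> from <client-ip>"
QUERY_RE = re.compile(r"query\[(?:A|AAAA|HTTPS)\]\s+(\S+)\s+from\s+(\S+)")

# Constructed sample log (not a real capture). Three phones behind one router,
# each with an always-on VPN to vpn.example.net (assumed name):
#   .42 GrapheneOS with the default (GrapheneOS) connectivity check servers
#   .43 GrapheneOS switched to Standard (Google)
#   .44 GrapheneOS with connectivity checks disabled
SAMPLE_LOG = """\
Mar  3 10:00:01 dnsmasq[812]: query[A] vpn.example.net from 192.168.1.42
Mar  3 10:00:02 dnsmasq[812]: query[A] connectivitycheck.grapheneos.network from 192.168.1.42
Mar  3 10:00:02 dnsmasq[812]: query[AAAA] connectivitycheck.grapheneos.network from 192.168.1.42
Mar  3 10:00:05 dnsmasq[812]: query[A] vpn.example.net from 192.168.1.43
Mar  3 10:00:06 dnsmasq[812]: query[A] connectivitycheck.gstatic.com from 192.168.1.43
Mar  3 10:00:06 dnsmasq[812]: query[A] www.google.com from 192.168.1.43
Mar  3 10:00:09 dnsmasq[812]: query[A] vpn.example.net from 192.168.1.44
"""


def check_hosts_seen(lines):
    """Map each client IP to the set of connectivity-check host classes it queried.

    Clients that only query non-check names (e.g. the VPN endpoint) are still
    recorded, with an empty set, so that 'no checks seen' is reportable.
    """
    seen = {}
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        name, client = m.group(1).lower().rstrip("."), m.group(2)
        seen.setdefault(client, set())
        label = CHECK_HOSTS.get(name)
        if label:
            seen[client].add(label)
    return seen


def fingerprint(labels):
    """Verdict an observer can reach from the check hosts alone."""
    if "grapheneos" in labels:
        return "grapheneos"        # only GrapheneOS uses this host: VPN does not help
    if "standard-google" in labels:
        return "android-standard"  # indistinguishable from any stock Android device
    return "no-checks"             # no check traffic at all: unusual, but nothing to key on


def fingerprint_clients(lines):
    """Per-client verdicts for a whole log."""
    return {client: fingerprint(labels) for client, labels in check_hosts_seen(lines).items()}


if __name__ == "__main__":
    for client, verdict in sorted(fingerprint_clients(SAMPLE_LOG.splitlines()).items()):
        print(f"{client:15} {verdict}")
```

Only the .43 phone, which uses a VPN and the Standard (Google) setting together, looks like the rest of the Android population; .42 is identified despite its VPN, and .44 is reported as having no check traffic at all, which is its own kind of oddity. Swap the regex for whatever your resolver or DNS logging produces; the classification logic does not depend on the log format.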

You could change the wording to “blend in with billions of other Android devices,” but that’s up to you. To me, “larger pool” sounds like there are multiple pools, which isn’t really the case; I can only think of two.

One more thing is that if one chooses to switch from GrapheneOS to Standard (Google), then they will make other people who are using the GrapheneOS option stand out more, so unless one needs to hide the fact that they’re using GrapheneOS, they should keep using GrapheneOS servers to help create a bigger pool and reduce the reliance on Google.

One other option on Graphene (not sure if it’s Android or Graphene specific) is to disable connectivity checks entirely. I did that a few months ago and haven’t had any issues; I get notified by my DNS or VPN when they can’t connect.

You will still stand out because only GrapheneOS offers such option. Disabling connectivity checks also introduces some breakage.

I mean, anything other than Google will stand out so yeah. Just mentioning option 3 exists. As to breakages it can cause, do you have a link to somewhere I could read about those? I haven’t had any issues myself and would be interested in reading more on it.


Thanks. Captive portal issues, that explains why I haven’t had any issues yet. I’ll keep that in mind for when I’m connecting to guest wifi every now and then.

In Progress → Done

Closing thread since the PR here has been merged