What information can get the andriod application with full network access on the latest androids?
Previously application with full network access permission could get all information about wifi connection (ap name/ap mac address etc) even with VPN connected. But I know google changed some permissions in android 10.
Is it possible to hide from the application real internet connection settings and allow to see only vpn connection settings?
On Android 11+, turn ON Block connections without VPN (Gemini). That, in theory, should prevent apps from “seeing” the underlying networks a VPN may use.
Some of the “information” now requires location permission, for example accessing SSID isn’t possible without it. Though, network info (such as DNS servers, search domains, routing table etc) may be fingerprintable, I’d not worry about it too much, tbh.
I do this always. Yes remote server will not get real ip address and traffic will flow over vpn only. But the main issue meta data that application itself can get about connection.
In theory, maybe. But I want to know how it’s in reality 
For me fingerprinting is not an issue. Leaking important information as router ip address of the parent mobile connection ip address of the mobile connection or mac address of the wifi router of the main connection (not vpn) breaks any anonymity at all.
ok, but when I look in all permission list I can see also “view wi-fi connections” and “view network connections”. What exactly these setting can allow for the application? And how can I disable it
Does any official documentation exist, where explained what data can be get with these permissions?
Router IP of the parent Mobile connection IP address? Not sure what you mean by that. Can you elaborate?
MAC addresses are randomized by default (unless disabled) on all Androids running 11+ (thanks to patches from the GrapheneOS team).
I am not aware of an exhaustive study on the topic by any of the usual Android security shops (like CureFit, TrailOfBits, QuarksLab, GoogleProjectZero/ATAG, GitHubSec etc), but likely you’ll have to pay an expert to get a report on possible network-info related identity leaks. Though, if there were any serious reported leaks, I’d expect teams at GrapheneOS, CalyxOS, DivestOS, LineageOS to fix those (even if AOSP didn’t).
I am not aware of anyone documenting this in one place. Android’s developer documentation and source code is where I’d look.
Hm. The two are closely related?
As an aside, aiming for anonymity with a smartphone is a very tall ask.
I will try to explain in detail.
Right now almost any application that requires internet access (all messengers/browsers/etc) has these permissions:
Full network access
View network connection
View Wi-Fi connections
And even when phone connected to the VPN (on GraphenOS as example) with blocking connection without VPN application can get local ip address of parent connection (WiFi or Mobile)
I don’t know how to test mobile connection, but local WiFi ip address can be seen in any network tools application (as example really old “Network Scanner” from F-Droid appstore). But I think it will be the same for mobile connection.
Leaking real (not vpn) ip address to the third party application breaks any anonymity. Any vpn doesn’t have any sense if the real Ip address of mobile connection can be seen by application (yes server will see vpn address)
I don’t want full anonymity of full device. I want to fully isolate a few (1-3) application only. But applications still have access to private data (local ip address of main connection)
Yes, these permissions do give apps access to network information (such as interface IP address, NAT64 prefix, routing information, connectivity status, connection type, etc), as you’d expect.
I’m not sure if DivestOS, CalyxOS, GrapheneOS let you disable these permissions. Tagging @SkewedZeppelin (DivestOS lead).
Gotcha. A VPN + Block connections without VPN enabled should isolate apps to an inescapable network namespace, but as before, I haven’t audited the entire API surface area in Android nor do I know if anyone else has to give you a definitive answer.
GrapheneOS has the ability to limit internet access on a per-app basis altogether but it isn’t exactly what you’re after, I imagine.
You sure? Per my (perhaps antiquated) understanding, apps can not access underlying networks (wifi, mobile) when Block connections without VPN is turned ON.
All popular android roms (vanilla androidm graphenos etc.) can disable “Full network access” permission only, but not “View network connection” and “View Wi-Fi connections”
I’m sure. You can check it by self. Install “Network Scanner” from f-droid, connect to the VPN, enable vpn always on, and block connections without vpn. Yes connections will be blocked, but information about local ip address of wifi connection can be seen inside this application (I think it’s the same for mobile connection, but I don’t know how to check)