Advanced Privacy - know all about it

Thanks a lot for all you did.

But I insist, location based on IP address should be hidden with AP regardless of GPS location settings. In other words, Twitter (when used as a PWA) should not have found my real location based on IP address if I connect through Tor with AP.

A little bit like @JJR, I have a VPN ans everything pass through it.
But in AP, it says that my real IP is not protected… In fact IP of my VPN can be seen by everybody but mine, no.
So it would be good to improve AP to avoid message saying IP is not protected when a VPN is used…

There is a chance of misattribution of DNS tracker lookup to appid in AP. It’s a german language thread of a user report Advanced Privacy hat 8 Tracker entdeckt - Exodus Privacy findet keine

Ah yes, I see. EP scans for code signatures, whereas AP uses DNS lookups as the proxy/quasi-signature of a tracker. Yes, I can see that this would lead to different numbers. And it also explains why DDG gets such a high value: I use DDG instead of the default web browser.

Of course, the bing.com tracker found in DDG by AP really is a tracker, as recent revelations have shown

I decided to take this topic to the InviZible Pro Telegram channel to get some insight. The excerpt below clearly shows no definite answers but it was cool. Still unsure of things.

Marc Williams:
I personally only use InviZible on all of my ROMs, including on /e/. Was only testing out Advanced Privacy.

After disabling my VPN & InviZible, I tested AP with the Hide IP feature. Specifying “My internet activity must appear from: United States” (picked only for speed reasons I guess).

I live in Los Angeles County, California. The IP address was in Kansas City, Kansas. Shown at browserleaks and the sites you mention.
I brought up Browser (based on Bromite and/or UnGoogled Chromium). Went to Google Maps and hit the location button.
Initially the map went to Kansas City but a few seconds later it changed to my real location/street. Went to OpenStreetMap and was taken to my real location.

In Iceraven (WebRTC disabled as I do with any Firefox-based browser) it was the same as far as the map sites were concerned.

Back on the /e/ device right now I test InviZible to hide my IP. Current IP is in Amsterdam.
Went to Google Maps. Everything is in German and I get a map of Europe. Hit the location button and it ask to use my location. After quite awhile it showed a map of my actual location in California. Tried a couple more times but the site just takes forever to bring up a map.
Ah, I see the IP has changed to Berlin. Explains why it wasn’t in Dutch.
Go to OpenStreetMap. Get a map of Germany. Hit the Show My Location button and I get Albuquerque, New Mexico. Odd.

Iceraven: IP is changing rapidly. IP is now in France.
Google Maps pops up cookie info in French but then takes me to OpenStreetMap with a map of France. Location button takes me back to Albuquerque.
That was in a private tab. In a regular tab I’m immediately taken to my real location.

Kiwi browser: IP has changed to Dresden. Language is German.
Google Maps takes me to my real location.
OpenStreetMap. Get a map of Germany. Show My Location is Albuquerque again.

Lot of rambling there but it tells me that location services and IP location do different things. That one cannot assume their location will be reported to be in the same place as the IP address location.

Brahman:
Orbot can use different routes per every connection, there is a setting for that. That explains variety. ipinfo.io shows tor:true which is a good reference.

Regarding location it may be not only IP based. If apps have access permission to read wifi data, they can lookup surrounding SIDs, and locate you based on that

Marc Williams:
Yep, exactly. The microG backends, depending on which installed, may use various methods to get location.
That last round of testing, btw, was using InviZible Pro.

Brahman:
Invizible will only change your IP. It won’t prevent apps reading your wifi data or location data.

Marc Williams:
Yeah. I figure that’s the same with the Orbot used in Advanced Privacy. ??

Brahman:
Never used it, can’t say for sure.

Marc Williams:
Oh, ha ha. I just realized why I kept getting OpenStreetMap instead of Google Maps in Iceraven and Kiwi. I’m using Privacy Redirect and LibRedirect extensions, respectively.

Brahman:
Too many options, too many options

Got around to testing the Twitter PWA this time. Three tests, reboots between each just to make sure network stuff is clean.

Round One:
InviZible Pro, Hide IP with Tor (forgot to turn off DNSCrypt just in case).
IP location is Berlin.
Twitter email says location is unknown.

Round Two:
Advanced Privacy Hide IP.
IP location is somewhere in Bavaria (forgot the city name).
Email location says Nuremberg.
Ugh, a lot of captchas on that round.

Round Three A:
InviZible Pro again.
IP location is Amsterdam.
No email received but it did show up after round three B.

Round Three B:
Different phone, accessing Twitter via WebApps.
InviZible Pro again.
IP location is Amsterdam.
Email location says Amsterdam.

So in those tests I got the results that you were expecting on your end I think. So now I’m even more confused on all of this.

Wow very interesting and confusing…what were your Manage My Location settings in these tests?

When using AP I decided not to mess with that and leave it at the use my real location setting.
Right now the Teracube is back to normal, VPN with InviZible Pro. What seems weird is that the little mapbox in the manage my location section is showing Santa Fe, New Mexico despite me being in California and my current VPN IP being in Idaho.
Not sure if that little map is current or not. I assume it is.

EDIT: Did a quick test on the Essential PH1 and /e/OS 1.2-q.
Advanced Privacy Hide IP and Twitter PWA.
IP location in Germany. Twitter email also says location was Germany.
The little mapbox shows my real location.

Awhile back the InviZible Pro dev chimed in with a couple of comments. Can’t say it really clears anything up but appreciated nonetheless.

Regarding my original query about the PWA returning real location:

Alexander Ged_sh:
InviZible, Orbot and other VPNs can’t do anything with GPS location. If you give the app location permission, it can send your exact location to remote servers.
On the other hand, if you logged into your account with your real IP address and then re-logged in with Tor, your real location is still stored on the server. The application will use it instead of the new Tor IP address.

Regarding getting WiFi data (from Brahman’s comment):

Apps can’t get this data without location permissions in modern versions of Android.

Btw @marcdw the /e/ team found my Twitter PWA problem. I had the “System” app unselected in Hide my IP. Still unclear to me because I thought PWAs were basically shortcuts from the browser, but not entirely apparently.

Oh, interesting. Confirmed. I had System checked already. A few tests with it unchecked did indeed result in my real location in the Twitter emails. Didn’t have to deal with captchas either which confused me at first

/e/OS has PWA Player which handles those. It’s a system app. I noticed it can use the location permission. I granted it just to see if it would make a difference during testing.

Also noticed that clearing data of PWA Player will remove installed PWAs.

I’ve noticed a couple of interesting things when mixing AP with the Work profile.

I use Shelter to have a second (Work) profile (mostly so that I can run two instances of Signal simultaneously on the one dual-SIM phone, one for each number).

I noticed that even though my IP address was masked in the Main profile by ProtonVPN, it was not similarly masked in the Work profile, and was revealed there when I checked what the Work profile instance of AP was doing. Setting the Work profile instance of AP to Hide my real IP address and asking that My internet activity must appear from: Australia did not in fact work. Instead, it appeared to be from wherever the Tor exit node was (since the masking uses Tor).

I got around this by cloning the ProtonVPN app from Main into the Work profile and having that cloned instance also running. It too now chooses Australia, so I have two instances of the ProtonVPN notification dot in the Status Bar under normal operations. This now reassures me that both Main and Work profiles have masked IP addresses (even though AP says otherwise since it does not yet recognise that a suitable VPN will automatically mask the IP – probably a future addition).

One amusing thing: when I set the Hide my real IP address setting, and then turned on ProtonVPN, since it was looking for the Fastest connection (default setting), it connected to Nigeria! For a brief moment, I was a Nigerian Prince …

There may be some implications here for what is going on above. There are two separate instances of AP in operation, one for each of the two profiles, Main and Work, which latter includes the usual suspects of Contacts, Files, and any other apps cloned to Work from Main, not to mention the System apps that are not shown by default unless you choose to Show All Apps in the Shelter settings.

So, there is a bit of complexity to navigate in order to set up both profiles to be comparably hardened for privacy. I was caught out by assuming that the VPN on Main would also be routing traffic from Work. Nope. That was fully exposed, which I didn’t realise until I checked the Work AP instance (by doing an https://whatismyip.com test from within the browser in the Work profile). So, a tip for new players at this.

Now, I’d like to figure out how to use one SIM for data in Main/Personal, and the other SIM’s data in the Work profile, since that second number is a work number…

Any ideas?

Does Advanced Privacy impact cell phone reception and/or call quality?

Advanced Privacy gets you through Tor while browsing, does location spoofing and blocks apps trackers. Nothing there to impact call reception quality in my opinion. As far as I’m concerned, no problem regarding that aspect!

(if you have the ip-hide feature enabled) I wonder if a Dialer Vo(LTE/Wifi) call does bypass Androids VPN. I guess it surely does but haven’t checked - 2g calls wouldn’t be affected anyway. So if I’m right, then no, it should not influence those calls.

But any App with voice-calls (whatsapp/signal etc) will - and depending on the length and number of network hops there will be higher latency and reduced bandwidth affecting call quality.

If we exclude a voip app from the ip-hide feature, will we still experience the reduced bandwidth and increased latency? Thank You.

the feature works as advertised (I checked) - if you remove the checkmark of voip App in the app-list offered by the Tor function, it will not get routed via Tor → no increased network-hops or latency for a voip App. (A small “but”: if the App is using firebase-cloud-messaging to notify of incoming calls, there can be a delay in notification / initiation as those messages are routed on Tor - but not influence the actual call itself)

Thank you for clearing this up! Much appreciated.

@tcecyk @MaMaTT88 So I was struggling to make a phone call this morning, but then once I checked off Advanced Privacy, the call DID go though. I then tried a call with just the “Hide my real IP address” option checked off for the “Phone” app and the call went through again. So it seems pretty important for users to check off the Phone app in order to have basic phone call functionality. Are others having a similar experience?

Was it a VoLTE or VoWifi phone call, or a regular one?

@MaMaTT88 @tcecyk The network said H+. When that comes up I know the call is very likely to go through and sound good. But I’ve been having mixed results. Later a phone call with the phone app removed from hide-my-ip behaved poorly. Then I made another call with the same setting and I wouldn’t even here the phone dialing. It couldn’t even get connected. So I then had to turn off all of Advanced Privacy to be able to make the call, which then went smoothly through the H+ network.

So what’s the deal? Am I just not going to be able to use the Advanced Privacy feature? I want to be able to use as much of the feature as possible without it negatively impacting my phone calls. I need to better understand how Advanced Privacy works in order to be able to set it up appropriately. I’ve read through this whole thread, but I’m still not clear enough on how everything works.

Okay, so my guess is that the hide-my-ip function is responsible for my phone call issues, since that’s the part of Advanced Privacy that goes through the /e/OS’ version or orbot. Apparently excluding the phone app from hide-my-ip isn’t enough to have good phone call functionality, so I’m wondering if I will also need to exclude “System” from hide-my-ip. Would that then be enough to bring back normal phone functionality?