40

Is this possible on any modern day phone or tablet? Selfhosting as made me very privacy-consciouss and am concerned about my iphone.

all 35 comments
sorted by: hot top controversial new old
[-] NeoNachtwaechter@lemmy.world 43 points 5 days ago* (last edited 5 days ago)

Yes. Firewalls.

With an iPhone, however, you are screwed. Apple won't let you do what you are looking for.

[-] seang96@spgrn.com 6 points 5 days ago

VPN would still work for iPhone I imagine. Small whitelist of DNS would do 90%+ of the job.

[-] NateSwift@lemmy.dbzer0.com 25 points 5 days ago

Apple bypasses VPNs for certain system services, or at least has in the past

[-] iii@mander.xyz 14 points 5 days ago

Also falls back to hardcoded IPs when DNS fails

[-] undefined@lemmy.hogru.ch 3 points 5 days ago* (last edited 5 days ago)

I killed off ads in the News app by blocking doh.apple.com. I find it kind of funny that it looks up its DoH server IP using the existing DNS server and that simply returning NXDOMAIN cuts it off.

Not sure if they use it for much more than that though (doesn’t seem like it).

[-] NeoNachtwaechter@lemmy.world 6 points 5 days ago* (last edited 5 days ago)

True, somewhat... but on the iPhone, many functions that seem like basic things are tied to Apple's services and cannot easily replaced by selfhosted services. This phone would not work properly anymore.

[-] ComradeMiao@lemmy.world 1 points 5 days ago

other than texting and calling idk what else I would use that isnt selfhosted :)

[-] NeoNachtwaechter@lemmy.world 3 points 5 days ago

In the other reply, you said something about GPS.

Well, location services aren't really GPS anymore.

The phone looks at all of it's radio environment (cell and WiFi and whatnot) and from that it calculates it's location. GPS may help a little, too, but it's not important.

It needs Apple's own databases to do that: collections of all antennas in the world, and their known locations.

[-] zingo@sh.itjust.works 1 points 5 days ago* (last edited 5 days ago)

Hmmm. That could be what's slowing down the GPS locking on my old android phone I use for my fitness app.

No SIM card or WiFi access. Takes a good 20 min just to get a GPS lock.

That means it fucks up my distance monitoring and time intervals, if I don't have patience to wait, which I honesty don't!

The app is basically a fancy timer at this point.

;)

[-] NeoNachtwaechter@lemmy.world 1 points 5 days ago

In that case, your phone needs to "see" at least 4 satellites at the same time (more is even better) to get the first GPS lock, and that's probably why you need to wait for so long.

It could help to walk to a spot with no buildings, trees etc.

Once there was an app called "GPS essentials" to help with that.

[-] BearOfaTime@lemm.ee 1 points 5 days ago

Texting uses http over the data channel for MMS.

[-] farcaller@fstab.sh 2 points 5 days ago

You can enforce an always-on VPN (for at least ipsec) via an MDM profile. This kind of features isn’t found in the casual user setup options, but there's plenty of knobs to tune in the enterprise profile configurator.

And yes, you can easily install that profile on your phone after.

[-] iii@mander.xyz 15 points 5 days ago

On all networks, or just when on your home network?

[-] 1024_Kibibytes@lemm.ee 14 points 5 days ago

This is a good question. On your home network, that's pretty easy. On other networks, setting up a VPN that tunnels to your network seems like it should work.

[-] ComradeMiao@lemmy.world 5 points 5 days ago

Oh true! What an obvious answer. I could run it to my home adguard via tailscale. What about gps though...

[-] bobs_monkey@lemm.ee 9 points 5 days ago

GPS is kind of a tossup since your cellular provider can just as easily triangulate your position with their towers, and there is no escaping that outside of putting your phone in a faraday cage.

[-] sxan@midwest.social 4 points 5 days ago

They can't, tho. There are two reasons for this.

Geolocating with cell towers requires trilateration, and needs special hardware on the cell towers. Companies used to install this hardware for emergency services, but stopped doing so as soon as they legally could as it's very expensive. Cell towers can't do triangulation by themselves as it requires even more expensive hardware to measure angles; trilateration doesn't work without special equipment because wave propegation delays between the cellular antenna and the computers recording the signal are big enough to utterly throw off any estimate.

An additional factor in making trilateration (or even triangulation, in rural cases where they did sometimes install triangulation antenna arrays on the towers) is that, since the UMTS standard, cell chips work really hard to minimize their radio signal strength. They find the closest antenna and then reduce their power until they can just barely talk to the tower; and except in certain cases they only talk to one tower at a time. This means that, at any given point, only one tower is responsible for handling traffic for the phone, and for triangulation you need 3. In addition to saving battery power, it saves the cell companies money, because of traffic congestion: a single tower can only handle so much traffic, and they have to put in more antennas and computers if the mobile density gets too high.

The reason phones can use cellular signal to improve accuracy is because each phone can do its own triangulation, although it's still not great and can be impossible because of power attenuation (being able to see only one tower - or maybe two - at a time); this is why Google and Apple use WiFi signals to improve accuracy, and why in-phone triangulation isn't good enough: in any sufficiently dense urban or suburban environment, the combined informal of all the WiFi routers the phone can see, and the cell towers it can hear, can be enough to give a good, accurate position without having to turn on the GPS chip, obtain a satellite fix (which may be impossible indoors) and suck down power. But this is all done inside and from the phone - this isn't something cell carriers can do themselves most of the time. Your phone has to send its location out somewhere.

TL;DR: Cell carriers usually can't locate you with any real accuracy, without the help of your phone actively reporting its calculated location. This is largely because it's very expensive for carriers to install the necessary hardware to get any accuracy of more than hundreds of meters; they are loath to spend that money, and legislation requiring them to do so no longer exists, or is no longer enforced.

Source: me. I worked for several years in a company that made all of the expensive equipment - hardware and software - and sold it to The Big Three carriers in the US. We also paid lobbyists to ensure that there were laws requiring cell providers to be able to locate phones for emergency services. We sent a bunch of our people and equipment to NYC on 9/11 and helped locate phones. I have no doubt law enforcement also used the capability, but that was between the cops and the cell providers. I know companies stopped doing this because we owned all of the patents on the technology and ruthlessly and successfully prosecuted the only one or two competitors in the market, and yet we still were going out of business at the end as, one by one, cell companies found ways to argue out of buying, installing, and maintaining all of this equipment. In the end, the competitors we couldn't beat were Google and Apple, and the cell phones themselves.

[-] AMillionMonkeys@lemmy.world 1 points 4 days ago

That's good to know. I leave location services off on Android when I'm not using them and the possibility of a triangulation leak always nagged me a little. Not a lot, because I've never heard of any actual harm coming from it. But a little.

[-] ComradeMiao@lemmy.world 1 points 5 days ago

Good point. Wish there was a way to have a device that could only access my selfhosted applications then totally block all other tracking. I did the vpn route just now. Thanks for that tip!

[-] Petter1@lemm.ee 2 points 5 days ago

If route all data through VPN and drop the unwanted packages in the firewall at home, you achieve this. But apple is a bitch and ignore VPN (and even DNS) for own domains.

[-] BearOfaTime@lemm.ee 1 points 5 days ago

Cell tracking is external to the phone. It's done by the towers - they know signal strength, and by using known tables of that data, cell providers know pretty accurately where your phone is.

To block this you'd need a device that lacks any cellular technology whatsoever. Wifi only.

And that has the same issues, especially with companies like Comcast/Xfiniti using their cable modems to track all the devices around them, even if you don't connect to them.

[-] ComradeMiao@lemmy.world 2 points 5 days ago

I guess foreign wifi or data. I have a router with adguard at home and work.

[-] iii@mander.xyz 4 points 5 days ago

Take a look at "Rethink: DNS + firewall + VPN". It is available through FDroid

[-] henfredemars@infosec.pub 10 points 5 days ago

Maybe I’m being stupid but a trivial way to ensure this is just don’t connect it to the Internet in any way. No SIM card. Cut it off from the Internet after setup, and only connect to a LAN with your chosen services all physically isolated from any internet machines.

[-] catloaf@lemm.ee 10 points 5 days ago

Guarantee? You'd have to open it up and disable the cellular radio. The OS can override any settings you make.

More than just the cellular radio.

https://www.theregister.com/2023/04/27/qualcomm_covert_operating_system_claim/

I think this was built into the SOC itself, or the GPS module, but it runs 100% independently of your OS, even on custom firmware.

[-] Celestus@lemm.ee 4 points 5 days ago

Remove the SIM card to ensure it doesn’t communicate with a cellular carrier. Then go into the settings for your specific WiFi network, configure IP address manually, and remove the entry for “Router” to prevent it from talking to the Internet

[-] undefined@lemmy.hogru.ch 3 points 5 days ago* (last edited 5 days ago)

One thing I want to bring up just so you’re conscious of it is WiFi calling.

I currently use Tailscale and a sophisticated setup to route traffic via commercial VPNs. I also do a ton of DNS ad/tracking blocking which Tailscale wasn’t really designed for (and requires a rat’s nest of routing, iptables and the like).

I’ve noticed I never receive incoming calls now even while attempting to send traffic to my carrier’s WiFi calling server (it’s just another traditional VPN server at a technical level) through the nearest Tailscale exit node.

All this is to say, if you want WiFi calling to work you should consider this. I believe it’s the same for Android and iPhone.

As for the traditional VPN bit I kind of discovered this a few years ago when using one of those mobile cellular gateways you can plug into your LAN (I lived in a dead zone). When looking up my current carrier’s WiFi calling server (a different carrier) I realized the port matches the same VPN thing they were doing on the cellular gateway, so I think it’s fairly common for wireless carriers to just use a VPN to get you into their backend.

[-] mspencer712@programming.dev 2 points 5 days ago

I have an iPhone and a gl.inet gl-e750 portable cell router, and my SIM card stays in the router. I don’t actually restrict my phone the way you’re talking about, but this gives me vpn to my home network without needing the vpn running on each client device. And if I wanted to block connections to big tech company services, I could do that.

[-] kalr@meinreddit.com 1 points 5 days ago

Can never guarantee anything but you got some options for decent security. I've used Tailscale and also Cloudflare with blocking all ips except for my known devices.

this post was submitted on 11 Nov 2024
40 points (93.5% liked)

Selfhosted

40183 readers
476 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS