Category Archives: Android

Fi on a non-Google phone is like mowing your lawn with a weed eater….

Project Fi LogoI’ve seen the “can you use Project Fi with an XYZ model phone” question over and over. Invariably someone (or several someones) will reply “yeah, it works”. And while this answer is kind of / sort of technically correct (with caveats), it’s misleading!  When I see this I imagine  quotes around the word works… it “works” – unfortunately, a lot of people take it at face value.

Background

Before we go any further, you need to understand a couple of basic issues.  GSM carriers (like T-Mobile and AT&T) use sims to provision service on their network. The sim’s unique id is what is activated by the carrier and ties the service to whatever phone it’s inserted in. On the other hand, CDMA carriers (Sprint) only use the sim to provision the data portion of their service (LTE) – the cell side is provisioned based on a unique id in the PHONE.

You also need to be aware that not all phones have all of the US cell bands that are used by T-Mobile and Sprint. For instance, the International versions of Nexus phones don’t have any CDMA bands.

About the Project Fi Sim and Unsupported Phones (I-Phone)

The Project Fi sim is reportedly different than other sims in that it has up to 10 virtual sims on the card.   This means that any phone you put it in will probably have to have a firmware update (at least) to see any of the virtual sims other than the first one (which is probably T-Mobile as that is how the sim will act when insert it in a non-Fi phone). Unfortunately, this means that Apple would have to make changes to the I-Phone before it would be able to fully support Project Fi (which I honestly don’t see ever happening).

Activating your Project Fi Sim

The first thing that happens when you start the Project Fi activation process is that the Project Fi app verifies that you are using a supported phone. If you aren’t on a supported phone, the app stops the activation process. In short, you can NOT activate a Project Fi sim on an unsupported phone ( to me this means it does NOT work).

If you are on a supported phone, the app activates service on T-Mobile using the sim’s ID and then activates the PHONE’s unique ID on the Sprint Network.

So, I’ll just activate my sim in my friend’s Google Phone

And now we head down the rabbit hole.  Yes, you MAY be able to do that – BUT, you will be activating your friend’s phone on Sprint. This has a couple of possible side effects:

  • Your friends phone may have issues if he tries to activate Sprint service (either Sprint, Project Fi or any Sprint MVNO).
  • When you change out the sim, your phone will not be able to utilize the Sprint network. It will basically be a T-Mobile ONLY sim.

OK, so I’ll use a “Data Only Sim” Instead

Not so quick. The “Data Only Sim” is an ADD ON to a full sim, so if you can’t activate your primary sim, you won’t be able to use the data only one. This sim is intended as a way to get access to a SECOND device (like a tablet), not as your primary service.

Additional Things To Consider

  • Google will NOT support Project Fi on an unsupported phone.
  • Google has stated in the Network Policies section of their TOS that all “supported devices” will be listed on the Project Fi website and that they “reserve the right to suspend any device that we reasonably determine is unsupported”.  So, yes, they have the option of terminating your service for using a non-approved phone.

Conclusion

Basically, it’s like asking a group of guys “can I mow my lawn with a weed eater”?  There will be at least one guy that will says “sure, you can do that”. And while he is technically correct, and may be doing it himself; it is only kind of “working”.

Regardless of what you’ve heard – No, Project Fi sims do not work (note the lack of quotes) on unsupported phones! You probably need to consider a T-Mobile plan (or one of it’s MVNO’s – like Straight Talk).

Have fun and enjoy Project Fi!

 

 

Project Fi – What is a “Key” and why should I care?

What does the “KEY” mean?

I’ve seen several new (and some not so new) Project Fi users asking “what’s a key?”  So I thought I would take a crack at explaining what it is anProject Fi Logod why you should care.

First off, the “key” simply means that Project Fi’s WiFi Assistant is using an open WiFi hotspot to route all of your data through a Google VPN (see diagrams 2 and 4 below).  What this means to you is that your data is encrypted from your phone all the way to Google’s VPN server.

While we don’t know all of the rules for when Google’s WiFi Assistant will automatically connect, we do know that (at current) it only works on open hotspots with no “captive portal”.  What does that mean?  It means that if you have to provide a passphrase (WEP / WPA2 password for the router) or you have to acknowledge a Terms Of Service or click through a “Welcome” page (captive portal), WiFi Assistant won’t automatically connect and the vpn won’t be used.

Beyond that, we’ve been told that hotspot owners can “opt out” of providing this service and that Project Fi uses “a network quality database to help determine which networks are high quality and reliable.”  I’ve also seen the WiFi Assistant connect in a location one day but then not the next day – general consensus is that the location may or may not be “WiFI Assistant” material on a given visit based on connectivity at that time.

Why do you call it a “KEY” and how do I know if I get one?

If you are connected via a VPN, you will see a key (key) on your Project Fi status bar.

I’ve got a “KEY”, why do I care?

Well, the primary reason is that the key means that your data is encrypted from your phone to Google.  In the diagram below, this means that you don’t have to worry about “points of attack” A through E below.

Secure Data Transfer

 

VPN_Diag

 

What are the likely points of attack?

  • A – between your phone and the WiFi hotspot.  This is the easiest point of attack because the attacker doesn’t need physical access to any of the network hardware.  He can simply “listen to” (sniff) your WiFi radio connection.  Also keep in mind that some WiFi encryption protocols have been successfully hacked – for instance WEP is basically useless.  Just because the hotspot you are connected to uses WEP or WPA2 doesn’t mean it can’t be sniffed.
  • B – at the “hotspot”.  Hotspots are basically computers. It’s quite possible to embed malicious code in a hotspot to compromise data. This is reportedly common at some “cyber cafes” and other “public” hotspots.
  • C – between the hotspot and the ISP.  This isn’t very likely because it would require physically tapping the connection (think Police / NSA).
  • D – at the hotspot’s ISP.  Remember that while you trust your ISP, not all hotspot owners are using trustworthy upstream providers. A small provider with a rogue employee has access to 100% of the the unencrypted traffic going through their servers.
  • E – between the ISP and the “internet”.  Ok, this is kind of the same thing as G below, but I mention it specifically because it is one of the hack points the NSA has used to log traffic going into / out of the backbone.
  • F – the internet.  When you connect to a web site,  you don’t connect “directly” to that site.  Your data bounces from server to server (sometimes 10-20 “hops”) before getting to the other end. If your data isn’t encrypted, it can be compromised at any of these hops.
  • G – between the internet and the web server.  This would usually be used to see who is using a specific web server.  Police would use this to log users connecting to illicit servers and hackers would target this to get “high value” data going to a specific server.

Possible Connection Scenarios 

I’m going to arbitrarily assign weights to each of the 7 points of attack above (based on my opinion how likely each is).

A=4, B=2, C=0.5, D=1.5, E=0.5, F=1, G=0.5

So, if you are still with me (I’m surprised I haven’t bored you to death), let’s look at the 6 scenarios above and security rating (based on the scale above 0-10 with higher being better):

  1. Using an open WiFi Hotspot with HTTP protocol.  In this case, your data can be captured at any point (A-G).   Rating:  0
  2. Using an open WiFi Hotspot with HTTP protocol and a “KEY” (Google VPN).  In this case, you are protected from your phone to Google.  This will defeat the vast majority of sniffing attempts. Rating:  7
  3. Using open WiFi + HTTPS (SSL).  This is as good as SSL is (which pretty good).  There has been some talk that SSL may be compromised by the government, but I’ve not seen any definitive documented examples (but I’m going to knock off a point just in case). Rating: 9
  4. Using open WiFi + HTTPS (SSL) and VPN. This is about as good as it gets.  Your data is double encrypted through steps A-E). Rating: 10
  5. Using WEP / WPA2 encrypted hotspot with HTTP.  This is very similar to option 1 except you get 3 out of 4 on the first step (it looses a point for possible compromise.  Rating: 3 (EDIT: I was reminded that it’s not actually fair to group WEP with WPA2 or WPA3  since WEP it seriously flawed, so I’m going to change my rating).  Rating WEP: 0, Rating WPA2/3: 3
  6. Using WEP / WPA2 encrypted hotspot with HTTPS (SSL).  Pretty darned good.  Rating: 9.5

Are there any other ways the VPN could protect me?

Yes, there is (at least) one way.  When you directly connect to a remote host, the host (and every hop in between) sees your public facing IP address (your Comcast / AT&T provided router address).  If you use a VPN, the remote server will see a Google provided IP address.  What this means is that it would be quite a bit harder for the remote server to identify who you are.  Anonymity can be a good thing. 🙂

Ok, so where do I go to find a key?

There is a crowdsourced map of locations where keys have been seen.  Keep in mind that locations where keys have been seen may still not show a key for you if the connectivity at the hotspot isn’t “good enough”  Edit: it’s been brought to my attention that this map is no longer available.  Sorry.

Project Fi WiFi Spots

I don’t want Google knowing that much about me

I know many people are concerned about how much Google “knows” about them.  While I haven’t been able to locate the specific privacy policy related to the Google VPN, I’m pretty sure you are safer using Google than any of the “free VPN” services.  Google is a big corporation with a reputation to uphold, “Johnny’s Free VPN” service is only as good (and reputable) as Johnny is.

Summary

Project Fi’s “Key” or VPN is a cool free feature that you should be happy to see.

I hope you found something in here useful.

Android WebKit Car Analogy

The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License.Google throws nearly a billion Android users under the bus” and “Why Google won’t fix a security bug in almost a billion Android phones” but what I haven’t seen is an article that explains the situation in a way that people who WANT to blame Google seem to be able to understand so I’m going to try to explain this using an automobile analogy.

Imagine that Google makes automobile motors that many auto manufacturers use in the cars they sell. Some manufacturers want higher performance motors, so they replace the standard intake and cam with “improved” versions.  Other manufactures want more creature comforts in their cars, so they strap on AC units and other accessories.

Now it turns out that there was a problem with the motors that Google provided to manufacturers 18 months ago. To make things more interesting, the manufacturers didn’t actually have to pay ANYTHING to Google for the motors Google provided. Additionally, Google has offered to replace all of  their previous models at no additional charge twice since the faulty motors were shipped.

The manufacturers have chosen to not replace the faulty motors because they thought they were “good enough” and they would have to apply their chosen modifications to the replacement motors before sending them out. Besides, if people really want a new motor, they need to buy a new car. Right?

Keep in mind that this analogy is flawed.  For instance it implies that Google is actually providing hardware. They aren’t.  A more accurate analogy (but one less likely to be understood) is that Google is providing the software for the car’s computer.  All of the mechanical parts (including the electronics for the computer) are produced by the car manufacturer, but there is a bug in the code that Google made available to the manufacturer. Google doesn’t even know what kind of computer the manufacturer has chosen to install in their car.

My question to you is:  when you buy a car and it has problems with the motor (or computer), who do you go to for service?  I expect the vast majority of people would say the manufacturer (or it’s dealers) but many of these same people seem to want to put 100% (or more) of the blame on Google for the webkit issue. Logic seems to elude some people….

Is Google responsible for the bug? Sure, it was in their code. Is Google responsible for the bug not being fixed in your phone? Nope! They fixed the bug in later releases and your phone manufacturer choose not to release that fix.