osmandapp / OsmAnd

OsmAnd
https://osmand.net

Tweaks to offline experience #12177

Open snouup opened 3 years ago

snouup commented 3 years ago

🚀 feature request

Description

In light of the Pegasus project revelations, people are starting to realise there is almost no defense against cyber attacks short of disconnecting your handset from the outside world. I imagine offline tools like osmand will soon be a go-to choice for journalists and dissidents seeking protection from intrusions.

So, as part of an experiment, I set out to configure a modern smartphone with osmand in the securest way possible. I bought a used pixel 3a on Craigslist, flashed a custom ROM (calyxos and grapheneos) to degoogle the phone, and attempted to set up osmand fully offline.

The experiment was generally a success with a couple rough edges to improve.

  1. Osmand (from fdroid) doesn't require google play services - awesome!

  2. First startup - net request without user interaction

On my first try, I used calyxos with a firewall app to forbid osmand from accessing the internet.

To my surprise, the moment I started up osmand, I was shown a dialog prompting me to download the map for my region.

The location services on the phone were off. How did Osmand figure out my location?

Turns out I'd made a mistake setting up the firewall. Osmand sent out a request to its server and deduced my location based on the IP address.

This function is of course useful, but for a marketed offline app it's concerning to see this request without any interaction from the user. Now, of course whoever's listening on your net provider can deduce you just started using osmand, and prepare some new malware. Uh oh.

Besides the startup request, when you tap on a location on the map, osmand sends a request for the available map downloads. Again, quite useful, but may want to prompt some confirmation from the user if the request includes the precise location that was tapped on. (I couldn't verify if it does)

  3. Firewall issues

Failing to fix the firewall, I decided calyxos is an amateur product, flashed grapheneos and started over. The grapheneos firewall worked brilliantly. It worked so brilliantly that osmand refuses to start with the firewall active (the subject of another report just submitted). Luckily there is a workaround: turning off WiFi allowed me to start the app.

  4. Map downloading

The osmand map repository wasn't difficult to find and allowed me to download without a hassle from the PC, then copy the maps onto the handset.

What I didn't realise at first was that I had downloaded too many maps. I downloaded the maps in the form of country_state_municipality as well as the map country_state. I had assumed the latter was some overview map containing landscape features or a higher zoom level, and that both were necessary. But in the end, either country_state or country_state_municipality would have been enough. country_state is just a merged version of all municipality maps, it seems.

I understand osmand makes money from map downloads and subscriptions from within the app - not really in your interest to guide people towards manual downloads. Regardless, adding a quick note about the redundant maps to the download page (or removing them?) would likely save you some server resources.

  5. Minor UI quibbles

Osmand was now fully usable. The only quirk I noticed compared to my online installation was a label in the middle of every POI description informing me to check my internet connection. Most likely this label could be removed to save valuable screen real estate.

Thanks for reading my adventures :)

sonora commented 3 years ago

There is likely a (rather small) number of further auxiliary features where OsmAnd accesses the Internet if available, which may be worth revisiting in light of this user story if we decide it's worth it.

At least one of these I have implemented myself many years ago: If you do not have a GPX location fix yet, and you tap the (then gray) MyPosition button on the map, OsmAnd will use an Android method checking if there is an Internet connection, and if the answer is positive, OsmAnd will download A-GPS data to accelerate the position fix.

This is welcome behavior for 99% of use cases, but may also fall in your list of debatable features.

Overall I guess we could try to not fix every single item separately, but maybe introduce some sort of switch (sort of like a permission) which could block ANY internet interaction for OsmAnd unconditionally while set.

The good news is that OsmAnd does perfectly work in complete offline situations like wildernesses, or if you simply put the device in airplane mode. I can attest to that from countless expeditions. But our code takes less care whether or when to access the internet for some auxiliary feature if it finds a connection is available. I guess those are the situations you are asking to review.

In our code they will mostly be bracketed by internet availability checks to avoid errors if offline, so they should be easily identifiable. And those very checks may be fooled when your device is online in principle, but connectivity is heavily impeded by firewall rules, which accounts for some of the behavior you describe.

snouup commented 3 years ago

At least one of these I have implemented myself many years ago: If you do not have a GPX location fix yet, and you tap the (then gray) MyPosition button on the map, OsmAnd will use an Android method checking if there is an Internet connection, and if the answer is positive, OsmAnd will download A-GPS data to accelerate the position fix.

Interesting! I had no idea.

From my novice understanding, A-GPS is usually provided in the background by the OS, which some folks disable because the A-GPS provided by Google by default is terrible for privacy (I believe it reports your IMEI and location to Google.)

If not for the benefit of privacy-conscious users, getting such features listed in some options menu may just be a good idea for awareness' sake. Because I had no idea that leaving data on would have provided faster GPS-resolving, I had usually kept on airplane.

On the other hand, some people may desire to leave a-gps enabled, while conserving as much data as possible on a costly mobile plan.

Overall it could be a good idea to introduce a menu with toggles and explainers for most or all of the internet connections osmand might use!

snouup commented 3 years ago

Overall it could be a good idea to introduce a menu with toggles and explainers for most or all of the internet connections osmand might use!

Or instead of a toggle, a choice of:

F-Droid for example gives you this choice for auto-updates.

snouup commented 3 years ago

Overall it could be a good idea to introduce a menu with toggles and explainers for most or all of the internet connections osmand might use!

Existing analytics toggle can be put there.

I noticed the dialog asking for analytics permission pops up randomly sometimes when app starts. Also the dialog asking to rate the app. Are these supposed to show in spite of no connection? Can't rate app without internet after all.

sonora commented 3 years ago

Please understand that A-GPS in the sense I am talking has nothing to do with all the different Location service enhancement services like using WiFi, BT, cell tower reception etc. and deducing from some google, Samsung, Mozilla, mobile carrier etc. database. The OS may indeed offer all sorts of different services to aid location determination, either as (battery saving) primary or auxiliary method.

But I am strictly talking about a simple download of the geopositioning satellite orbit data from the public sources, valid for up to about 7 days, so your device can a lot faster determine whereabouts it must be from the fact which satellites are visible.

To my knowledge no device data is explicitly shared in such a download, (but the A-GPS servers will of course e.g. see things like your IP). Thinking about this, I believe it is probably the least of your concerns.

Setting (on OS level) your device to reliably use satellite based positioning only as your Android location provider service, without any proprietary auxiliary services, should be a lot higher on your list of priorities.

snouup commented 3 years ago

Setting (on OS level) your device to reliably use satellite based positioning only as your Android location provider service, without any proprietary auxiliary services, should be a lot higher on your list of priorities.

Yeah that's the first step definitely.

I'm not trying to advocate for or against A-GPS. Just trying to figure out on what setups it is necessary. If a-gps was added to osmand years ago, I'm wondering if modern OS are maybe doing it internally now? If they do, osmand's implementation would only be wasting data, but if they don't, it's still useful. If there was an on/off switch, we could run some tests. In android there seems to be an a-gps feature called SUPL. Couldn't find much about it. microG and GrapheneOS also have efforts underway for GPS resolve to be improved with a completely offline database. Basically, if the OS can provide the feature, there is no need for the app to, plus, whatever configuration was set up in the OS can ideally propagate forth into the app.

sonora commented 3 years ago

The OsmAnd feature is only manually triggered in any case: Only if you hit the Position button while not yet blue, and only if online at the time. That also facilitates any testing (e.g. between devices), if you wish.

But I suggest let's not further dilute your original intent by a fringe topic here. A-GPS is clearly not at the heart of this issue. Investigating how to isolate OsmAnd reliably even on a device being online should be, unless I misunderstand.

snouup commented 3 years ago

Great to know. I wondered for so long what that button does.

But I suggest let's not further dilute your original intent by a fringe topic here. A-GPS is clearly not at the heart of this issue. Investigating how to isolate OsmAnd reliably even on a device being online should be, unless I misunderstand.

Indeed. Some global toggle cutting all connection attempts, like you suggested, would be great. Wish I knew how to code, so I could do it :-)

Unlike a firewall, an app side toggle can communicate that a connection isn't just unavailable or failing, it's simply not needed nor wanted. Thus removing any labels or nag-screens that would ordinarily complain.

Lee-Carre commented 2 years ago

conserving as much data as possible on a costly mobile [tariff].

&

instead of a toggle, a choice of:

  • Always
  • WiFi only
  • Never

For comparison, Organic Maps has a global option for controlling mobile data usage, with values of

I'm unsure of its behaviour when 802.11 is connected (I'll try to test it, at my next opportunity).

xandro0777 commented 2 years ago

Regarding AGPS, many other apps can trigger it and if some app doesn't trigger it explicitly the OS will very likely do it implicitly from time to time unless it is disabled.

One strategy to reduce the privacy implications while keeping the advantages might be to trigger an AGPS pre-fetch at fixed times and locations, for example every midnight at home when it is on charger.

Lee-Carre commented 2 years ago

[…] reduce the privacy implications [of downloading / using A-GPS data]

Other than one's device generally ‘phoning-home’, what other privacy concerns are applicable?

To my awareness, the data downloaded is the ephemeris (orbital) info for the satellites (instead of waiting for a visible satellite to broadcast it, which may take 15 minutes). I would think that it's the same for all users. The data is quite small (a set of Two-Line Elements; a text-file, basically).

Is there some new devilry that device-makers do which has escaped me?


trigger an AGPS pre-fetch at fixed times and locations

This is a side-benefit of another strategy I employ (for a variety of other reasons); before preparing to head out, activate an app (I can make recommendations if people are curious) which has a feature to toggle GNSS on, and keep it on. I want GNSS reception perma-active (again, for a few reasons, which are beyond the scope of this ticket) while I'm out. Disabled upon returning (or my device is going to remain stationary (in the same building) for several hours).

As it will have been a while since my last use of GNSS, a download of the Augmentation data is performed at the time I toggle-on the receiver (which is always in the same place).

A more holistic solution would be to use an OS which restricts the fetching of the ephemeris data, to permitted circumstances (e.g. unmetered 802.11, no more than once per 24 hours, and whatever else you wish). Else, simply disable / forego any pre-fetch, and give your receiver time to receive a broadcast from the satellites (which works anywhere, any time, without privacy concerns).

xandro0777 commented 2 years ago

[…] reduce the privacy implications [of downloading / using A-GPS data]

Other than one's device generally ‘phoning-home’, what other privacy concerns are applicable?

The phone company and possibly others will know that you have deployed GPS in the area. In some evil places that could cause trouble.

A more holistic solution would be to use an OS which restricts the fetching of the ephemeris data, to permitted circumstances (e.g. unmetered 802.11, no more than once per 24 hours, and whatever else you wish).

I think Netguard on Android allows that although it may be device specific and require some trial and error. I have accidentally done that by mistake.
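
The global switch and the Always / WiFi only / Never choice proposed in this thread, together with the point that a user-chosen block differs from a failed connection and the once-per-24-hours limit on ephemeris fetches, sketched as an added Java example. It is not OsmAnd code: `FeatureGate`, its enums and `showConnectionHint` are hypothetical names, and the link state is assumed to be supplied by the caller from the OS.

```java
import java.time.Duration;
import java.time.Instant;

/** Hypothetical per-feature gate; none of these names come from OsmAnd. */
public final class FeatureGate {
    public enum Policy { ALWAYS, WIFI_ONLY, NEVER }       // user's global choice
    public enum Link { NONE, METERED, UNMETERED }         // current state, as reported by the OS
    public enum Decision { ALLOW, OFFLINE, BLOCKED_BY_USER, RATE_LIMITED }

    private final Policy policy;
    private final Duration minInterval;  // Duration.ZERO disables rate limiting
    private Instant lastAllowed;         // null until the first allowed request

    public FeatureGate(Policy policy, Duration minInterval) {
        this.policy = policy;
        this.minInterval = minInterval;
    }

    /** A feature calls this before opening any connection. */
    public Decision check(Link link, Instant now) {
        // Policy is evaluated before connectivity: with NEVER the app does not
        // probe the network at all, so a firewall cannot confuse the result.
        if (policy == Policy.NEVER) return Decision.BLOCKED_BY_USER;
        if (link == Link.NONE) return Decision.OFFLINE;
        if (policy == Policy.WIFI_ONLY && link == Link.METERED) return Decision.BLOCKED_BY_USER;
        if (lastAllowed != null
                && Duration.between(lastAllowed, now).compareTo(minInterval) < 0) {
            return Decision.RATE_LIMITED;
        }
        lastAllowed = now;
        return Decision.ALLOW;
    }

    /** Only a genuine outage warrants a "check your internet connection" label. */
    public static boolean showConnectionHint(Decision d) {
        return d == Decision.OFFLINE;
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2021-07-25T00:00:00Z");  // constructed sample time
        FeatureGate never = new FeatureGate(Policy.NEVER, Duration.ZERO);
        FeatureGate agps = new FeatureGate(Policy.WIFI_ONLY, Duration.ofHours(24));
        System.out.println(never.check(Link.UNMETERED, t0));
        System.out.println(agps.check(Link.METERED, t0));
        System.out.println(agps.check(Link.UNMETERED, t0));
        System.out.println(agps.check(Link.UNMETERED, t0.plus(Duration.ofHours(1))));
        Decision d = agps.check(Link.NONE, t0.plus(Duration.ofHours(30)));
        System.out.println(d + " hint=" + showConnectionHint(d));
    }
}
```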