it's true.

even bigger nightmare on iOS where 'always-on VPN' can only be configured on devices 'supervised' by an Apple-approved (documented application and telephone call with current employee required) organization's MDM solution—or you otherwise need a Mac to use the Apple Configurator app to even create a Configuration Profile containing the 'always-on VPN' key.

I _think_ iMazing can do what you want: https://imazing.com/configurator

Disclaimer: I've never used this feature. I only use it for backups and copying files to my iPhone.

never even thought to check if iMazing had any of this functionality. disclaimer noted, great tip regardless. thank you.

Making a simple OSS tool to generate valid configuration profile files seems like a potentially useful way to spend a weekend sometime.

The format cannot be that complex, right?

Looks like it’s just XML .plist format, and (at least partially) publicly documented:

https://developer.apple.com/business/documentation/Configura...

Web page for offline generation of iOS VPN configuration profile: https://mobileconfig.app

Until you get to the bit where I'm guessing you need Apples private keys to sign it or whatever

lol, hit me up with your rate. my only term is that i get to be watching over your shoulder the whole time.

I've done this before for months at a time (the GL.inet E750 with an iPhone with no SIM) but oftentimes US GSM providers throttle the hell out of UDP traffic on weird ports (like to 64-128kbps, a tenth of a megabit), and also notifications are frequently delayed.

Yeah it's the best solution if you use any public wifi or even mobile telephony. Somebody can just run their own base station and then your phone would connect to that. If it's not your network don't directly connect without a mobile router.

Edit: Other commenters report that Android will silently re-enable cell data under various conditions, so this isn't a surefire solution, either.

The Grugq created a tool for this a decade ago (sadly unmaintained): https://github.com/grugq/portal as part of a presentation about operational security for hackers. It's a great watch if you're interested in how various (in)famous hackers thought they were secure and got busted anyway. https://www.youtube.com/watch?v=9XaYdCdwiWU

> Other commenters report that Android will silently re-enable cell data under various conditions

This is terrifying.

It's expected. The people who own the phones aren't in control of the OS and the wireless chipsets are closed/proprietary. Cellphones really shouldn't be trusted by anyone.

Correct, the baseband usually has binary blobs. Although I am curious why Google/Apple decided not to make their own baseband, given their new silicon manufacturing expertise.

IIRC Apple has tried/is trying, but it is ridiculously complex to the point that they had to go back to Qualcomm as there really is no other option. Read: The biggest tech co on the planet stumbles with this, it should be considered a magic box as this point.

Google is sort of trying by using a Samsung modem (instead of Qualcomm) with an IOMMU in between, so at least the modem doesn't have access to the whole address space like on other phones. But they get a lot of flack for it.

Armchair speculation: Patents?

so then whats the other alternative?

solder on some ESPs on an old playstation portable device and connect from starbucks?

Right now we have no alternatives, but it's not technologically impossible to create mobile devices that give us root access to a mobile OS, or to create open wireless chipsets with open firmware.

Both Android and iOS will do that when you receive a MMS.

Even if the MMS is supposedly on an intranet, it wouldn't surprise be that a poor implementation might expose the rest of the system to internet for a brief moment.

i'm almost certain i've had it happen on iOS, too. only reason i can't definitively say—is because i can't rule myself out always having to manually toggle cell data on/off, both radio-level and per-app, when i'm coming/going from my own networks to my mobile VPN.

even in roaming?