Disabled UnifiedNLP providers are queried anyway (security)

[gdt]

On CalyxOS, UnifiedNLP is present via microg, and the Mozilla and DejaVu backends are preinstalled. I have configured Mozilla off in settings, to prevent location (wifi list) from being sent to Mozilla. (In addition to paranoia, I find that because I usually navigate to places with osmand, DejaVu has learned wifi for most places, and it therefore is sufficient 99% of the time.)

On starting MyLocation (f-droid, up to date today), I see that it reports a location value from DejaVu and one from Mozilla. In most respects this is great and useful detail, but it violates my configured policy not to use Mozilla. I'm really unclear on if Mozilla is operating in the background anyway always, or whether the query from MyLocation causes it to wake up and send wifi info to a server, but I'm assuming for now that this is triggered behavior.

For a fix, I suggest either

• default to turning on providers only if UnifiedNLP has them enabled, if this is possible, which I'm guessing it isn't
  or
• when first finding a provider, enable it if it is known to not send information off-device, which is a short allowlist of DejaVu, Local Wifi Backend, Local GSM Backend, etc. and otherwise disable it
• store enable/disable status so if somebody wants to enable these and does, they aren't bothered every time

[Lee-Carre]

I experience similar.

When I want to temporarily enable providers which I normally leave disabled, no results are returned for them.

It's as if my configuration changes aren't being applied.

Sometimes I've had success with stopping My Location entirely, and relaunching. As if configuration is only read at initialisation.

This discourages experimentation.

[gdt]

My report is from the very first time running MyLocation. So I don't think it's a cached info issue. Maybe the real bug is that providers that are not configured on in ugNLP settings respond to requests to locate.

Perhaps just document; I disabled the Mozilla NLP provider (app disable, not NLP configure off), and then MyLocation didn't show it.

I should say that it's a huge win for MyLocation to point out that this leak is even possible.

[y0va]

I have this strange behaviour:

When Mozilla Backend is disabled in unifiedNLP MyLocation shows location data from Mozilla Backend. But when I try to use it in another app, say OSMAnd, location is not shown.

When Mozilla Backend is enabled in unifiedNLP Mylocation shows "Failed" for Mozilla Backend. But OSMAnd shows location.

Thats weird.

[gdt]

@y0va I think your first case matches this issue, exactly. In both cases, OSMAnd not getting and getting location seems correct (and not about MyLocation but of course it's helpful debugging info).

Your second case is a separate problem, and I don't understand it. But I have observed "Failed".

[gdt]

See also https://gitlab.com/CalyxOS/calyxos/-/issues/903

[Lee-Carre]

A crude workaround might be to disable (background) network access. At least at the time of enabling UnifiedNLP querying in MyLocation.

[gdt]

I have disabled the unifiedNLP providers I don't want to use at the system app level. That works fine. After thinking, I am seeing this as an OS bug, not a MyLocation bug. If an app could query, it's good that MyLocation does, to tell us what's going on.

I'm going to leave this open until the app author comments, even though I more or less think this isn't a MyLocation bug.