1. Forum
  2. Newsgroups
  3. comp.mobile.android

  • Auto connect to hotspots? Seems iffy.

    From VanguardLH@V@nguard.LH to comp.mobile.android on Wed Jan 21 13:05:26 2026
    From Newsgroup: comp.mobile.android

    In a new phone (Android 16), there is a setting:

    Hotspot 2.0 (enabled)
    Automatically connect to Hotspot 2.0 Wi-Fi networks.

    I don't think I want this as I wouldn't know anything about the
    operators of the hotspots. I prefer to find what wi-fi networks are
    available when I visit someplace, and choose which one to use that I
    decide is probably trustworthy. Seems I should disable this setting.

    I do want automatic connect to my wifi cable modem, but not to other
    networks that may be available wherever I happen to be.
    --- Synchronet 3.21b-Linux NewsLink 1.2
  • From Theo@theom+news@chiark.greenend.org.uk to comp.mobile.android on Thu Jan 22 11:59:22 2026
    From Newsgroup: comp.mobile.android

    VanguardLH <V@nguard.lh> wrote:
    In a new phone (Android 16), there is a setting:

    Hotspot 2.0 (enabled)
    Automatically connect to Hotspot 2.0 Wi-Fi networks.

    I don't think I want this as I wouldn't know anything about the
    operators of the hotspots. I prefer to find what wi-fi networks are available when I visit someplace, and choose which one to use that I
    decide is probably trustworthy. Seems I should disable this setting.

    In theory, this is a more seamless and secure way to connect to access
    points than either having them open (and thus unencrypted) or having a publically-shared wifi password you might have to ask someone to obtain.

    I've used Eduroam which is a similar idea and I've had it 'just work' and
    give me connectivity while waiting for a tram in Zagreb, as it got a sniff
    of signal from an Eduroam access point across the street.

    If you're using TLS for everything there's a limit to what they can do. If you're using DoH (Android's 'private DNS' setting) then they can't see or
    forge your DNS which takes out one way to profile you. They can see the IPs you connect to but there's not a lot they can get from that. If you are worried about profiling, connect using a VPN.

    I do want automatic connect to my wifi cable modem, but not to other
    networks that may be available wherever I happen to be.

    I don't think this is as big a risk as you make it out to be.
    I think more of a risk is auto-connecting to networks that are broken, and
    stop your phone falling back to cellular.

    Theo
    --- Synchronet 3.21b-Linux NewsLink 1.2
  • From VanguardLH@V@nguard.LH to comp.mobile.android on Thu Jan 22 13:05:52 2026
    From Newsgroup: comp.mobile.android

    Theo <theom+news@chiark.greenend.org.uk> wrote:

    VanguardLH <V@nguard.lh> wrote:

    In a new phone (Android 16), there is a setting:

    Hotspot 2.0 (enabled)
    Automatically connect to Hotspot 2.0 Wi-Fi networks.

    I don't think I want this as I wouldn't know anything about the
    operators of the hotspots. I prefer to find what wi-fi networks are
    available when I visit someplace, and choose which one to use that I
    decide is probably trustworthy. Seems I should disable this setting.

    In theory, this is a more seamless and secure way to connect to access
    points than either having them open (and thus unencrypted) or having
    a publically-shared wifi password you might have to ask someone to
    obtain.

    I've used Eduroam which is a similar idea and I've had it 'just work'
    and give me connectivity while waiting for a tram in Zagreb, as it
    got a sniff of signal from an Eduroam access point across the street.

    If you're using TLS for everything there's a limit to what they can
    do. If you're using DoH (Android's 'private DNS' setting) then they
    can't see or forge your DNS which takes out one way to profile you.
    They can see the IPs you connect to but there's not a lot they can
    get from that. If you are worried about profiling, connect using a
    VPN.

    I did enable Android's private DNS. However, the automatic setting
    means to use DoH via port 443/HTTPS if the nameserver supports it; else, fallback to port 53/DNS for lookups in the clear. So, you can't be sure
    how you're connecting to the DNS server unless you first test, like
    visit 1.1.1.1/help, but who want to keep testing before surfing.
    Instead, for Android's private DNS setting, I specified a secure server (one.one.one.one) to make sure I'm actually using DoH/DoT.

    I do want automatic connect to my wifi cable modem, but not to other
    networks that may be available wherever I happen to be.

    I don't think this is as big a risk as you make it out to be. I think
    more of a risk is auto-connecting to networks that are broken, and
    stop your phone falling back to cellular.

    I'll have to read up on Hotspot 2.0. As for wifi hotspots, I do not automatically connect to any of them except for the SSID for my home
    cable modem, and that's locked with a long strong password.

    Does Hotspot 2.0 somehow prevent wifi spoofing where some joker uses a
    SSID that matches a trusted one, like he sits at a Startbucks
    broadcasting their public (open) SSID, so you don't end up connecting to
    a hacker's wifi hotspot?
    --- Synchronet 3.21b-Linux NewsLink 1.2
  • From Andy Burns@usenet@andyburns.uk to comp.mobile.android on Thu Jan 22 19:29:10 2026
    From Newsgroup: comp.mobile.android

    Theo wrote:

    I've used Eduroam which is a similar idea and I've had it 'just work'
    and give me connectivity while waiting for a tram in Zagreb, as it
    got a sniff of signal from an Eduroam access point across the street.

    I avoid all wifi, except SSIDs which I know and trust.

    I believe eduroam is like govwifi, you have some personal credentials
    that are stored centrally (ldap?) and can be queried via known radius
    servers with known shared secrets, to allow or block access to wifi,
    without the specific wifi point you're using knowing you from adam?


    --- Synchronet 3.21b-Linux NewsLink 1.2
  • From VanguardLH@V@nguard.LH to comp.mobile.android on Thu Jan 22 14:14:22 2026
    From Newsgroup: comp.mobile.android

    VanguardLH <V@nguard.LH> wrote:

    Theo <theom+news@chiark.greenend.org.uk> wrote:

    VanguardLH <V@nguard.lh> wrote:

    In a new phone (Android 16), there is a setting:

    Hotspot 2.0 (enabled)
    Automatically connect to Hotspot 2.0 Wi-Fi networks.

    I don't think I want this as I wouldn't know anything about the
    operators of the hotspots. I prefer to find what wi-fi networks are
    available when I visit someplace, and choose which one to use that I
    decide is probably trustworthy. Seems I should disable this setting.

    In theory, this is a more seamless and secure way to connect to access
    points than either having them open (and thus unencrypted) or having
    a publically-shared wifi password you might have to ask someone to
    obtain.

    I've used Eduroam which is a similar idea and I've had it 'just work'
    and give me connectivity while waiting for a tram in Zagreb, as it
    got a sniff of signal from an Eduroam access point across the street.

    If you're using TLS for everything there's a limit to what they can
    do. If you're using DoH (Android's 'private DNS' setting) then they
    can't see or forge your DNS which takes out one way to profile you.
    They can see the IPs you connect to but there's not a lot they can
    get from that. If you are worried about profiling, connect using a
    VPN.

    I did enable Android's private DNS. However, the automatic setting
    means to use DoH via port 443/HTTPS if the nameserver supports it; else, fallback to port 53/DNS for lookups in the clear. So, you can't be sure
    how you're connecting to the DNS server unless you first test, like
    visit 1.1.1.1/help, but who want to keep testing before surfing.
    Instead, for Android's private DNS setting, I specified a secure server (one.one.one.one) to make sure I'm actually using DoH/DoT.

    I do want automatic connect to my wifi cable modem, but not to other
    networks that may be available wherever I happen to be.

    I don't think this is as big a risk as you make it out to be. I think
    more of a risk is auto-connecting to networks that are broken, and
    stop your phone falling back to cellular.

    I'll have to read up on Hotspot 2.0. As for wifi hotspots, I do not automatically connect to any of them except for the SSID for my home
    cable modem, and that's locked with a long strong password.

    Does Hotspot 2.0 somehow prevent wifi spoofing where some joker uses a
    SSID that matches a trusted one, like he sits at a Startbucks
    broadcasting their public (open) SSID, so you don't end up connecting to
    a hacker's wifi hotspot?

    Okay, did a little more research, but not sure I want to waste more time
    with in-depth research. I'd rather have the Hotspot 2.0 feature find
    those supposedly secure wifi hotspots, but prompt me about finding them
    to let me choose instead of auto-connect to them.

    https://www.purple.ai/blogs/hotspot-2-0

    I see mention of end-to-end encryption, but in-transit encryption is not
    the same as in-situ encryption. You might use HTTPS to connect to a
    site, but not always as some sites still don't get the certs for HTTPS,
    and don't consider the need to prove they are the intended site a user
    wants to visit, but it's possible some sensitive info could be exposed
    in the network traffic after connecting to a spoofed wifi hotspot.

    Other than encrypting the in-transit traffic between endpoint to a
    Hotspot 2.0 hotspot, how does a Hotspot 2.0 guarantee you connect to a
    legit wifi hotspot?

    The above article mentions authentication, but not what it is. Not sure authentication is even mandatory for Hotspot 2.0, or if it means the
    client authenticating to the hotspot, or the server authenticating its
    identity to the client.

    https://www.wwt.com/blog/demystifying-hotspot-20-passpoint-and-openroaming-the-pros-and-cons
    "This can be achieved using several highly secure enterprise-grade authentication methods, with a focus on certificate-based authentication
    on both the server and client sides."

    A Hotspot 2.0 wifi hotspot cannot be setup and active without the use of certificates?

    https://source.android.com/docs/core/connect/wifi-passpoint

    The presumption is the phone trying to use Hotspot 2.0 will fail,
    reject, or ignore a connection to a Hotspot 2.0 wifi hotspot that is
    missing a certificate, or is invalid, or has expired.

    I've also read that part of the authentication process uses the SIM card
    in the phone. That's akin to using the SIM card to authenticate you to
    a cell tower that carries your cellular provider. That's on the client
    end. Seems the auth at the wifi hotspot is a certificate. The use of
    the SIM card hints that Hotspot 2.0 wifi hotspots are negotiated with
    the mobile carriers with hotspot providers to allow roaming wifi
    hotspots. There could be a cost with the mobile provider for roaming
    access.

    https://www.howtogeek.com/284292/what-are-hotspot-2.0-networks/
    Network Providers Can Band Together

    Considering all the setup, expenses, and expertise involved in
    establishing Hotspot 2.0 wifi hotspots, just how pervasive are these
    types of wifi hotspots? For example, I'm a Comcast customer, and they
    have all those "xfinitywifi" wifi hotspots. Do they use Hotspot 2.0 to
    allow auto-connect to them? Long ago, I used their app to define a
    secure profile that allowed me to use their secured hotspots. The app
    defined a secure profile that was used with their authentication server
    to grant me access to their hotspot. That was the means to authenticate
    you to them, and they to you. But you needed their app, not a phone
    supporting some protocol (Hotspot 2.0) for free-range wifi hotspots.

    I can find websites with maps of wifi hotspots, but they don't identify
    which are Hotspot 2.0 types. When planning a trip, how do you know
    where the Hotspot 2.0 wifi hotspots will be? Just accidentally when
    you're within reach of one?

    Doesn't seem to be the simplified choice you purport it to be.
    --- Synchronet 3.21b-Linux NewsLink 1.2
  • From Theo@theom+news@chiark.greenend.org.uk to comp.mobile.android on Sun Jan 25 14:01:11 2026
    From Newsgroup: comp.mobile.android

    Andy Burns <usenet@andyburns.uk> wrote:
    Theo wrote:

    I've used Eduroam which is a similar idea and I've had it 'just work'
    and give me connectivity while waiting for a tram in Zagreb, as it
    got a sniff of signal from an Eduroam access point across the street.

    I avoid all wifi, except SSIDs which I know and trust.

    I believe eduroam is like govwifi, you have some personal credentials
    that are stored centrally (ldap?) and can be queried via known radius servers with known shared secrets, to allow or block access to wifi,
    without the specific wifi point you're using knowing you from adam?

    Yes, I believe govwifi is a clone of Eduroam, I think everything works the
    same except a different database of radius servers.

    Theo
    --- Synchronet 3.21b-Linux NewsLink 1.2