2G connections are the most severe threat to a user's security and privacy when using a mobile network. While legitimate 2G cellular networks are being phased out across the world, devices are still susceptible to attacks from false base stations (FBS). An adversary with an FBS can trick a device into connecting to it instead of a legitimate cellular network. This is most often accomplished by downgrading a device's connection to 2G, and it allows the operator of the FBS to intercept or inject traffic to a device.
Android allows users to disable 2G at the radio hardware level on any device that implements the capability constant, "CAPABILITY_USES_ALLOWED_NETWORK_TYPES_BITMASK". This stops a device from scanning for or connecting to 2G networks.
Starting in Android 14, you must have MODIFY_PRIVILEGED_PHONE_STATE to disable 2G with reason ALLOWED_NETWORK_TYPES_REASON_ENABLE_2G. Carrier privileges don't suffice.
    TelephonyManager tm = getSystemService(TelephonyManager.class);
    // Only radios that report this capability honor the allowed-network-types bitmask.
    if (tm != null && tm.isRadioInterfaceCapabilitySupported("CAPABILITY_USES_ALLOWED_NETWORK_TYPES_BITMASK")) {
        // Low 16 network-type bits with every 2G-class bit cleared.
        long disable2gBitMask = 0xFFFF & ~TelephonyManager.NETWORK_CLASS_BITMASK_2G;
        tm.setAllowedNetworkTypesForReason(TelephonyManager.ALLOWED_NETWORK_TYPES_REASON_ENABLE_2G, disable2gBitMask);
    }
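The snippet above does not show the Android 14 permission requirement or a check that the setting took effect. The following helper is an added example, not AOSP code: it checks the permission first, applies the same mask, and reads the value back. The class name `Disable2gHelper` and its `Result` enum are hypothetical, and it assumes a privileged system app built against the platform SDK that also holds the permission needed to call `getAllowedNetworkTypesForReason`.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.telephony.TelephonyManager;

/** Added example (hypothetical helper): disable 2G and confirm what telephony recorded. */
public final class Disable2gHelper {
    // Permission this page names as required starting in Android 14.
    private static final String MODIFY_PRIVILEGED =
            "android.permission.MODIFY_PRIVILEGED_PHONE_STATE";
    private static final String CAPABILITY =
            "CAPABILITY_USES_ALLOWED_NETWORK_TYPES_BITMASK";

    public enum Result { DISABLED, UNSUPPORTED, MISSING_PERMISSION, NOT_APPLIED }

    private Disable2gHelper() {}

    public static Result disable2g(Context context) {
        TelephonyManager tm = context.getSystemService(TelephonyManager.class);
        if (tm == null || !tm.isRadioInterfaceCapabilitySupported(CAPABILITY)) {
            return Result.UNSUPPORTED; // the radio cannot enforce the bitmask
        }
        // Carrier privileges are not enough, so fail early with a clear result.
        if (context.checkSelfPermission(MODIFY_PRIVILEGED)
                != PackageManager.PERMISSION_GRANTED) {
            return Result.MISSING_PERMISSION;
        }
        int reason = TelephonyManager.ALLOWED_NETWORK_TYPES_REASON_ENABLE_2G;
        long twoG = TelephonyManager.NETWORK_CLASS_BITMASK_2G;
        long disable2gBitMask = 0xFFFF & ~twoG; // same mask as the snippet above
        try {
            tm.setAllowedNetworkTypesForReason(reason, disable2gBitMask);
            // Read back the mask recorded for this reason; any 2G bit that
            // is still set means the request was not applied.
            long applied = tm.getAllowedNetworkTypesForReason(reason);
            return (applied & twoG) == 0 ? Result.DISABLED : Result.NOT_APPLIED;
        } catch (SecurityException e) {
            return Result.MISSING_PERMISSION; // the platform rejected the caller
        }
    }
}
```

A caller should treat anything other than `DISABLED` as "2G may still be reachable" and surface that to the user rather than assume the device is protected.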
FAQs
Are users still vulnerable if their carriers no longer support 2G?
Disabling 2G is an important security measure even if the user's carrier no longer maintains 2G infrastructure. The user's device still supports scanning and connecting to 2G base stations, so they are still vulnerable to a 2G downgrade attack if they do not disable 2G on their device.
How does disabling 2G impact roaming?
When 2G is disabled for security purposes, it will not be re-enabled, even if the device is roaming. Certain areas in the world depend on 2G coverage and some roaming agreements assume devices will be able to connect to 2G. In these situations, the user will not have connectivity unless they re-enable 2G. It's not possible to reliably detect 2G roaming because of the lack of mutual authentication in 2G. Leaving 2G off despite roaming signals prevents an FBS from spoofing its network identifiers to convince a device to re-enable 2G.