Our Thoughts on Google's Project Fi WiFi Assistant
You may have seen Google’s recent press release announcing that all Nexus users in the US, UK, Canada, Mexico and Nordic countries will receive an OTA update in the coming weeks with the payload of Project Fi's Wireless Assistant. This was previously exclusive to Google Project Fi subscribers in the US.
The Google announcement says of the service: “Keep your connection speed high and your data bill low with WiFi Assistant, a feature that allows you to automatically and securely connect to more than a million, free open Wi-Fi hotspots. Originally a Project Fi exclusive feature, we are now expanding WiFi Assistant to all Nexus users in the United States, Canada, Mexico, UK and Nordic countries. This will roll out to users over the next few weeks.
I was lucky enough to be asked to participate in an early trial and wanted to share my thoughts about the service, how it works and what you need to consider to use it.
How does WiFi Assistant Connect to Open Access Points?
Google’s own statement around this is a little vague, but the process I used in the build to connect to an 'Open' SSID went like this:
When in range of a strong signal, open SSID and not already connected to a Wi-Fi network, WiFi Assistant attempts to connect to the SSID.
It will attempt to receive an IP address. If it does not receive one it will discard that SSID for a period of time.
Once the device has an IP it will attempt to open a background connection to what Google calls its 'Canary URL.'
Google says:
“When WiFi Assistant connects to a network, the client synchronously issues an ‘in-the-clear’ HTTP request to the canary URL prior to establishing a VPN connection.”
There are two possible outcomes of the canary URL request:
If the response status code is 200 and the response body is “OK,” WiFi Assistant establishes a VPN connection and enables network use.
If the response status code is anything other than 200 (or the response body is anything other than ‘OK’), WiFi Assistant disconnects from the network.
Did that just say VPN?
That’s right. Google WiFi Assistant connects to hotspots when they are faster than the current cellular connection, but routes traffic through Google’s own virtual private network (VPN) as a security measure. This means no eavesdropping from the Wi-Fi access point owner, or from other users connected to the same hotspot.
One thing to note however. At no point did my phone appear to check with Google to see if the AP is on an approved list. Google appears to assume that if the AP is open and not secured, then it's publicly accessible.
How do I remove myself from Google's Access Point List?
There are four ways to keep random WiFi Assistant users from using your AP:
Secure your AP or network: You should be doing this anyway. Have you heard of WPA2?
Install a captive portal: You should really be doing this anyway for your organisational security, even a simple register your email click to accept terms and conditions of use, will mean you at least get some RADIUS tracking and a captive portal network will not allow access to the canary URL.
Block the WiFi Assistant canary URL: If WiFi Assistant can't connect to the canary URL, then it will automatically disconnect from the open AP. Currently, the URL to block is http://check.g-tun.com/connect
Change the name of your AP to exclude it from indexing: This is a bit excessive, but by appending your SSID with _nomap, Google will not index your AP location information for use with Google Maps, and will also not automatically connect to your access point with WiFi Assistant.
Some issues noted while using Wi-Fi Assistant
When connected successfully via Wi-Fi Assistant and with the VPN is active, you’ll see a small key icon in the top menu bar indicating that your connection is secure to Google’s own VPN infrastructure. Some apps and websites may not like this and will not allow the connection. They see this as trying to get over territorial boundaries.
An example of this is Netflix, because it’s region-locked (Netflix has only negotiated the rights for some digital content in certain regions). Netflix (or actually the digital copyright owners of the content) do not like the use of VPNs for this reason and will not let you play content via the Google VPN.
Isn’t this what Apple did last year?
Last year, Apple introduced a 'Wi-Fi' assist function in its iOS 9 update. But there are some differences:
Apple's Wi-Fi Assist will activate and automatically switch to data when a Wi-Fi connection is not working.
In contrast with this, Google's WiFi Assistant automatically connects to free Wi-Fi when a safe connection is possible by its own virtual private network (VPN).
What does this mean for carriers?
In trials, Project Fi users reported a significant drop in pay-as-you-go data costs, so carriers may see some users with Nexus phones data chargers drop. Great for the consumer but not so good for the carrier who may have subsidised the phone on contract or is assuming a certain billable data usage.
What does this mean for GlobalReach users?
Absolutely nothing, none of our captive portal or enterprise networks will be directly affected. It may cause the odd network using GlobalReach to see a number of sessions drop if there is a totally open network operating in the vicinity of its own network, but this should be very marginal because:
There are not really than many open networks in most mature markets
The Nexus phone ownership is not on a similar scale to Apple, Samsung.
As always, I’d be happy to talk more about what carriers need to consider when it comes to Wi-Fi authentication. Get in touch here.







