Carrier Wi-Fi

Carrier Wi-Fi is an auto-connection feature (using encrypted IMSI) available in Android 9 and higher that allows devices to automatically connect to carrier-implemented Wi-Fi networks. In areas of high congestion or with minimal cell coverage such as a stadium or an underground train station, carrier Wi-Fi can be used to improve users' connectivity experience and to offload traffic.

Devices with the carrier Wi-Fi feature automatically connect to configured carrier Wi-Fi networks (networks with a public key certificate). When a user manually disconnects from a carrier Wi-Fi network, the network is blacklisted for 24 hours (no auto-connection). Users can manually connect to blacklisted networks at any time.

On devices running Android 9 or higher with carrier Wi-Fi implemented, automatic connection through carrier Wi-Fi is off by default. A notification is sent to the user when the device attempts to connect to a carrier Wi-Fi network for the first time.


Device manufacturers and carriers must do the following to implement carrier Wi-Fi.


In the carrier config manager, configure the following parameters for each carrier:

  • carrier_wifi_string_array: A string array where each string entry is a Base64-encoded Wi-Fi SSID and an EAP type separated by a comma, where the EAP type is an integer (refer to Extensible Authentication Protocol (EAP) Registry). For example, the following configuration is for SOME_SSID_NAME using EAP-AKA and Some_Other_SSID using EAP-SIM:

    config {
      key: "carrier_wifi_string_array"
      text_array {
        item: "U09NRV9TU0lEX05BTUUK,23"
        item: "U29tZV9PdGhlcl9TU0lECg==,18"
  • imsi_key_availability_int: Identifies whether the key used for IMSI encryption is available for WLAN (bit 1 is set), EPDG (bit 0 is set), or both (both bit 0 and bit 1 are set). For example, the following configuration indicates that IMSI encryption is available for WLAN but not for EPDG:

    config {
      key: "imsi_key_availability_int"
      int_value: 2
  • imsi_key_download_url_string: URL from which the proto containing the public key of the carrier used for IMSI encryption is downloaded. For example, the following configuration provides a specific URL:

    config {
      key: "imsi_key_download_url_string"
      text_value: ""
  • allow_metered_network_for_cert_download_bool: A flag indicating whether to allow the downloading of the public key of the carrier over a metered (cellular) network. If this flag isn't set, a new device with no Wi-Fi connectivity won't be able to connect to the Carrier Wi-Fi network because it won't be allowed to download the key.

    config {
      key: "allow_metered_network_for_cert_download_bool"
      bool_value: true


To implement carrier Wi-Fi, the carrier must support encrypted IMSI and provide a public key.

Support for IMSI privacy protection

Implement support for IMSI privacy protection as specified in section 4.1: Encrypting the Identity of the Privacy Protection for EAP-AKA 3GPP specification draft (S3-170116). For more information, download Privacy Protection for EAP-AKA.

Providing the public key

Provide a public URL to a server, preferably using HTTP over TLS, that hosts the certificate of the carrier where:

  1. The public key (and expiration) can be extracted from the certificate.
  2. The information from the server is in JSON format as specified in Server Response in section 4.3: Mechanism to Configure the Public Key of the Privacy Protection or EAP-AKA 3GPP specification draft (S3-170116).

    Additionally, the server response may include the following JSON string property: "key-type" : "type". The value for type must be either WLAN or EPDG. If the key-type property isn't included, then its value defaults to WLAN.

    "carrier-keys" : [ {
      "key-identifier" : "CertificateSerialNumber=5xxe06d4",
    } ]