
Only Wi-Fi, no SSL.

Some info only goes cellular, the only way to capture that is using a hotspot which simulates the normal network.

The real sneaky spyware I found only goes over cellular and hides itself by using double encrypted SSL traffic to AWS endpoints.

I wonder how practical it would be to add something like a limeSDR/USRP/HackRF to a tinycheck to be able to at least detect this. I doubt it would be affordable for most individuals but I could see cost justification for orgs.


If you don’t want to change SIM cards, you could go to 2G and easily create a fake base station and disable 3G/4G on the phone. For 4G, it's a bit more tricky as you need to do a relay attack (https://alter-attack.net/) and even then only do some DNS redirection if you know what host is being looked up, or some fingerprinting based on the size of the traffic.

Of course, you can also just check if the phone sends something by looking at the RF energy or even build an uplink decoder, but I doubt that this is very useful information by itself for this use case.

Finally, what I propose instead is to use a private LTE network, which you can create using an SDR and srsLTE and some programmable SIM cards, which you need to insert into the phone. This way, it's easily possible to view any traffic leaving the phone on any connection. Plus, srsLTE has been shown to work on Raspberry Pi as well (I think).


What if we disable mobile data and keep WiFi on... Would that sneaky traffic not go?


This one will buffer (to a certain extent) and only flush when cellular is on and cellular traffic is already occurring. When cellular is on but cellular data is disabled there is still cellular data traffic at OS level; I expect more advanced spyware will travel with that data-stream. Also, that indicator and switch are just software; if you have full control over the OS, you can change that.


When cellular data is disabled (assuming it really is, not just faked to the user), then the corresponding radio bearers for user plane data have not been established, thus no data-stream can travel with it. You can only communicate with the eNB and MME in this stage, and even this isn’t exposed directly to the OS but embedded in the chipset.


My assumption has always been that a clean phone in airplane mode but with WiFi enabled would not use the cellular radios at all. In that mode would a cell tower still be in communication with the phone at some level?


Not directly, as the flight mode really prevents any radio communication (it takes a bit to shut down as it sends a NAS Detach Request first and waits for a reply for a few seconds).

However, there is also WiFi Calling - in that sense, your phone establishes some connection with the cell network. However, I don't think any user data may travel on this bearer, but there might be some edge case where this is possible.


That is super-sneaky


"double encrypted SSL"

Not sure if serious ...


Certain BYOD email suites use https encapsulation of another protocol (also using TLS) to ensure that the data can go through firewalls that do MITM attacks on clients for security reasons. Bluecoat do this for example.

I believe they also certificate pin the tunneled protocol.


I think they mean that AWS acts as a proxy and only terminates the outer layer.

Wouldn't it be pretty easy to fingerprint a TLS session that always starts with another TLS handshake?


Well, not easily, because once the outer TLS has been set up, you can't see the contents of the second TLS handshake. You could maybe deduce it via packet sizes and timings, but certainly not pretty easily.
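As an added example (not from any commenter in this thread): from a vantage point where the outer TLS is already terminated, such as the inspecting firewall mentioned earlier in the thread, nested TLS is easy to spot, because the first decrypted bytes are themselves a TLS ClientHello record. The parser below checks for that and pulls out the inner SNI; the sample ClientHello and its host name are constructed here for the demonstration.

```python
import struct

def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying an SNI extension (sample input only)."""
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name           # name_type=host_name, length, name
    sni_ext = struct.pack("!HH", 0, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    body = (b"\x03\x03" + b"\x11" * 32        # client_version, random (fixed bytes for the example)
            + b"\x00"                          # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
            + b"\x01\x00"                      # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record: handshake(22)

def nested_tls_sni(inner: bytes):
    """Given the decrypted payload of an outer TLS session, return the inner SNI if that
    payload starts with a TLS ClientHello ("" if the ClientHello has no SNI), else None."""
    try:
        if len(inner) < 9 or inner[0] != 0x16 or inner[1] != 0x03 or inner[5] != 0x01:
            return None                      # not a handshake record / not a ClientHello
        rec_len = struct.unpack("!H", inner[3:5])[0]
        hs = inner[5:5 + rec_len]
        if int.from_bytes(hs[1:4], "big") + 4 > len(hs):
            return None                      # truncated handshake message
        p = 4 + 2 + 32                       # skip handshake header, version, random
        p += 1 + hs[p]                       # session id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher suites
        p += 1 + hs[p]                       # compression methods
        if p + 2 > len(hs):
            return ""                        # ClientHello without extensions
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0 and elen >= 5:     # server_name: list len(2), type(1), name len(2), name
                nlen = struct.unpack("!H", hs[p + 3:p + 5])[0]
                return hs[p + 5:p + 5 + nlen].decode("ascii", "replace")
            p += elen
        return ""
    except (IndexError, struct.error):
        return None

if __name__ == "__main__":
    print(nested_tls_sni(build_client_hello("inner.example.test")))   # constructed host name
    print(nested_tls_sni(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"))
```

A record that parses as a ClientHello inside an already-decrypted stream is a strong signal for an inner tunnel; the HTTP sample returns None because plain request bytes never start with a handshake record header.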
