Sandboxing as added web browser security?

anarchosax

As a new user of GrapheneOS, I have started setting up multiple user accounts for app groups such as banking apps, as well as for news and social media apps, as a jumping off point. However, I have been speculating about the advantage of setting up a dedicated user account for web browsing to sandbox away from contacts and messages, as well as providing an extra layer of protection from potential malware and/or to quickly delete the user profile to prevent access to my browsing history. Firefox Focus or DuckDuckGo have quick access to deleting browser history as a first step in such a special user group.

Will this help or am I just kidding myself?

TheGodfather

anarchosax I have been speculating about the advantage of setting up a dedicated user account for web browsing to sandbox away from contacts and messages,

Your browser doesn't have access to them anyway, no matter in which user profile

anarchosax as well as providing an extra layer of protection from potential malware

Don't think it will bring extra protection. All user installed apps are sandboxed on Android. While user profiles are a valid way to restrict IPC in general, I don't see a benefit in case of browsers. Chromium-based browsers have even stronger sandboxing. Their renderer processes runs confined in the isolatedProcess domain without any permissions, reduced kernel attack surface with a fine-grained seccomp-filter and access to only two binder services. You can read more about Android's security model in this excellent paper: https://www.mayrhofer.eu.org/publication/acm-tops-2021-android-platform-security-model/

anarchosax or to quickly delete the user profile to prevent access to my browsing history

That's a valid use case to be certain that it is unrecoverable. It's a drastic way, but for some threat models it can make sense.

anarchosax Firefox Focus or DuckDuckGo have quick access to deleting browser history as a first step in such a special user group

Since you care about sandboxing and malware, these are not good choices. DuckDuckGo is a WebView-based browser which does not provide site isolation and has a few other downsides. Firefox browsers lack proper sandboxing on Android. Stick to Chromium browsers which keep up with upstream updates, for example Vanadium and Brave are good. Recommend reading https://grapheneos.org/usage#web-browsing

Hmm

Afaik user profiles do not provide extra sandboxing beyond the regular Android sandbox, they are less like putting a box inside of another box and more like making sure some specific holes in your box are sealed, extra profiles don't put extra walls in front of malware but if you trust the sandbox and just want to make sure you don't accidentally give an untrusted app or site access to your contacts or photos that could be useful.

Also, nuking a profile just to delete your browsing history seems a bit... well, excessive xD, arent incognito mode (which you can lock behind your password) or DuckDuckGo's history deleting feature enough?

anarchosax

Hmm Thanks for the reply. Taking your analogy to heart, then perhaps the question should be - is it possible to sandbox web browsers in the way that I describe?

Regarding your comment about nuking a profile - I guess that it would depend on your personal threat assessment. I have however noted that CalyxOS apparently (according to an interview with the founder on YouTube) has a similar feature for journalists under threat, for users wanting to avoid invasive border officials copying of social media posts and contacts, etc.

mmmm

Hmm I’m not sure if profiles are as superfluous as you seem to make out here. I was under the impression that a user profile offered more protection than a regular app sandbox under certain situations and if you needed it. They’re more akin to a whole new phone for your phone. The biggest added benefits are the ability to just delete them in one go (if that’s what you want) and to completely eliminate inter app communication between apps in other profiles. They’re both pretty big things over what an app sandbox is capable of should your threat model need it.

Relaks

Vanadium by default does not have access to your contacts or phone history, and therefore cannot hand it over to any website. I have also never heard of Vanadium being able to do this even if you hand it the contacts and phone permission.

Separate user profiles do not protect you against malware.

Unclear from what or whom you want to protect your browsing history against. Other apps do not have access to your browsing history in Vanadium. It makes sense to use a "disposable" profile in case you are worried that someone will steal or force you to give up the unlock code for that profile.

anarchosax

TheGodfather Don't think it will bring extra protection.

So what do people do to protect themselves from malware on Android in general and GOS in particular?

I first started becoming aware of these issues, as my iPad Air no longer gets system updates and I would like to move to Android. The GrapheneOS developers made an excellent decision creating a safe place for the community to ask questions and educate themselves on the workings of GOS. While I was doing my due diligence regarding Android devices and the OS in general, I came across information that I am unfamiliar with and have no idea if the sites and/or information are bogus. To be honest, it was a bit of a disconcerting experience, that had me questioning my current strategy of migrating to an Android device.

TheGodfather

anarchosax So what do people do to protect themselves from malware on Android in general and GOS in particular?

Nothing particularly special. Don't fall for phishing apps and don't give apps unnecessary permissions, especially not dangerous ones like accessibility service and select apps which need permissions or render web content wisely.These are basically the main steps the average user on Android should do. The security posture of Android is already quite good and much better than desktop OS's like Linux distros, Windows or MacOS. So the main problems arise from the above mentioned problems which could be considered user errors, are prevalent on any OS and are difficult to protect against aside from user education.

Malware with sandbox escapes are not widespread and usually only used in sophisticated attacks, for example through state level actors.

If you use GrapheneOS, you did everything you can to have the best OS security posture out there, so you already did a big step in the right direction. GrapheneOS significantly improves the already solid AOSP baseline.

TheGodfather

anarchosax To be honest, it was a bit of a disconcerting experience, that had me questioning my current strategy of migrating to an Android device.

The Apple ecosystem is quite good in terms of security, especially if you use lockdown mode (and keep everything up-to-date, of course). For most people this is better than using Windows on desktop + random Android device. Using GrapheneOS is better than an iPhone in terms of security and privacy, but iPhone is not a bad choice either.

anarchosax I came across information that I am unfamiliar with and have no idea if the sites and/or information are bogus

Unfortunately there is a lot of misinformation about privacy and security out there. GrapheneOS devs (especially Daniel Micay) are one of the best sources of information.

anarchosax

Well, my goal is to get a Pixel Tablet running with GOS, however I don't have the money for it at this time. I guess that I will just have to muddle through for now with a cheap Samsung Galaxy Tab A7 that I picked up on eBay. Unfortunately, it appears that it is possibly also an end of life device as the newest OS software is Android 12.

I have installed Shelter and the Chromite browser and am only using the browser in the "work" profile and only loading incognito tabs, which is something. I guess I will have to drool over my Pixel 6a, if I want to get the whole, immersive GrapheneOS experience for now...