System Apps & Pixel Firmware Network Connections

Firesign

Firstly, I have read https://grapheneos.org/faq#default-connections which deals primarily with device connections to Graphene servers.

A number of pixel system apps require full Permissions: 'Device requires this permission to operate' and cannot be modified.

I assume that the Pixel firmware requires the same Permissions, unless informed otherwise. I assume also that the GOS does not prevent these network connections from certain system apps, e,g, Bluetooth, System UI & Shell and the device firmware from sharing data from the Pixel with Google and, or the hardware manufacturer.

I use Next DNS to filter network connections on DoT and DoH.

What method does the above software use to phone home, i.e can it be blocked at DNS server level, or does this software use a different route that the user cannot have any control over?

Thank you for your time in responding.

de0u

Firesign I assume that the Pixel firmware requires the same Permissions, unless informed otherwise.

That's not how it works. Firmware running on its own processors has no knowledge of Android permissions. On the other hand, IOMMU isolation greatly constrains what that code can do.

Firesign I assume also that the GOS does not prevent these network connections from certain system apps, e,g, Bluetooth, System UI & Shell and the device firmware from sharing data from the Pixel with Google and, or the hardware manufacturer.

It would be more accurate overall to assume the opposite.

I expect others will chime in, but meanwhile it might make sense to read the whole web site, maybe twice.

Firesign

Thank you for your response. You clearly know a great deal more about this subject than I do, so please answer these questions:

Does GOS prevent System apps with full default Permissions from sending Pixel phone data to Google, and if not, how is this information sent?

Does GOS prevent the Pixel phone firmware from sending phone data back to the manufacturer of the hardware, and if not, what information is sent and how is this achieved?

If you don't know the answers to these straight forward questions, then please let someone else chime in.

Thank you

de0u

Firesign Does GOS prevent System apps with full default Permissions from sending Pixel phone data to Google, and if not, how is this information sent?

But there is a third option! Everybody has access to the complete source code for all of the system applications. If those applications do not contain code to exfiltrate user data then them having arbitrary privileges won't cause user data to be exfiltrated. If somebody does find data-exfiltration code, submit an issue...

There is a world of difference between audited code having privileges and code of unknown provenance (e.g., random apps from the Internet) having that kind of access. In practice some code needs some privileges, and GrapheneOS is among the leaders in terms of making the code available and auditing it and adding information control tools for users (storage scopes, restricting privileges for Google services) and giving clear directions for users to do their own builds.

If a better deal is available, taking that deal might make sense. If improving GrapheneOS security is of interest, there are open issues on the issue tracker.

Starting by assuming that GrapheneOS system apps must be coded to exfiltrate user data unless they are actively restrained seems like it might be unfounded.

Carlos-Anso

Firesign Does GOS prevent System apps with full default Permissions from sending Pixel phone data to Google, and if not, how is this information sent?

All connections that are made by system apps are detailed in the link you shared. Theres very limited data sent to Google. By default these connections to Google are made through GrapheneOS proxies which helps guard user privacy.

Firesign Does GOS prevent the Pixel phone firmware from sending phone data back to the manufacturer of the hardware

Various hardware components (display, finger print reader, hardware security module, baseband) have their own manufacturer, built in processors and firmware running on these processors. Firmware updates are included in GeapheneOS system updates. Updates are signed and there is anti-rollback protection to guard against malicious installation of vulnerable old firmware.

Most of the components are isolated and have no way to connect to their manufacturer. By default none of them directly connect. Again see the link you posted.

Firesign

de0u

The majority of people that use a Pixel with GOS are 'normies' like me; non-tech people who are unable to read and understand code and other technical jargon. However, that does not stop people like me from asking straight forward questions and receiving straight forward answers.
You are unable to give a straight forward answer to my questions because you do not know and you are assumng that you do know. Please let others with greater knowledge answer my questions please.

Firesign

Carlos-Anso

Thank you for your response. You state:

'There is very limited data sent to google'.

In Settings > App Permissions > Shell, the following are listed as 'device requires this permission to operate':

Allowed:

Body Sensors
Calendar
Call Logs
Camera
Contacts
Location (allowed all the time)
Microphone
Nearby devices
Network
Notifications
Phone
Photos and Videos
Physical Activity
Sensors SMS

'There is very limited data sent to google'. Define 'Limited' because looking at the above list, together with the Network connection, your 'limited' is actually all data from my Pixel phone is sent to Google.

None of these Permissions can be revoked, it is not an option.

Firmware:

It is my understanding that Pixel Firmware is closed source proprietary software and therefore (assumption) no one actually knows what is contained therein and what information can be sent back to the hardware manufacturer, e.g telemetry and possibly other user data.

You state:
'Most of the components are isolated and have no way to connect to their manufacturer'. Then one can assume some components are not isolated and can communicate with the hardware manufacturer.

Carlos-Anso

We strongly advise against changing permissions for system apps. Its very easy to end up with a phone broken in unexpected ways. If you do not trust the operating system, which includes system apps, it is probably best to not use it at all.

de0u

Carlos-Anso We strongly advise against changing permissions for system apps. Its very easy to end up with a phone broken in unexpected ways.

This happens with some frequency. And there can be a long delay (weeks or months) between removing some permission (or disabling a CA certificate) and noticing that the device is doing something weird.

Carlos-Anso If you do not trust the operating system, which includes system apps, it is probably best to not use it at all.

This is not the same "trust us or leave" deal that Google or Apple offer. Lots of Google's code is closed source (as is their right), and a large majority of Apple's code is closed source (again, as is their right). The only code on a GrapheneOS phone which isn't open source is the firmware, and the ability of the hardware to access arbitrary parts of system memory (read or write) is limited. Somebody concerned about what the window system does with its privileges can read the window system code. Open source does not automatically mean carefully-read source or free-of-bugs source, but it does mean that users aren't in a "trust us or leave" situation.

It would be great to have a phone platform with strong hardware security and open-source firmware and an open-source OS with strong security, and maybe someday there will be one. GrapheneOS offers a platform with strong hardware security, limited-access firmware, and an open-source OS with enhanced security. It's not the best deal that is theoretically imaginable, but it's a pretty good deal. Nobody is forced to accept that exact deal (and some community members have contributed code to improve the deal for everybody).

Firesign

Carlos-Anso

'We strongly advise against changing permissions for system apps. Its very easy to end up with a phone broken in unexpected ways. If you do not trust the operating system, which includes system apps, it is probably best to not use it at all'.

It is not possible to change the Permission setting on certain System Apps, for example:
Shell
Bluetooth
Settings
System UI

So even if I wanted to GOS prevents me from doing so.

other8026

Firesign You are unable to give a straight forward answer to my questions because you do not know and you are assumng that you do know. Please let others with greater knowledge answer my questions please.

I'm going to have to ask you to please be respectful toward other community members. de0u is a regular here and is, in fact, very knowledgeable.

Carlos-Anso

Firesign Define 'Limited' because looking at the above list, together with the Network connection, your 'limited' is actually all data from my Pixel phone is sent to Google.

You appear to be getting confused. The fact that 'Shell' has all these permissions does not mean that all data gated by these permissions is getting sent to Google. It is an open source system app that is part of GrapheneOS, not a proprietary Google black box.

Let me state again that all the connections that GrapheneOS makes and their purpose are carefully documented at https://grapheneos.org/faq#default-connections

Looking at system app permissions is not actually very useful and easily causes confusion. While some parts of the OS are system apps where you can view their permissions other parts are not - like the parts that create and enforce this permission model. It is pretty much an inherent property of any operating system that it has to have access to any data it handles and any network connections that it makes.

The GrapheneOS team have been discussing how we should deal with system apps and their permissions as it is a regular cause of confusion. Especially when people start denying permissions from system apps and later find some seemingly unconnected functionality on their device is broken. Its common for users to blame any breakage on OS updates, rather than considering that their own actions may have caused it. Over the years we have spent a lot of time diagnosing issues that have turned out to be caused by things like this.

Firesign Then one can assume some components are not isolated and can communicate with the hardware manufacturer.

By their very nature the cellular and wifi basebands are not isolated from the network and while technically they could connect directly to their manufacturers, whether that is considered Google, Samsung or Qualcomm, I am not aware of any indication that this is happening.

A modern smartphone is a very complex device. As a property of this complexity there are many potential ways that you could imagine that it could be technically possible for something to be malicious and be somehow exfiltrating your data.

It is however possible to examine the design, construction and functionality of software and hardware and to observe them during operation. This is constantly being done by many security and privacy researchers all around the world. The GrapheneOS team does this, as do many of our users and people we work with.

The fact that it it is open source, and in widespread global use, means that there are very many eyes upon the Android Open Source Project (AOSP). It is used as the base for far more devices than any other equivalent operating system code. The hugely diverse range of actors that somehow use the AOSP codebase acts to provide a collective guarantee that it behaves as expected.

We can not make 100% guarantees against every possible imagined security or privacy weakness. That is currently something of an unsolved problem and not really possible for any device, especially something as complex as a modern smart phone or personal computer. There is however a reason that GrapheneOS was built upon AOSP. It offers an unrivaled base when considering usability, security and privacy properties.

Firesign

Let me make this more simple. Can people only answer if they know the truth/facts and not opinions regarding the following questions:

System Apps:
1) Does a GOS Pixel phone send user data to Google? Yes/No
2) If Yes, then what actual user data is sent to Google? (see the above System App Permission list)
3) If Yes, can this user data be prevented from being received by Google using a DNS filter or other method?

Hardware Firmware
4) Does any proprietary software/driver for Pixel hardware components send data to the manufacturer? Yes/No.
(because Firmware is closed source software, I will assume that no one apart from the hardware manufacturer/firmware/driver creator would actually know the scope of the data collection and transfer)

5) If Yes, can this data be prevented from being received by the hardware manufacturer using a DNS filter or other method?

Appreciate your time in responding. Thank you.

Firesign

Carlos-Anso

Thank you for your response. There is no confusion on my part I can assure you. You are not prepared to directly answer my questions. Example: You: 'The fact that 'Shell' has all these permissions does not mean that all data gated by these permissions is getting sent to Google'. Also You: 'Theres very limited data sent to Google'. Therefore based on your answer: Not all user data or limited user data is sent to Google. In this case, what user data is sent to Google? If you don't know, then don't attempt to answer the question, or you do know and you are refusing to answer the question. See me Q2 below.

I do not understand why I cannot receive straight forward answers to my straight forward questions below. There appears to be a reluctance. Can someone please answer these questions in the format and order that I have presented them:

Hardware Firmware
4) Does any proprietary software/driver for Pixel hardware components send data to the manufacturer? Yes/No.
(because Firmware is closed source software, I will assume that no one apart from the hardware manufacturer/firmware/driver creator would actually know the scope of the data collection and transfer)

5) If Yes, can this data be prevented from being received by the hardware manufacturer using a DNS filter or other method?

I understand that some Graphene users see any questioning of the software as a direct attack against the orthodoxy - attack the heretic, the unbeliever!. There is nothing wrong with the questions that I am asking, just the way that the questions are being answered.

Thank you for your time in an answering my questions. Thank you.

fdohtgrf

Firesign

1) Out-of-the-box, no, as GrapheneOS does not bundle apps like Google Play services with it and uses private proxies for things like connectivity checks and attestation key provisioning. This has already been answered to you by multiple people and you should take a minute to read at least the first sentence in the link provided to you by previous users: https://grapheneos.org/faq#default-connections. Should you choose to install apps like Google Play services and grant them the Network permission, then yes, they can send some data to Google.

2) If by "user data" you mean things like photos and not empty requests to Google connectivity check servers, then you would need to give the Google apps storage permissions to your photos and do something like have Google Photos back them up to the cloud. The system apps you have mentioned in your previous comments are open source AOSP system apps and this was also (specifically for Shell) pointed out to you by Carlos-Anso. You are free to inspect the code, compile it and compare the outputs to GrapheneOS releases with reproducible builds. There is absolutely no evidence that these send any of your data to Google. As already stated by others, please do not revoke permissions for system apps to avoid unexpected behavior and breakage.

3) You absolutely can try to block Google addresses with DNS-based filtering or firewall rules or by putting your phone in a faraday cage, but I don't see why you wouldn't simply not give them the Network permission, or avoid installing them in the first place.

4) If you mean something like a backdoor, no. There is no evidence of this. Also see this thread: https://discuss.grapheneos.org/d/10150-not-your-average-why-pixel-thread/7

5) Answer nr. 4 was a no, but if we assume that they're somehow sending some data that way and airplane mode or shutdown isn't sufficient, then you could for example put the phone in a faraday cage or cut any power by removing the battery.