I've been using and enjoying GrapheneOS for about a year now and continue to be impressed with the dedication of the team and the quality of the project. It really is a bright spot in a bleak landscape in a lot of ways.
I've also been trying to generally educate myself more on specifics of mobile privacy and security against a backdrop of real-world use cases, and fewer extreme theoretical situations. The reason I say it that way is because as I bring family and friends along on this journey, I know there will be limits to what everyone is able to do, and I want to be able to advise and assist in the best capacity I can for each situation.
I've come around to thinking more about compartmentalization as a concept, relegating certain activities to certain devices. High value activities would need to exist on a secure device like a Pixel running GOS. But what about things an individual may not be as sensitive to, like streaming a video? Could a handful of activities live on a device in a private enough and secure enough way so as to make the segmentation a viable option? Of course it is a multi-layered question (where are you streaming from? have you created an account with PII? are you using a VPN? etc.) so this is only meant to be a thought exercise.
I want to present a sample scenario to compare some of the differences between how GOS may handle certain things vs a common Android build that is heavily "managed". I know there are often similar questions about the differences between GOS and other operating systems, and I have read the documentation extensively and am familiar with what GOS can do. I am hoping that by providing a concrete comparison in a different way I can learn a little more about some of the underpinnings of Android and that perhaps it helps someone else in the process.
Take it as given that nothing will approach GOS in terms of what it offers. Again, this is only a thought exercise to understand differences in an actual (limited) use case, if that makes sense.
With that, the example.
Device configuration: Samsung tablet, a few years old, not receiving major Android updates anymore, but still getting quarterly security updates via Samsung. ADB to remove nearly everything preinstalled in main profile. NextDNS profile applied, and aggressively managed, with an extreme blocklist and a long list of TLDs also blacklisted within the profile - pretty much anything it calls out to that isn't that update server from Samsung. Google account, newly created only for this device, only for installing apps on this device, not used for a single other purpose. Essentially as gutted as I assume it can be without root access.
Use case: tablet never leaves the house. Used for media (local to device and streamed - e.g. Hulu), and self-hosted apps on LAN only, light web browsing, using Brave or Fennec with uBlock. No activity of any sensitive nature, no email, no messaging. Consumption device.
Now what I'm curious about is the following.
In a scenario like this where the use cases are highly defined and the device stays in one location, and personal data is largely not present on the device, what are the actual risks? If DNS logs are examined and nothing seems to be "escaping" that isn't expected, is it fair to presume based on this description that it remains a low(er)-risk scenario? Is stringent DNS examination a reasonable way to monitor "leakage"? In my mind, in this example, if traffic I'm not comfortable with isn't leaving the device, then what else could there be to think about? Have I missed something? Yes, Google knows the apps you're downloading and using in the example and Play Services definitely has more access, but on a device that is otherwise very limited in its usage.
Bonus question: let's say all Google services are ADB'd out too. No Play Store, account, or Play Services, and Google domains are blacklisted. FOSS/trusted apps only. How does that change things? Does it matter much given the other constraints?
I realize if we change the tablet to a phone that leaves the house, the risk profile changes too. I wanted to start with something very constrained and work outward in my thinking, if that makes sense. I've been mulling this kind of thing over for a while and figured it was time to ask. Happy to hear any thoughts.
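The post asks whether examining DNS logs is a reasonable way to monitor "leakage" from a locked-down device. The script below is an added illustration of that check and of its main blind spot; it is not part of the original post and is not NextDNS, Samsung or GrapheneOS code. It assumes two constructed log formats (a resolver log of `timestamp,query_name,answer_ip` and a router flow log of `timestamp,dst_ip,dst_port`, both invented for this example; real NextDNS exports differ), an allowlist of expected domain suffixes, and a known LAN prefix. It first reports queries outside the allowlist, then cross-checks the flow log for public destinations that were never the answer to any DNS query: traffic a DNS-only view cannot attribute, for example an app contacting a hard-coded IP or using its own encrypted resolver. Those are the connections a DNS log alone would never show you.

```python
"""Correlate DNS resolver logs with observed outbound connections.

Added example for the locked-down-tablet scenario; not the post's own
code. Both log formats below are constructed for this illustration.
"""
import ipaddress

# Constructed resolver log: timestamp,query_name,answer_ip
DNS_LOG = """\
2024-01-01T20:00:01,update.samsung.example,203.0.113.10
2024-01-01T20:00:05,cdn.hulu.example,198.51.100.20
2024-01-01T20:00:09,telemetry.vendor.example,203.0.113.77
2024-01-01T20:00:12,jellyfin.lan,192.168.1.50
"""

# Constructed router flow log: timestamp,dst_ip,dst_port
FLOW_LOG = """\
2024-01-01T20:00:02,203.0.113.10,443
2024-01-01T20:00:06,198.51.100.20,443
2024-01-01T20:00:10,203.0.113.77,443
2024-01-01T20:00:13,192.168.1.50,8096
2024-01-01T20:00:20,192.0.2.55,443
"""

# Domain suffixes the owner expects this device to contact (assumed list).
EXPECTED_SUFFIXES = ("samsung.example", "hulu.example", "lan")

# The home LAN prefix (assumed). Checked explicitly rather than via
# ip_address(...).is_private, because Python also treats the RFC 5737
# documentation ranges used in this sample as non-public.
LAN_PREFIX = "192.168.1.0/24"


def parse_dns(text):
    """Return [(query_name, answer_ip), ...] from the constructed DNS log."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, name, ip = line.split(",")
        records.append((name.lower(), ip))
    return records


def parse_flows(text):
    """Return [(dst_ip, dst_port), ...] from the constructed flow log."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, port = line.split(",")
        flows.append((ip, int(port)))
    return flows


def matches_suffix(name, suffix):
    """True if name equals suffix or is a subdomain of it."""
    return name == suffix or name.endswith("." + suffix)


def unexpected_queries(dns_records, expected_suffixes):
    """Sorted, de-duplicated query names outside the allowlist."""
    return sorted({
        name for name, _ip in dns_records
        if not any(matches_suffix(name, s) for s in expected_suffixes)
    })


def unresolved_destinations(dns_records, flows, lan_prefix):
    """Off-LAN destinations that never appeared as a DNS answer.

    DNS-only monitoring cannot attribute these; they are the blind spot
    of relying on resolver logs alone.
    """
    lan = ipaddress.ip_network(lan_prefix)
    resolved = {ip for _name, ip in dns_records}
    return [
        (ip, port) for ip, port in flows
        if ipaddress.ip_address(ip) not in lan and ip not in resolved
    ]


def report(dns_text=DNS_LOG, flow_text=FLOW_LOG):
    """Run both checks and return the findings as a dict."""
    dns_records = parse_dns(dns_text)
    flows = parse_flows(flow_text)
    return {
        "unexpected_queries": unexpected_queries(dns_records, EXPECTED_SUFFIXES),
        "unresolved_destinations": unresolved_destinations(
            dns_records, flows, LAN_PREFIX),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the constructed sample this flags `telemetry.vendor.example` from the DNS side and a connection to `192.0.2.55:443` that no DNS answer explains. Only the second check needs data from outside the resolver (a router or firewall flow log), which is the practical point: DNS inspection is a good first filter, but verifying that nothing unexpected leaves the device requires seeing connections at the network edge as well.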