SMS and Dialer app question

monkey

How secure are the stock dialer and sms applications? i know inherently sms is insecure but theoretically speaking is it possible for the developers of the project themselves to see text messages or listen to calls this way? this is the one thing stopping me from making the switch, id like to trust open source projects and software but im one of those people who has to use SMS and make phone calls regularly so i dont want to risk anything. no disrespect to the project or devs intended im just curious about how alternative/foss sms/dialer application permissions work and what possibilities there are.

Dumdum

monkey
If the stock dialer/SMS apps are not trustworthy, then why would the OS be?

de0u

monkey id like to trust open source projects and software but im one of those people who has to use SMS and make phone calls regularly so i dont want to risk anything.

Is it less risky to use closed-source SMS/MMS/phone apps?

Xtreix

monkey How secure are the stock dialer and sms applications?

Hello and welcome.

The real issue is the insecure protocol and it makes no difference on GraphenOS.

From what I understand of your habit, it maybe be better for you to stick with Android Google Stock and benefit from opportunistic end-to-end encryption by enabling encrypted RCS fully supported by the original operating system, whereas it may not work properly on GrapheneOS, as well as spam protection.

If you're concerned about security, you might want to take a look at the Advanced protection program.

monkey

Dumdum

That doesn't really answer the question (thank you for responding though) , I've noticed the stock apps request network access as well. i was asking generally if a FOSS sms/dialer application's devs could look at your texts/calls including the stock applications on grapheneos. and of course no disrespect at all meant by this question, im just curious as these things are important to me and im by no means a tech guy ( im just annoyed by the default stock pixel OS)

bookreader

monkey i was asking generally if a FOSS sms/dialer application's devs could look at your texts/calls

For SMS, yes. If you install a 3rd party SMS application with network access, it could theoretically share messages with the developers.

For PHONE, NO. A 3rd party dialer could share call logs, but could not share an actual copy of the audio data. This is because of how the audio data is routed on Android. In order for a dialer application to have access to the actual audio data (typically for the purpose of call recording or transcription), it has to be installed as a SYSTEM APPLICATION (i.e., part of the system image). An installed dialer application cannot access this data.

The Dialer and SMS applications included with GrapheneOS are from upstream AOSP, with a few fairly minor modifications (the upstream dialer has no call-recording capability, which was added to GrapheneOS dialer). These applications have had so many eyes on their code that you can feel very assured that there is nothing nefarious added into them. Further, since those applications are part of AOSP, they carry the same level of trustworthyness as the REST of AOSP, and if you don't trust that, then absolutely NO version of Android can be trusted, since EVERY Android is a derivative of AOSP.

Feel free to audit the source code yourself if you're THAT paranoid.

spring-onion

These are all AOSP apps with mostly minor modifications, so assuming you trust the developers of one the biggest software projects of all times I see no reason to be concerned. It's all open source (including the changes by GrapheneOS) so technically you could look at the code yourself. In practice this won't help you directly since I reckon you can't audit code yourself. But now you may at least feel rest assured that many pairs of eyes have glanced over it already.

The network (and also sensors) permission is there because those are not included in stock Android. They are automatically given to ensure no sudden breakage happens because it'd be extensive work to figure out every possible use case and combination, it'd require maintenance too and that's just not worth the effort.

You're focusing on the wrong entity here. Besides the fact that it's illogical to question just these two apps when the whole operating system could be compromised as pointed out already, the whole system of carrier based calls and texts is flawed. The protocols are insecure, it's so much easier to intercept and listen in on your conversations. That doesn't mean you have to drop everything and go airplane mode only, that's not feasible for the majority of people. But just be aware; if you want to have a truly private conversation use Signal instead.

monkey

spring-onion

and grapheneos itself has had proper audits done recently by auditing companies or not? and yes i tend to ask many questions im sorry

de0u

monkey and grapheneos itself has had proper audits done recently by auditing companies or not?

Not exactly. If you search around on this forum you will find some discussions about audits. But the short answer to your question as phrased is that there is not a regular pattern of third-party consultant audits (just as there isn't for iOS or Google's Pixel OS or DivestOS or ...). That said, anybody (or group) who wanted to hire security consultants could do so!

monkey

de0u
it could be, i feel like its more clear that the messages are being exclusively for advertising but with graphene a purpose is unknown

bookreader

de0u No, it is FAR FAR MORE risky to use closed-source software because you really have no idea what is in it. Generally, people working on open source software will be "kept honest" just by the fact that their contributions are visible to ANYONE. It can be quite complicated (although not unheard of) to slip in sneaky code to open source projects. But closed source? Could be anything in there and its incredibly challenging to detect.

de0u

monkey i feel like its more clear that the messages are being exclusively for advertising but with graphene a purpose is unknown

The forum moderators have a distaste for unfounded allegations. If it is possible to cite evidence for the proposition that one or another closed-source SMS/MMS or phone app is used for advertising, that is more likely to be welcome content than a statement along the lines of "it is more clear that ...".

monkey

de0u

my mistake if implied that or it sounded like an allegation. im just trying to make sure im making the right decision by switching over and im uncertain how these things work / am curious

monkey

i probably sound like an idiot who doesnt know how this stuff works and that is true. im just trying to make a confident decision because i see a switch like this as a big decision.