Hi.
I am new to GrapheneOS and Android, and have a few questions.
How can I audit the system? How do I capture raw network traffic on the real network interfaces and the virtual VPN one? How do I access and examine the raw storage block devices? How do I access the actual root file system tree and all mount points? I am basically asking for something like Qubes OS dom0. I want to do this, or I cannot come to trust the system for privacy-sensitive things. I have uncovered really serious bugs in the past in other operating systems, so I am a bit paranoid about this.
Is it possible to disable the baseband/LTE modem partially or completely, without losing Wi-Fi? Would this reduce attack surface in the event that there is a bug in the baseband firmware or driver?
My LUKS2 encrypted USB disk was not recognized by GrapheneOS. What is a portable way to transfer files between devices, with strong encryption, no network and where I am still in control of what files the other device gets access to?
It appears apps can see all other apps installed. Are there more things apps can see like this, where they are not totally isolated from the world? Can I prevent this by installing the apps to different user profiles?
When an app opens a file selector, the file selector can see all files. Is this file selector controlled by whatever is GrapheneOS's dom0 rather than the app itself? Is it certain apps cannot even list files that exist or test for their presence at all? The app only gets to see the file I selected? Will the file selector always look the same no matter what app uses it? There is absolutely no directory where files in it will be visible to other apps by default?
Is there any kind of IPC between apps? And if there is, will I be asked whether to allow it, so I can deny that communication?
Is it totally certain all files, apps and data are encrypted with my login PIN always? There is no functionality so that an app can opt to store data unencrypted or unprotected in that sense, like I heard there is on iOS for "things that must work when device is locked"?
Hope someone can shine some light for me, easing my migration.