CodexAG You still need to expose your phone number to meta - and the metadata when using the app.

CodexAG

It is sandboxed in the same way as other apps. That is the same as on Android. GrapheneOS adds some additional permissions that you can revoke such as sensors.

  • Edited

spiral With contact scopes, storage scopes and the ability to revoke sensors and network, you certainly use WhatsApp in a more private way than on the stock OS, where WhatsApp has access to all your contacts and files, unless you revoke all its elements, which makes the application unusable in practice, it will also have permanent access to the network.

    Xtreix

    Yes I understand that. I was replying to the OP who wrote the following sentence in which they seem to conflate privacy and security:

    Does downloading Whatsapp on the grapheneos phone cancel out its privacy in any way or is it still secure because it's sandboxed

      When the co-founder of Whatsapp Brian Acton sold to facebook and said something like "I just sold my users privacy" its all one needs to know really in that regard.

      It is still better than some of the other messengers in my opinion and sms obviously. The fact most people use it makes it hard to avoid.

        • Edited

        spiral Yes I understand that. I was replying to the OP who wrote the following sentence in which they seem to conflate privacy and security

        Ok I see.

        tango It is still better than some of the other messengers in my opinion and sms obviously. The fact most people use it makes it hard to avoid.

        Yes, some of my contacts use WhatsApp whereas I'd like to use Molly only, in fact, still many users have never heard of Signal and I assure you it's not just people who aren't interested in technology, in France, a lot of people still use SMS as a means of mobile communication because French phone operators are among the few in Europe to still offer unlimited SMS packages, so I can't even completely avoid SMS, if someone gets into an SMS discussion with me, I'll try to reply late or with a simple reply of a few uninteresting words.

        Opportunistic E2EE in Google Message certainly improves the situation, but it relies on RCS, which is still a closed garden for phone operators.

          tango The fact most people use it makes it hard to avoid.

          Thats the crux.

          Xtreix still many users have never heard of Signal

          Absolutely agree, out of my Signal contacts only one of them had heard about it. I think in general most people just dont care about privacy so dont go looking for it. Basic things like sharing the odd youtube/newpipe video with a friend/relative are usually a good start to helping them know whats going on. After that its up to them if they care enough to do something about it.

            tango I think someone you'd have a conversation with would probably care about privacy to some extent, but it also probably depends on what that person means by privacy, which is why threat modeling is important and the need to distinguish between what could happen and the probability of it happening, a phone operator is able to access all your data but the risk of them posting your private data online to harm your reputation is weak. Unencrypted messaging pass unreliably over mobile network is enough for me to avoid SMS and because SMS phising is way to easy.

            Without an effective and widespread means of communication, it's pretty hard for developers to get the word out about their products, WhatsApp got a lot of publicity because Meta promoted it on Facebook, which has billions of users, and more people heard about Signal when Elon Musk talked about it on Twitter, not everyone likes to look for novelties on their own.

              Ok thanks all.

              Does the fact Whatsapp is sandboxed make it more difficult for remote intrusions that hitch on normal stock Whatsapp? For instance programs like pegas*s exploit vulnerabilities in WhatsApp to gain remote access to rest of phone system. Is this denied if it's sandboxed? Or at least significantly more protected?

                CodexAG One of the aims of GOS is to offer strong mitigation of remote exploitation, which is why verified booting is so important. All applications are strongly sandboxed and GOS offers much more granular control.

                You are talking about Pegasus, so I suggest you consult this link.

                Privately it is a type of thinking!?
                Example: You can make your device private when you install Ws (depending on how we configure it), but you can't make your data private, it's a completely different thing. There is no absolute privacy for either party and it's a bit analytical.

                  FischS

                  You can make your data "more private" by the apps and services you choose to use. For example, using Signal/Molly will make your data more private than using Telegram or Whatsapp, using Tuta instead of Gmail etc and the list goes on. Obviously there is no such thing as absolute privacy unless one finds a rock large enough to climb underneath.

                  Xtreix

                  I agree, probably didnt word that correctly! Most people i speak to do seem to care but it seems when it comes to putting words into action there is an apathy about them. Obviously some people are very busy with their lives and just dont have the time. I think most care a lot more about security and keeping their money safe (ignoring scam calls/not clicking on email links etc).

                    tango Most people i speak to do seem to care but it seems when it comes to putting words into action there is an apathy about them

                    Yes, my opinion on this subject is you don't see what's going on behind the scenes, unless you know some of the basics of how a network works like what is the TCP/IP model. Authorities offer a list of best practices like the passwords managment but it's not very useful if the person doesn't understand why they're doing it, so I see a number who have given up and are convinced that online privacy doesn't exist.

                    tango I think most care a lot more about security and keeping their money safe (ignoring scam calls/not clicking on email links etc).

                    I've been interested in security and privacy since 7 years and what I've seen is that a non-negligible number I see in the privacy communities overestimate the threat from governments and tech companies, and underestimate the threat from organized crime and malicious hackers, so I'd say worrying about protecting your money, phishing and scam calls is a good start.

                    • mmmm replied to this.

                      Xtreix overestimate the threat from governments and tech companies, and underestimate the threat from organized crime and malicious hackers.

                      I agree that hackers etc are under estimated, but by sayingb that, you yourself are underestimating the power of big tech/data collection and how it can shape the views of the populous primarily politically but really in many disciplines.

                      Look at just how much is collected. Look at scandals such the Cambridge Analytica Facebook link. The writing is on the wall, its already a problem and only going to get more so.

                      Its prudent to be aware, and almost no one seems to be particularly worried. Its frightening, just how much of this stuff is laid bare and still we let them take and manipulate.

                        WhatsApp can still read your phone's imei, unless grapheme has changed this

                          mmmm Better to define the threat as the service provider as a whole rather than "big tech", data leak scandals don't achieve much apart from sensationalist articles and ill-thought-out legislation, defining a clear threat model is the first step.

                          graphy00 WhatsApp can still read your phone's imei

                          This is no longer the case since Android 10 and GrapheneOS enhances it because Google Play is not privileged :

                          https://grapheneos.org/faq#hardware-identifiers
                          https://developer.android.com/about/versions/10/privacy/changes#non-resettable-device-ids
                          https://stackoverflow.com/questions/57993401/no-imei-for-android-developers-in-android-10

                            Xtreix Better to define the threat as the service provider as a whole rather than "big tech", data leak scandals don't achieve much apart from sensationalist articles

                            It wasn't a data leak. It was 'acquired' by seemingly legitimate means. Anyway, thats missing the point. The point is not to brush off what can happen by underestimating seemingly non criminal organisations such as big tech and governments regarding using our data for whatever purpose.