Initial root access to restore backups?

MikeJ

Hey everyone,

I’m currently using a rooted stock Android on my Pixel phone. I would like to move to GrapheneOS with intact security model without root. I’m trying to figure out how to make this happen without losing all my app data.

I’ve been considering the following and I don’t think it will compromise the security model. I’d like to hear your thoughts about this though as I might be missing something.

I currently use SwiftBackup to make backups of my apps and their data.

Make a full backup with SwiftBackup.
Build GrapheneOS myself with some modification to grant me root access.
Flash this modified build.
Lock the bootloader.
Restore apps and app data with SwiftBackup with root access.
Make a regular GrapheneOS build without modifications and without root access.
Flash this build.

I believe this would leave me with a regular GrapheneOS system with all its security benefits but also my app data.

Do you see any problem with this approach?

I’m aware that this way I won’t be able to use regular releases and that I’d have to build all releases myself. At the moment I don’t mind doing this, as I’m also curious about the process and I’d like to learn more. If I feel, at some point, that this becomes a burden, I believe I could always move to the official GrapheneOS build (backing up and restoring with SeedVault).

I’d love to hear your thougths on this. If you can think of any good alternatives, I’d also be interested in hearing about them. I’ve also considered adb backup, but I believe that it won’t work reliably anymore with a lot of apps these days.

Thanks for your input,
Mike

TheGodfather

MikeJ Do you see any problem with this approach?

It does not work. Unlocking bootloader clears encryption keys, which makes all user data inaccessible.

redfoxjumper

That would work although it's probably a lot more effort and time than just resetting up your apps

lcalamar

redfoxjumper Exactly...

Just did several 'migrations; P6P > P9P stock, P9P > P9P GOS, P9P > P9P stock, P9P > P9P GOS
(note: I went back and forth as I was trying to get my PW3 to work correctly... each time you are starting from scratch... so restoring the apps was done each time.

For restoring the apps (note: doesn't 'save' the app data, just re-installs the apps. but the following steps were very helpful and I got better each time I did a flash:

I save critical APKs and restore files on my PC and connect the phone to the PC to copy those files back to the phone for installation or restore, these included saving and copying apk files and saved restore files (e.g.: Jsons, text, etc...):
-- Obtanium APK and restore files
-- Lawnchair APK (more on that later) and saved settings.
-- ffupdater APK (for installing iceraven browser)
-- Don't have to save 'Bitwarden' as it syncs from my other devices when I install it and sign in - but Bitwarden is a huge help to re-login to newly installed apps and browser sessions...
I use Obtanium as my first choice for apps - and I do a couple things there:
-- Save the Obtanium APK file between devices
-- Export my Obtanium settings to PC
-- copy that file back to phone and Import it into Obtanium
-- install those applications in Obtanium
I used google play for tracking and reinstalling many apps... its not as good as it could be as when you open PLAY to manage your apps - it lists every app you have ever installed using google play - for me that is a LOT... so it takes several passes through the list to catch all the current apps I want...
--- reinstalling all these apps takes a bit and as I mentioned - several passes to catch all.
Install the Lawnchair APK (the new version - I really like it as a browser)
-- AFTER all your apps are installed - then import the settings (that you saved from your old device) - and your launcher is back to where it was (albeit NOT the widgets)
login to Bitwarden and setup all the settings so it can work with your browser and apps... let it sync

Note: I use Iceraven as my primary browser as I can use extensions with it - and I have some critical extensions I can't live without... so I install it with FFUpater - and then sign in to my syncing profile... it then gets back to where it was - other than the extensions which have to be re-added
--- there are a couple extensions I save/restore settings for:
---- Chameleon (for changing my spoofing my browser's profile (some banking apps need it to look different!)
---- Cookie auto-delete - so it doesn't remove cookies for tab-close for some sites I don't want to have to constantly re-log into (e.g.: protonmail)

That's the bulk of what I've done....

... besides - sort of nice to start clean...

MikeJ

Thanks for your input!

redfoxjumper That would work although it's probably a lot more effort and time than just resetting up your apps

Yeah, probably. But I also like the idea of being able to get root access by flashing a modified build should I ever need it to access something...

I’ve come across avbroot in the meantime. Looks like this could also be a solution, but without having to do my own builds. It can patch and sign official builds with my own keys. It also allows to optionally add root. So I seem to be able to create both of the images I need from the official images.

aw22 What I do is just run a "userdebug" build that gives me "adb root" for full filesystem backups without allowing apps to gain root permissions. It's easy, just modify one line of the official build instructions.

Also sounds like a viable option. I’ve never done it this way though. Can I easily do full backups this way as well?

I don’t know anything about the Strongbox / software KeyStore thing you’re mentioning. Sounds like I should read up on this before moving ahead.

Hirudin

redfoxjumper Some people have apps called "games". These "game" apps sometimes have progress or stats that span years and cannot just be 'reset' like seem to suggest can be assumed of all apps. It's not just games, many apps are essentially portals to data accumulated over long stretches of time and, despite what you and I would prefer, some of them do not offer an easy or convenient manual backup option.

redfoxjumper

TheGodfather that's irrelevant in the scenario presented

Ammako

redfoxjumper you're not going to flash official GOS over a custom build without unlocking the bootloader first.

TheGodfather

redfoxjumper that's irrelevant in the scenario presented

It is. He needs to unlock the bootloader again to flash the official GrapheneOS image at the end.

aw22

What I do is just run a "userdebug" build that gives me "adb root" for full filesystem backups without allowing apps to gain root permissions. It's easy, just modify one line of the official build instructions.

I've also been experimenting with patching the device config to use a software KeyStore, rather than Strongbox, to allow full backups of apps like Signal, but that obviously has additional security trade-offs.

aw22

MikeJ Also sounds like a viable option. I’ve never done it this way though. Can I easily do full backups this way as well?

Yes, after running "adb root", I use restic (or rsync) to copy the entire filesystem to my laptop via ssh.

With that, you'll be able to fully restore the state of apps that don't use anything from the Keystore.

MikeJ

Ammako you're not going to flash official GOS over a custom build without unlocking the bootloader first.

The bootloader is alread unlocked in my case. I also have root, and I will do a full system backup before switching ROMs, so I expect to start from a clean state. And I would not flash the official GOS image but a modified one.

Or are you referring to my comment in the end where I mentioned that I might go from my modified build to official GOS in the future? It is clear to me that in this case I’d again lose everything. That’s why I mentioned restoring SeedVault backups.

redfoxjumper

Ammako the op was planning to use seedvault if they get to that, so that's still irrelevant

bobbed859

It would be great to have an official build with userdebug activated, so users can choose to install the build with or whithout it activated.
This would solve the current impossibility of making a full backup, (unless enabling userdebug is a major security weakness).

AlphaElwedritsch

bobbed859 It would be great to have an official build with userdebug activated

That would be in direct contrast to the philosophy of GOS.

Think about what consequences and effects that could have and then ask yourself again whether that would be a good decision or not

de0u

bobbed859 It would be great to have an official build with userdebug activated, so users can choose to install the build with or whithout it activated.

Unfortunately, if there were a signed userdebug build available, anybody who captured your device could sideload that build and use it to extract your data.

bobbed859

de0u Unfortunately, if there were a signed userdebug build available, anybody who captured your device could sideload that build and use it to extract your data.

Even if USB debugging is disabled?

de0u

de0u Unfortunately, if there were a signed userdebug build available, anybody who captured your device could sideload that build and use it to extract your data.

bobbed859 Even if USB debugging is disabled?

I think that formulation assumes that attackers don't know a way to enable it. For sure I haven't even skimmed any of the relevant code. That said, there are some people with their own private builds of GrapheneOS who make all sorts of modifications, including running userdebug builds (perhaps after having done their own code audits, or perhaps not). The web site has extensive build directions.

I don't speak for the GrapheneOS project, but I am very doubtful that they will issue signed userdebug builds.

Hirudin

I would be very interested in a tutorial for non-haxors that explains/shows how to make it so I can have GrapheneOS and app backups. I mean REAL app backups, not this SeedVault garbage that seems to be the only officially-supported option. "Yeah, it doesn't work very well, but what do you expect US to do? Fix it‽" - Thanks, GrapheneOS, you're the best!

As a rooted Android user since the HTC G2, I DON'T think it's too much to ask to have a phone that offers a tiny bit of privacy AND app backups. I appreciate that rooting could pose a security threat, but my security concerns are temporal. I'm probably putting myself in much more danger using a phone that refuses to update than one that the KGB could hack into if they could only manage to gain physical access to it for a couple hours without me noticing. (I better watch out! They might replace my vitimins with knockout pills.)

Dumdum

Hirudin "Yeah, it doesn't work very well, but what do you expect US to do? Fix it‽" - Thanks, GrapheneOS, you're the best!

https://grapheneos.org/features#encrypted-backups

Seedvault was created by a GrapheneOS community member for inclusion in our operating system. We plan on replacing it with a new implementation since the project has been taken over by another group of people not sharing our goals or approach.

Rizzler

Wait for the new backup system to drop. Rooting is anti-security. Run LineageOS if you don't care about security.

MikeJ

Rizzler Wait for the new backup system to drop.

Any idea when this will be?

Rizzler Rooting is anti-security.

Not sure if this was directed at me. But my intention is to use GrapheneOS without root. I now have restored my backups and I’ve just flashed a new build without root. I believe this should not compromise security. But please let me know if I’m missing something.

Rizzler

MikeJ So if i got your post right at the end you're still using your unofficial build?