Hi,
I'm wondering if it's better to disable the "Sensors" permissions in GrapheneOS. Currently, all my apps, including many system apps, have access to this permission.
Thanks for your advice!
Stewart Is it recommended to disable the "Sensors" permissions for [user-installed] apps
This will depend on your threat model. Since GrapheneOS leaves it enabled by default, I would say it is not necessarily recommended to disable them. The reason for leaving them enabled, is that some apps expect to have them, and it can cause those apps to not work. Clearly there is a tradeoff involved. If misuse of sensors is something that concerns you, I'd say there is little risk of disabling the permission and see what happens. Most apps will probably work fine. Just remember you did that if some app stops working!
Stewart including system apps?
Definitely not recommended.
Stewart What are the potential risks of leaving these permissions enabled?
Sensors can collect a lot of data from the environment. That data could potentially be used to identify you, where you are, who is around you, etc. The barometer can apparently even be used as a microphone. I haven't heard of any apps actually doing this for malicious purposes, but it is definitely possible.
Stewart I have always had it disabled for newly installed apps, and have this far not needed to add it back to any app. So it is probably safe to toggle that global option that disables it for newly installed apps.
For GrapheneOS pre-installed apps there are no real need to do this, as they won't be abusing that permission. At least the camera app is known to break if removing sensor permissions. And disabling it for system components is definitely not recommended, it may break things badly. But I have removed sensors permission from Vanadium and WebView without any issues. If they get hacked, better not they have that permission.
Stewart First of all, don't mess with system apps' permissions. The sensor permission is added by GrapheneOS, so system apps just get the permission automatically. It doesn't mean that those system apps are using them.
As for other apps that you install yourself, I'd say it's totally up to you, but most apps don't need the sensors permission even if they do try to access sensors. You may want to grant the sensors permission to apps that use the camera so they know which way is up and navigation apps so they know which direction you're facing.
Alright, I understand better now, thank you for your feedback. Basically, the vast majority of apps don't need access to the "Sensors" permission, except those using the camera (Camera, Signal, etc.) and navigation-based apps (Organic Maps, Magic Earth, etc.).
I will disable this permission by default for newly installed apps. However, I am really surprised by the data that can be collected through the enabled "Sensors" permissions. Why is this option enabled by default in GrapheneOS, given the significant data collection possible?
Stewart Why is this option enabled by default in GrapheneOS, given the significant data collection possible?
To avoid breaking compatibility with Android apps, the added permission is enabled by default.
On a side note about sensors, this an interesting app that can give an idea of how and what data sensors actually can get:
r134a damn, that's awesome.
I haven't needed Sensors for Magic Earth, always used it with sensors off. Maybe it wouldn't be able to rotate the map automatically when just browsing the map, but during navigation it follows the route instead of relying on gyro anyway.
other8026 when I installed GrapheneOS, I made some changes with the permissions for the default/system apps. Is there any way to reset these to the defaults? Thanks
[deleted] or if someone could share me their default permissions for system apps, that'd be great!
[deleted] I think many can be reset in Settings > System > Reset options, but not all. Doing that resets other things too, so if you want to try that, make sure you read the dialogue box that pops up to know exactly what is reset. If you ever run into weird problems or crashes, you may have to just factory reset your phone or remove the profile you're using.
other8026 thanks for the suggestion. You just gave me the idea to make a new profile, and see what the defaults are there, and just adjust on my main profile.
Thanks!
