How likely would it be for GOS to get a malicious OS update?

theydontwantyoutohaveprivacy

Say in a theoretic scenario the governments want to target all Graphene OS users like they did with SKY ECC under the false flag of combatting crime, would they be able to push a malicious update to the users? Or compromise the developer and through there? I'm not very strong on the subject of reading open source code so how would you know this? Also would they be able to see through the carriers which devices are using GOS and then individually try to hack those devices? A lot of scenarios please share with me your thoughts.

de0u

theydontwantyoutohaveprivacy Say in a theoretic scenario the governments want to target all Graphene OS users like they did with SKY ECC under the false flag of combatting crime, would they be able to push a malicious update to the users?

If somebody other than the GrapheneOS developers put an update onto the GrapheneOS update servers, the System Updater on GrapheneOS client devices would reject it due to it having an invalid signature.

theydontwantyoutohaveprivacy Or compromise the developer and through there?

If a government (or a non-government entity) hypothetically compromised Apple, perhaps Apple would ship malicious code. If a government (or a non-government entity) hypothetically compromised Google, perhaps Google would ship malicious code. So, yes, if a government (or a non-government entity) hypothetically compromised the GrapheneOS developers, perhaps GrapheneOS would ship malicious code.

My impression is that most code shipped by Apple, Google, and the GrapheneOS team is reviewed by somebody other than the author before it's shipped.

theydontwantyoutohaveprivacy Also would they be able to see through the carriers which devices are using GOS and then individually try to hack those devices?

Depending on how a GrapheneOS device is configured, it can be easy or hard for outsiders to tell whether it's running GrapheneOS. But it's not clear who might decide to take on the mission of breaking into all GrapheneOS devices. I have seen estimates that there are 200,000 of them, so that would be a big mission.

theydontwantyoutohaveprivacy A lot of scenarios please share with me your thoughts.

I think I would encourage that scenarios be posed with respect to GrapheneOS and Apple, or GrapheneOS and Google, etc. Could somebody detect which devices are running iOS? Sure. Could somebody decide to try to break into each iOS device individually? Sure, but who, and why? The answers for GrapheneOS and iOS / Google's Pixel OS might not be the same, but the questions might be more productive if they were asked about multiple equivalent systems.

DeletedUser43

theydontwantyoutohaveprivacy would they be able to push a malicious update to the users?

No. Graphene developers sign all the updates, you phone is able to reliably verify that.

theydontwantyoutohaveprivacy Or compromise the developer and through there?

Yes. If they somehow get their hands on the signing keys, or coerce the devs.

theydontwantyoutohaveprivacy I'm not very strong on the subject of reading open source code so how would you know this?

No. You're installing a blob, there can be anything in there.

There are no magical solutions here. You have to trust someone. It can be yourself, but you'd have to start reviewing the code, build GrapheneOS releases on your own, and manage your own signing keys.

horde

https://discuss.grapheneos.org/d/13522-protection-against-grapheneos-infrastructure-compromise

theydontwantyoutohaveprivacy

horde this covers a lot of my questions thank you!

horde

de0u Could somebody decide to try to break into each iOS device individually? Sure, but who, and why?

NSO, because $ and corrupted

de0u

de0u Could somebody decide to try to break into each iOS device individually? Sure, but who, and why?

horde NSO, because $ and corrupted

But NSO didn't try to break into each/every iOS device. They broke into a small number of targeted devices. Actually, NSO's customers broke into a medium-sized number of devices, and that's how they were discovered. If only a truly small number of devices had been broken into, maybe we still wouldn't know. There is an inherent tradeoff: breaking into more devices dramatically raises the likelihood of the campaign, and the vulnerabilities, being discovered.

Personally, part of my thinking is that if a sufficiently-resourced entity decides to focus on getting the data from my particular device there is a fair chance it will eventually happen. In my mind, that is very different from the situation with many other phones, which have enough vulnerabilities that lots of people can readily break in.

Anyway, "mass one-by-one targeting" is arguably off-topic, since the topic was whether GrapheneOS devices are vulnerable to central (developer) compromise. They are, but under assumptions that apply also to iOS devices or Google's stock OS: if somebody with commit access to the source tree is compromised, and nobody notices, then the OS can be compromised. As DeletedUser43 indicated.