Fork of Mulch Browser?

SovereignCopper

GrapheneOS Which is why Vanadium would also benefit from wider availability. This would also eliminate the need for Mulch-like initiatives.

GrapheneOS It was based on forking the DivestOS code but it's not really a continuation of it. It doesn't follow the same approach.

Their SLIM variants do to a large extent.

GrapheneOS Step in the right direction: IronFox has enabled fission by default.

TheGodfather

SovereignCopper Step in the right direction: IronFox has enabled fission by default.

It nevertheless does not use isolatedProcess, so it won't really matter.

GrapheneOS

SovereignCopper

Their SLIM variants do to a large extent.

Not really, and we already posted about our thoughts on whether it would make sense to continue DivestOS as is:

https://grapheneos.social/@GrapheneOS/113772409415058393

ceramics

SovereignCopper Which is why Vanadium would also benefit from wider availability. This would also eliminate the need for Mulch-like initiatives.

I'd invest greatly in Vanadium. Make it as close as possible to solving many browser issues, make it available in play store (if there's no compromise), increasing user base, market it like a gateway drug to GrapheneOS.

steadfasterX

GrapheneOS

What means "not really"?

AXP.OS Slim is based on DivestOS:

using the same build env and setup as DivestOS
using the same build scripts as DivestOS
using the same patches as DivestOS

AXP.OS Slim is also using the same build(!) config as DivestOS with the following exceptions:

it includes AuroraStore
adds different F-Droid repos which are all disabled by default (except the AXP.OS stable one which is used to provide out-of-band updates)
it allows WiFi calls
it uses a more restricted microG implementation
instead of the deprecated Mulch it includes the AOSmium WebView based on the same patch set as DivestOS did

The idea of that Slim flavor is exactly that, continuing the DivestOS spirit and that's why it is almost identical built. Of course AXP.OS uses different automation methods for actually building but all the rest ... I continued even the cve kernel patcher, Mulch, Hypatia, and so on and so forth.

The Pro flavor is a complete different approach and target group obviously.

missing-root

ceramics the GrapheneOS camera already kinda is

Watermelon

steadfasterX I would personally never trust any software you publish to be secure. I don't think you're doing it out of malice, but you seem to have an extreme lack of care for security. Your username (steadfasterX) matches the username of the person on Android File Host and XDA forums who publishes mAid (formerly FWUL which used to be published on AFH, I remembered your username from AFH). Your last version of mAid, version 4.2, which you should've retracted 1 year and 6 months ago, is still publicly downloadable and contains malware (CVE-2024-3094, XZ Utils backdoor). Now that you've been notified of this, please retract this version immediately.

steadfasterX

Watermelon

Oh wow. Thanks for the hate. We discussed about AXP.OS Slim and you.. (Trying to) blame me and that without any proof and then taking this to say I am not taking security any serious. Loving that.

Ok so, first things first: mAid 4.2 is not affected by that CVE. Sorry but you are wrong.

Pls read: https://archlinux.org/news/the-xz-package-has-been-backdoored/ (especially the top part of it (!) and the last topic "Regarding sshd authentication bypass/code execution")
The Manjaro discussion: https://forum.manjaro.org/t/xz-package-contains-a-vulnerability/159028/27

Besides all that, mAid 4.2 was built on 30th of March where the xz pkg in question has been replaced already (version 5.6.0 still though but without that code).
You can even check the virustotal results for the binary in question of mAid 4.2 (https://www.virustotal.com/gui/file/caf351bfe51bb4e0fe822bd4ffab580f50ceb6e82c5706d40f5ef0a5af1b971a/detection)

Watermelon

steadfasterX mAid 4.2 was built on 30th of March

That's not what it says:
The mAid homepage (that I linked to earlier) says:

mAid v4.2
Release date: 2024-03-15
MD5sums:
full: 2b626b46131ba60626e10873c42fe9e9
light: 23aa315de202ca190ac9b00ab66b226e

The changelog linked from the homepage says:

mAid_v4.2_x86-64
Released: 2024-03-15

And the SourceForge download link from the homepage says:

mAid_v4.2-full_x86_64.iso
Modified: 2024-03-15
Size: 2.6 GB
SHA1: a3820ae7450058ffed06f6967399839b03f04448
MD5: 2b626b46131ba60626e10873c42fe9e9

All of them say March 15, not March 30.

steadfasterX Ok so, first things first: mAid 4.2 is not affected by that CVE. Sorry but you are wrong.

Pls read: https://archlinux.org/news/the-xz-package-has-been-backdoored/ (especially the top part of it (!) and the last topic "Regarding sshd authentication bypass/code execution")

The Manjaro discussion: https://forum.manjaro.org/t/xz-package-contains-a-vulnerability/159028/27

Actually I did look for the Arch Linux news post after sending my post here. I'm not sure what to think. Should I feel safe that it's the compromised version but the attackers supposedly didn't inject malicious code into the Arch Linux build? Besides this, I don't care about the specifics of the behavior of the malware.

steadfasterX You can even check the virustotal results for the binary in question of mAid 4.2

Antivirus scanning is not an authoritative source to determine whether something is safe so I don't particularly care about these scan results.

steadfasterX Oh wow. Thanks for the hate. We discussed about AXP.OS Slim and you.. (Trying to) blame me and that without any proof and then taking this to say I am not taking security any serious. Loving that.

I also saw that the Pro flavor of AXP.OS is “pre-rooted” with support for “re-locking” the bootloader as if that would achieve verified boot. And AXP.OS has the stated purpose of being a balance between security, privacy, and usability, but the Pro flavor throws this balance out of the window by having zero security and privacy. And you still use MD5 in 2025 (not talking about SourceForge).

I probably wouldn't have noticed you if I hadn't used mAid/FWUL, so at least I found it useful, and I know another person who found it useful, so thanks for that at least. And as I said, I don't think you're doing it out of malice. But you don't come across to me as someone who cares about security. Sorry

de0u

Watermelon I would prefer a discussion more focused on technical matters (e.g., MD5 in 2025?!) versus allegations about what people do/don't "care about".

steadfasterX

Watermelon

sorry I was in rush when searching for the release date via my phone. the rest remains true though. keep in mind that the target group and goal for mAid is a complete different one than for AXP.OS. I never said the mAid live ISO is a high security daily driver while I still implement features like Secure Boot etc. yes, sha256 and sha512 are only shown on sourceforge which is the main download page though. but yes, hash sums on the homepage and for the release is something I have to fix though.
I haven't updated mAid since a year as it is really just a "small" personal project and again for a complete different target. speaking of that, the reason for the long release pause is that I publish releases after being completely tested only (which is a lot of effort) and for this I need enough free time doing so. since that time I had put much more time into AXP.OS which increased even more after the EOL of DivestOS. For AXP.OS it is way more important being current, tested and stable as I it is in use by some ppl as their daily driver. and I take that very serious.

supposedly didn't inject

no supposing here, it is 100% clear that the malicious code has no effect in mAid. well as long as you can read code and trust git at all. a new mAid release is in the works btw besides the nightlies which can be used in the meantime regardless.

Antivirus scanning is not an authoritative source to determine whether something is safe so I don't particularly care about these scan results

I didn't say it's an authoritative source for determining whether something is safe, but not including it would be unwise. I am pretty sure you would link that source if they would show "90% infected". It is ofc just one tool in a set of tools and also methods when analyzing stuff like that, so if you want to do that seriously you should care about malware scan results, imho.

[...] support for “re-locking” the bootloader as if that would achieve verified boot.

I have no idea what makes you think that. re-locking the bootloader and verified boot are different things and if there is something not clear on the website let me know. as before with your first post it seems you didn't took the time reading first and instead just throw out what you feel (which is OK if you would explicitly mark it like that).

You can read about the bootloader re-lock and also what it is meant for here: https://axpos.org/docs/guides/installation/bootloaderlock/

the other topic regarding verified boot: many devices for AXP.OS do support verified boot and which ones are clearly mentioned at their info and download page. (e.g. h815 does not while Fairphone4 does). This is regardless if that is the Pro or Slim flavor.

again, my statement you replied on first was explicitly about AXP.OS Slim but anyways.

the Pro flavor throws this balance out of the window by having zero security and privacy

"zero security and privacy". I think (again) it seems you are not happy with my person in particular and then out of this feeling claiming statements like that. AXP.OS Pro and Slim both using DivestOS deblobbing tools (and extending these) to remove a lot of calling-home calls ((I am not aware about another project doing that in this scale since Divest's EOL), it patches all devices with monthly (that changes as we all know) ASB patches, uses GrapheneOS' hardened malloc for most devices, includes a Vanadium based WebView and also applies CVE patches on all kernels (I am also not aware about another project doing that last one in this scale, GrapheneOS aside ofc).

The goal of AXP.OS Slim is identical as it was with DivestOS: taking back (some) control of your device. AXP.OS is meant mainly for devices which are not getting support anymore, i.e. end-of-life devices and even devices not supported by LineageOS or GrapheneOS anymore. AXP.OS is not a second GrapheneOS or CalyxOS, but it brings back life to devices which were otherwise kept in the drawer forever. it is clearly stated that for best security you should use a modern (Pixel) phone and switch to GrapheneOS

And you still use MD5 in 2025 (not talking about SourceForge).

sorry wrong again. AXP.OS has no single MD5 hashsum, for simplicity the unstable ones:

https://leech.binbash.rocks:8008/axp-unstable/
(you can go through https://leech.binbash.rocks:8008/axp as well)

where do you see md5sums? I mean yes the special recovery files for ODIN which is the Samsung flashable format but it does not support other hash algos for these devices. these are convenient files but users can download the regular recovery image + the sha256 file for it and create their own one if they want.

besides that all sha512 sum files are GPG signed (e.g. https://leech.binbash.rocks:8008/axp-unstable/AXP.OS-22.2-20250815-dos-sunfish.zip.sha512sum) which will be added for the sha256 ones soon, too.

besides that build notifications get sent to the notification channel (containing its sha256sum).

Besides that every build can be verified by the OTA signature and its build ids.

as you likely have seen on the linked page, AXP.OS also increases key size + hash (8192 / sha512) for AVB, APK signing and dm-verity (incl. adjustments in recovery and OTA Updater to support higher hash algo).

But you don't come across to me as someone who cares about security

that is OK. you do not trust me because you feel like that and I am not here to change this because my personal feeling here is that it does not matter what I say you will dig around until you find something where you can say again sentences again like: "I would personally never trust any software you publish to be secure" and "you seem to have an extreme lack of care for security" or "having zero security and privacy" ... which is just .. wow.. and I'm really trying not to take it personally. :)

anyways I am always open to suggestions and am aware that neither I nor my projects are perfect!
I cherish my privacy and am passionate about security, but ultimately, I am only human and do my best to be of help to others.

Watermelon

steadfasterX sha256 and sha512 are only shown on sourceforge

SourceForge only calculates MD5 and SHA1, it seems, unless you calculate other hashes and upload there.

steadfasterX no supposing here, it is 100% clear that the malicious code has no effect in mAid

Yes but I didn't know this. I said "supposedly" because that's appropriate to say when I assume something I don't know, not because I thought you were lying.

steadfasterX I didn't say it's an authoritative source for determining whether something is safe, but not including it would be unwise. I am pretty sure you would link that source if they would show "90% infected". It is ofc just one tool in a set of tools and also methods when analyzing stuff like that, so if you want to do that seriously you should care about malware scan results, imho.

It could be nice to rely on antivirus if it detects stuff, but it cannot in any way be relied on to determine if something is clean. Given that we're talking about a compromised version potentially containing malicious code, and that I already thought it was malicious and you were trying to show that it isn't, antivirus is useless to me in this case and I didn't even check the VirusTotal link you gave. And it's why it's noteworthy to mention if many antivirus vendors detect it, but not noteworthy if none detect it.

Fun fact: several years ago I created a file and uploaded it to VirusTotal. The file was completely benign but within a few days 90% of the antivirus vendors detected the file as malicious, and many vendors copied from other vendors. After some time eventually all detections were cleared but it was mind-opening to see a benign file that I myself created being detected by 90% of antivirus vendors.

steadfasterX I have no idea what makes you think that. re-locking the bootloader and verified boot are different things and if there is something not clear on the website let me know. as before with your first post it seems you didn't took the time reading first and instead just throw out what you feel (which is OK if you would explicitly mark it like that).

I followed the link from your first post in this thread:
https://axpos.org/docs/knowledge/features/#flavor-comparison
Quote:

Pre-rooted (Magisk) by EXTENDROM_PREROOT_BOOT - Bootloader re-lock compatible
(must be explicitly enabled and activated first)

Which leads to:
https://github.com/sfX-android/android_vendor_extendrom/wiki/EXTENDROM_PREROOT_BOOT
Quote:

EXTENDROM_PREROOT_BOOT
Pre-rooting with MAGISK seemingless within the AOSP build process while keeping AVB / DM-VERITY intact !

And bootloader locking is primarily meant for enabling verified boot. There's some minor benefit of using encryption based on verified boot to encrypt the Device Encrypted (DE) data in BFU mode, but most user data is Credentials Encrypted (CE).

steadfasterX many devices for AXP.OS do support verified boot and which ones are clearly mentioned at their info and download page. (e.g. h815 does not while Fairphone4 does).

Fairphone 4 doesn't support verified boot:
https://discuss.grapheneos.org/d/24134-devices-lacking-standard-privacysecurity-patches-and-protections-arent-private/36
https://www.reddit.com/r/GrapheneOS/comments/10b5x4n/comment/j67pbny/

steadfasterX "zero security and privacy". I think (again) it seems you are not happy with my person in particular and then out of this feeling claiming statements like that. AXP.OS Pro and Slim both using DivestOS deblobbing tools (and extending these) to remove a lot of calling-home calls ((I am not aware about another project doing that in this scale since Divest's EOL), it patches all devices with monthly (that changes as we all know) ASB patches, uses GrapheneOS' hardened malloc for most devices, includes a Vanadium based WebView and also applies CVE patches on all kernels (I am also not aware about another project doing that last one in this scale, GrapheneOS aside ofc).

What are these patches and exploit mitigations supposed to defend against? If the OS is pre-rooted and an app is granted root access, what is there to defend against? The app is granted complete permanent access to the device, there's nothing further left for it to exploit, it can access anything it wants. You could argue that the implementation of the root access is not exploitable (let's assume that for a moment) and the user should only grant it to trustworthy apps. How does the user know which app developers are trustworthy enough to grant them root access? There's no way to know really. And even if they're trustworthy, their apps can contain malicious embedded libraries, be compromised during development, or contain vulnerabilities.

steadfasterX it is clearly stated that for best security you should use a modern (Pixel) phone and switch to GrapheneOS

That doesn't mean that AXP.OS Pro with the stated purpose of being a balance between security, privacy, and usability should throw out all security and privacy by being pre-rooted.

steadfasterX sorry wrong again. AXP.OS has no single MD5 hashsum, for simplicity the unstable ones:

I was referring to mAid, not AXP.OS. You could read this as “MD5 in 2024”, if you like, as that was the last year you released a mAid version. It was just as obsolete then as it is today.

Even a secure hash algorithm might not provide security, depending on the website configuration and HTTPS/TLS support. So arguably it's still good for detecting accidental corruption and possibly not malicious corruption even with a secure algorithm. I just don't understand why would someone use an obsolete hash algorithm and it's not something I imagine a security professional would do. That's all.

steadfasterX I cherish my privacy and am passionate about security, but ultimately, I am only human and do my best to be of help to others.

I appreciate that. As I said, I don't think you're doing it out of malice. And I and another person I know have used mAid and liked it.

steadfasterX I never said the mAid live ISO is a high security daily driver

Fun fact: the other person I mentioned wanted, if I didn't misunderstand them or misremember details, to install mAid and use it as a primary desktop OS. I remember warning them about mAid being compromised after the XZ Utils backdoor was discovered. I warned them much before that that it's not a good idea anyway but the XZ Utils backdoor was a practical example to prove my point to them, and warn them to keep them safe.

steadfasterX

Watermelon And it's why it's noteworthy to mention if many antivirus vendors detect it, but not noteworthy if none detect it.

not my POV. yes, it is true that this is not something you should rely on alone, that's what I said already but when analyzing such issues one has to consider every aspect because every detail counts. it was not meant to be a single proof for it just one part of the research. putting things all together is the key when doing researches like that. if you do not include malware detection in your research you miss an indicator. as said before, everything must be taken into account not just a single thing, at least that is how I do it. sorry if that sounded like the only proof for being "free of malware".

Watermelon Pre-rooting with MAGISK seemingless within the AOSP build process while keeping AVB / DM-VERITY intact !

ah well, then I know where the misunderstanding might come from. ppl might interpret that as it would ENABLE it but that is not the case. it "just" means that it won't get unusable with that (if the device/OS supports it). it does not disable verified boot and it still allows to lock the bootloader keeping the whole chain intact (as long as the device/OS supports it).

Watermelon And bootloader locking is primarily meant for enabling verified boot.

every barrier helps imho. and locking the bootloader helps if someone has physical access to the device in any case. no fastboot cmds possible etc. I do not say it replaces essentials like verified boot or encryption but for me security also includes the physical part. if I can close a window (even if it is that small) I do so.

Watermelon Fairphone 4 doesn't support verified boot

it does - but well.. the thing is the Fairphone allows to boot images signed by test keys (turning that feature into a joke). I found that out when bringing up the FP3 first and now as shown in your link it turns out they still did the same for the FP4. wow.. I have added that one to the projects FP4 known issues, too. Thanks! and what a mess..

Watermelon What are these patches and exploit mitigations supposed to defend against?
If the OS is pre-rooted and an app is granted root access, what is there to defend against?

first of all: being pre-rooted in AXP.OS Pro means not it is activated by default. it must be explicitly enabled first and before that it cannot be used at all (no su, no apps can request root etc). Enabling root in the Pro variant is meant for ppl using their device with extra care and ofc following the known precautions (not clicking dubious links, installing APKs from random sites, etc), rooted or not.
patches and exploit mitigation are useful to make things harder even on a rooted device. I do not say that this is like an ultra extra protection but script kiddies with pre-made exploits won't be able to use these when the OS is patched unless they really know what to do (assuming the attacker has access, has root). even then it might help in getting detected at least (if exploits fail due to OS patches) and making custom exploits harder etc.
as said this is not meant to be a real protection for serious attackers but whatever is possible should be done, imho.
the demand for root is there, for example because there is still no reliable way backing up all apps (+ their data) on a Android device. Yes I am aware of SeedVault (and all its disadvantages and buggy behavior, at least on A13 and lower) but that is just one example why one might want to have it.

AXP.OS Pro reduces risks as much as possible, which differs drastically between root access and no root access – but it is certainly not useless. In any case it is a "better-than-doing-nothing" - approach, even when root is enabled. AXP.OS Slim reduces the risks much more while even there it is the same approach at the end. if a device does not provide firmware fixes AXP.OS cannot protect against that either but it does everything possible to reduce the risks.

Watermelon How does the user know which app developers are trustworthy enough to grant them root access?

how does a user know which app is trustworthy - at all? is Google trustworthy enough? or Graphene? they all can potentially contain such things you mentioned, root or not, wanted or not. Of course with a rooted device the risks are dramatically higher, I don't deny that.
if a user activates root this is the risk he/she has to take. I love freedom of choice. and this includes the possibility to do with a device as I would really own it actually. which includes root. and due to that (freedom of choice) also the Slim flavor exists as users can choose if they want to follow that route or use the pure DivestOS approach (aka AXP.OS Slim).

Look at Apple, they know what is the best for their users and so take the decisions for them what you can do, what not and how they are allowed to do things. same with GNOME when they removed almost all configuration options (to mention just 2).

I don't like decisions being forced upon me (even more if I have a choice). That is why I would like to give people the freedom to choose, naturally taking into account all the advantages and disadvantages associated with that choice.

steadfasterX it is clearly stated that for best security you should use a modern (Pixel) phone and switch to GrapheneOS
Watermelon That doesn't mean that AXP.OS Pro with the stated purpose of being a balance between security, privacy, and usability should throw out all security and privacy by being pre-rooted.

The GrapheneOS hint is meant for ppl wanting a real secure device and that was no ref for AXP.OS Pro being a balance between security, privacy and usability. Balance means the system is de-googled* (privacy), deblobbed (privacy), the OS patched (security), verified boot enabled (security), encryption enforced (security), the bootloader can be locked (security), selinux enforced (security), while still be able to make the most out of it (usability), like even using Google apps - if wanted and explicitly enabled. Of course not all devices support locking the bootloader and/or verified boot as mentioned. Nevertheless, it should be up to users to decide which path to take, i.e., freedom of choice, as I said.

*in terms of calling home on Pro and completely on Slim. Pro comes with MicroG+Play pre-installed while Slim not but both have standard calls to e.g. Google and others like QualComm removed, mainly handled by the deblobber and several patches.

btw: many people think that infections of malware happen out of nowhere but that is rare. Most infections are possible just because of user actions, so the human is the main gateway here. You can buy and enable a lot of technical prevention, malware scan, behavior & bot detection, doing all these in hard and software, scan SSL traffic etc. but at the end the human is the key for a successful infection. This is my experience but also by many others. What I want to say is even if you use e.g. GrapheneOS and do all things technically possible, there is always a way which can catch a human at a bad day, extreme personalized mail and it's done.
No, I don't compare GrapheneOS with AXP.OS, as said. It is just not everyone can effort a modern device or want to make use of legacy devices instead of throwing it in the trash. AXP.OS enables the reuse of such devices. It is the users choice if he/she wants to take the risk using Pro or Slim as a daily driver or not like it is with any custom OS.

Watermelon Even a secure hash algorithm might not provide security, depending on the website configuration and HTTPS/TLS support.

hash algorithms for files are not meant to be for security (imho, and yes I am aware that many think different which is only partly true). for me they are just for file integrity which can be kind of security of course (but no, not if taken it seriously*). so mainly meant for detecting if a file gets corrupted during the download (bad transfer, disk etc).

the only reliable way for security in that regard (regardless of the transport method) is securely signing the file itself or its hash sum file (which is the ideal mix), imo. that way (in the hope the signer protects his/her signing keys and using them offline) we still cannot be 100% safe but at least that's the most practical barrier possible. As always and as you know, the aim is to reduce risks, as there is no such thing as 100% security.

*the server could have been compromised and providing a valid (compromised) sha512 as download / on the website. for me hash sums (if unsigned) are not a real security measure at all (and likely the reason why I still provided md5 sums for my fun project "mAid" at that time). as said I will do better with the next release though.

Watermelon As I said, I don't think you're doing it out of malice

true, you just said that I am incompetent, a fool and have zero security knowledge ;)
Yes, not exactly like that, but that is the essence that I (and probably others) derive from the sometimes overly explicit statements.

Yes, I provided MD5 hashes for my (not AXP.OS related) fun project mAid and I have to admit that I should have changed that earlier as we all know why. That's on me for sure. As mentioned earlier even sha512 sums are not something you can rely on alone. That is why AXP.OS hash files are sha512 + signed and the reason why that will happen with mAid soon, too.

Watermelon And I and another person I know have used mAid and liked it.

I'm really glad to hear that, because that's exactly what it was intended for - to be useful, hopefully.

Watermelon [...] to install mAid and use it as a primary desktop OS [..]

btw (not that you will care but still want to mention it at least): installing mAid should be done from a nightly anyways (which were available at that time as well and included any later XZ package).
I might remove the installer completely from the stable ones because a nightly is always more recent (and so require much less download volume during the installation) and also usually fixes upstream (installation-related) issues.

Watermelon

(@steadfasterX After having partially written a comprehensive reply to you, the page refreshed and the draft was lost. I had to write everything again. Extremely frustrating!!!!!!!!!!!!!)

steadfasterX sorry if that sounded like the only proof for being "free of malware".

It didn't sound like this. I just don't see how it can disprove that something has malware, so I didn't check it.

steadfasterX ah well, then I know where the misunderstanding might come from. ppl might interpret that as it would ENABLE it but that is not the case. it "just" means that it won't get unusable with that (if the device/OS supports it). it does not disable verified boot and it still allows to lock the bootloader keeping the whole chain intact (as long as the device/OS supports it).

It doesn't matter that it has to be enabled. Assuming the user already enabled it and granted root access to something: the user reboots their device, the OS gets checked, and then an app gets complete access to the device. This happens at every boot. It nullifies the security benefit of checking the OS at boot. Verified boot doesn't make sense if unchecked apps can get OS-level privileges, or the checked OS isn't enforcing security restrictions on apps. Even if the user hasn't enabled root access, the user can't rely on verified boot as a security feature because of this loophole. And it's made even less reliable with the potential for vulnerabilities in the root implementation.

steadfasterX I have added that one to the projects FP4 known issues, too. Thanks!

I appreciate this!

steadfasterX the demand for root is there

I absolutely agree that it can be useful.

steadfasterX patches and exploit mitigation are useful to make things harder even on a rooted device.

Root largely (at best case) makes exploit mitigations and security patches irrelevant. From the POV of the user, it's always a great risk (risk–reward) to grant root access due to how invasive and permanent it is. And once malicious code (in a malicious app, or injected into a legitimate app granted root access) has obtained root access, no exploits are necessary. But of course, there could still be benefits to having exploit mitigations and security patches if nothing bad happens with the root access.

steadfasterX how does a user know which app is trustworthy - at all?

The thing is, I don't have to completely trust apps, because they're sandboxed. And GrapheneOS even extends the sandbox with user-facing behavior changes like being able to grant more fine-grained permissions like Storage Scopes. Surely malware could always try to exploit the OS to escape the sandbox, so it would be irresponsible to run any app carelessly. But with root granted, no exploits are needed.

steadfasterX Look at Apple, they know what is the best for their users and so take the decisions for them what you can do, what not and how they are allowed to do things.

Apple's excuses for not allowing sideloading are bad excuses. Yes, it reduces security risks, just as not using a smartphone or computer at all would make you secure — that doesn't mean it's a correct approach because people need usable phones and we have a right for autonomy to decide for ourselves which software we would like to run on our personal phones, which are general computing devices rather than limited in purpose like e.g. game consoles (and there's still people who'd like to run arbitrary software on them too). It's especially bad given that the authority that decides which apps are permitted on iPhones is a huge company that's corrupted by money as all huge companies are.

Compare that to GrapheneOS, a nonprofit vendor-neutral OS that uses security features like verified boot and sandboxing to the benefit of the user. Sure, it could be limited sometimes, but the user-oriented approach, the immense security from them and all the extra hardenings and features, and the nonprofit model make it feel liberating, much more than I would've felt with root access, which was my other consideration before I decided to go with GrapheneOS.

steadfasterX selinux enforced (security)

SELinux is a confinement feature, but root apps can't be confined to have true root access, so either this is misleading or there's no true root access.

steadfasterX *the server could have been compromised and providing a valid (compromised) sha512 as download / on the website.

I mentioned that when I said it depends on the website setup.

steadfasterX I have updated the mAid website accordingly, added sha512 for all recent mAid ISO's and signed all these hashes via the mAid gpg key. a short guide how to make use of all this has been added as well ofc.

Appreciate this too

steadfasterX

jfi and even though that is (still) totally off-topic: I have updated the mAid website accordingly, added sha512 for all recent mAid ISO's and signed all these hashes via the mAid gpg key. a short guide how to make use of all this has been added as well ofc.

steadfasterX

Watermelon

Watermelon page refreshed and the draft was lost. I had to write everything again. Extremely frustrating!!!

I feel you ! :) I can't tell how much I hate when things like that happen..

Watermelon Assuming the user already enabled it and granted root access to something

actually this is the key point. this is where malware can easily step in and the reason why it has to be enabled first. this is also one reason why patching the system totally makes sense also on Pro, to avoid known exploits can be used to bypass the user decision not enabling root on Pro. as said: if you want to avoid that risk totally, use the Slim flavor but if you want to take the risk go with Pro. No one forces users using the Pro flavor at all. It is up to the user which he/she wants. I offer both and never said that the Pro is as secure as Slim even though the Pro flavor comes with the same set of security features (which, as said, are massively reduced when enabling root).

If the user decides enabling root it IS a high risk but verified boot even then makes still a (little) sense as said (malware must take another barrier, which means some work, and as also said there is no limit if an attacker is serious). It does not nullify but reduce the benefits of verified boot from 100% to 1%, that is what I tried to say. there is still more to do on the attacker site and avoids script kiddies attacks which are brainless trying to change / modify things/the OS, apps etc. Most attackers are not high level code experts or anything, they use pre-configured kits which allow them to do what they want to do. if they have full access to 1000 systems with such a kit and 1 is requiring manual work (even it is 2 or 3 clicks away) they will likely skip it and proceed with the 999 others. I can just repeat myself again and again but I never declined that the barriers of verified boot on a rooted system are high or something which cannot be easily bypassed I just say it adds another tiny barrier, regardless how low it is, every millimeter counts. if ... yes if.. the user decides to use Pro and enables root instead of choosing Slim.

Basically, it's like this: either you restrict users as much as possible so that they have no opportunity to compromise security, or you give them (total) freedom of choose. I prefer the latter.

I never said that using AXP.OS Pro + enabling root + having verified boot enabled + having the bootloader locked will give you a secure device but should I stop patching it so the device can be attacked more likely even remotely / without user interactions? should I stop enabling as much barriers as possible even though they can by bypassed with manual work on attackers site? Well not my POV even though it sounds like it is yours.

it all starts and ends with the user. the user decides if he/she chooses Slim or Pro and if he/she enables root, what apps he/she installs and from where. as said, most malware infections coming from user actions, regardless how much you lock down a device or your network. if the user wants to click the link, open the attachment, etc. he will do so. Ofc there are infections possible if a "trusted" app or app store has been compromised. Ofc if you use a system which is more restricted, have no full access, have no root access, etc the attack surface is automatically way lower, no matter what. If you prefer that choose the Slim flavor. If you want to take the risks use Pro. it is a personal decision and depends on the user requirements.

the attack surface is incredible higher when having root enabled and yes not having root offered at all will reduce it dramatically. still.. it is something users still request and the Pro flavor satisfies this requirement. the user is free to choose the Slim flavor instead for a safer experience (whereby “safer” does not necessarily mean safe for the mentioned reasons about legacy devices).

Watermelon Even if the user hasn't enabled root access, the user can't rely on verified boot as a security feature because of this loophole. And it's made even less reliable with the potential for vulnerabilities in the root implementation.

If the user does not enable it, it is not accessible at all. regardless how and regardless of exploits within Magisk. and another reason why patching the Pro flavor totally makes sense to keep it like that.

Watermelon there could still be benefits to having exploit mitigations and security patches if nothing bad happens with the root access.

exactly what I was referring to.

Watermelon SELinux is a confinement feature, but root apps can't be confined to have true root access, so either this is misleading or there's no true root access.

even though there is root access selinux is still in place and it cannot be disabled in AXP.OS Slim (and in Pro starting with the October builds, too). Yes, even not with root (disabled on kernel level).

Watermelon I mentioned that when I said it depends on the website setup.

and I say that it does not matter how secure your website setup is as it can be still not fully trusted. regardless if using TLS, providing sha512sums etc. at the end you need a (secure) hash sum which you need to trust regardless how it was transmitted / offered. that is why having it signed on top of that is mandatory and that is not related to the website setup at all.

TL;DR
AXP.OS - Pro is for those having the need and accepting the risks while Slim for those normally choose a "classic" setup. The Pro flavor is not meant to be as secure as Slim and due to the risks many enabled security features are dramatically reduced in the Pro flavor, especially when the user decides to enable root.

Watermelon

steadfasterX I never said that using AXP.OS Pro + enabling root + having verified boot enabled + having the bootloader locked will give you a secure device but should I stop patching it so the device can be attacked more likely even remotely / without user interactions? should I stop enabling as much barriers as possible even though they can by bypassed with manual work on attackers site? Well not my POV even though it sounds like it is yours.

My POV is that either you shouldn't advertise security as a feature/security features in a pre-rooted OS that you added the feature of being pre-rooted to it where it's not a standard expected thing in the ecosystem, or not make it pre-rooted. My criticism is that it's pre-rooted while presenting itself as having a balance including security. Security is an active effort, and my criticism is also that this effort goes to waste if you add a feature that severely diminishes the security benefit of the security features. I don't think it's a good thing to degrade security (e.g. by adding root, or by removing/ceasing to add more security patches/features), and I don't think it's a good thing to make an effort just to trash the effort later.

steadfasterX If the user does not enable it, it is not accessible at all. regardless how and regardless of exploits within Magisk. and another reason why patching the Pro flavor totally makes sense to keep it like that.

This doesn't refute my point that you wrote this as a reply to. With GrapheneOS, when I reboot my device I know that the entire OS and preinstalled apps are either cleansed of malicious modifications or prevented from starting. Also relevant is that there's mandatory sandboxing on all apps, with no loophole[1] designed into the OS to allow one app to mess with the permissions or security settings of stuff other than itself, or granting itself more access than I permitted it. So when I boot my GrapheneOS phone, I know I'm starting a clean OS and I know[1] the clean OS enforces security on my apps. Verified boot as a feature is a powerful guarantee. It's a guarantee because it doesn't have any exemptions designed into it[1]. Having root implemented in the OS is a loophole that breaks this guarantee, even if you never enable root access and even if it's perfectly secure from being maliciously enabled somehow. It becomes a broken feature. And the whole point of verifying the OS is because the OS enforces overall security. If an app is granted root access, it overrides all security on the device, and then what's the point of verifying the OS? And if the root implementation is not to be used, what's the point of having it installed?

([1] On GrapheneOS/Android there's some dangerous permissions, like accessibility permission. This is still more limited than root access, can be revoked through Safe Mode (directly, or by disabling the app and then revoking in normal boot mode), can be blocked by other apps if they wish, I never grant such dangerous permissions to any app, and I wish they were removed (except specifically the accessibility permission which has a legitimate usecase of helping people with disabilities), rather than saying that I want these dangerous permissions to stay available because they're “good” features. There's also developer mode and ADB, which are also a problem.)

steadfasterX even though there is root access selinux is still in place and it cannot be disabled in AXP.OS Slim (and in Pro starting with the October builds, too). Yes, even not with root (disabled on kernel level).

This also doesn't refute my point. SELinux is a confinement feature. Saying that SELinux is enabled and can't be disabled, while also saying the OS is pre-rooted which allows an app to completely override SELinux, is misleading. Either apps granted root are still confined, therefore they don't really have root access, or they're not confined anymore, which means that they (and everything they may wish to execute, or anything injected into them) completely bypass confinement.

steadfasterX and I say that it does not matter how secure your website setup is as it can be still not fully trusted. regardless if using TLS, providing sha512sums etc. at the end you need a (secure) hash sum which you need to trust regardless how it was transmitted / offered. that is why having it signed on top of that is mandatory

This is fallacious thinking. It's not mandatory. The signing key would still have to be presented to users, through a website. The difference is that with checksums that differ for each version/update the user has to trust the website and the connection to the website to not have been compromised each time they access the checksums, whereas with a signing key the user can get the public key once, and use the same unchanging public key to verify all future signed checksums/release files and future public keys.

steadfasterX and that is not related to the website setup at all.

Again, both methods (relying on only checksums/relying on a signing key and signed checksums) rely on the website setup being secure because both are provided through a website(s).

« Previous Page