  • Story: thank you for all these great protections!

I just installed a proprietary app via Aurora Store to do something where there is no alternative yet.

Apps have gotten crazy invasive.

The app starts and crashes immediately. Wants to use native code debugging, and if it wants that, it is like always a hard requirement. So I enabled it, poorly, and started it again.

2 more popups. The app wants to access the sensors and load code dynamically from memory.

Works fine without that though? What the hell was that code then? I set both popups to "ignore", thanks for the great UX here!

I want to load a file, and even though this uses the filechooser portal, for some reason the app wants access to ALL my files.

Well, no. I create an empty folder and allow it storage scopes to that.

The app does things and when exporting, it doesn't even use that directory! This was pure surveillance!

It saves the file in /Music which is an Android thing and likely irrelevant. All apps can write there, but only read the files they wrote themselves, afaik. Same with /Pictures

In the end I was able to use an app very uninvasively, which would otherwise spy the hell out of me and load random code.

Thank you so much for fixing Android!

    Wow, what a bad app! :O
    Long live GrapheneOS

    missing-root

    Well, no. I create an empty folder and allow it storage scopes to that.

    The app can store files and access the files it stored without giving it a scope. Only need to add scopes for where it can see and access files from other apps. This is what was possible to implement in an uninvasive way and is very usable since you only need to enable Storage Scopes and apps should work without adding any scopes.

    It saves the file in /Music which is an Android thing and likely irrelevant. All apps can write there, but only read the files they wrote themselves, afaik. Same with /Pictures

    Any app can save files to the special media directories but they can't access files from other apps there without a bulk access permission granted.

    Storage Scopes expands where they can save files based on their requested permissions while still not allowing them to access files from other apps. It makes them think they have all the permissions they request and extends the existing way Android handles this to everything they request.

    https://grapheneos.org/usage#storage-access covers how the standard Android storage access works and how storage scopes fits into it.

      GrapheneOS
      You guys are amazing, let's just be clear.
      I hopped over a month ago and wasn't really clear about my journey. Was just sure it is worth getting tested.
      And wow I heard here and there that GOS works "like a charm".
      And yes that is the point. Beautifully created with passion ;) like this forum.
      Saying this while my 2024 notebook's fan is ranting after an MX Linux installation, so I'm really, really happy I could trust my phone.
      If spending is worth it then to the GOS Team, kudos.
      Stay ahead please


      GrapheneOS apps should work without adding any scopes.

      Yes of course. Just in this case this bs app requested music and pictures access, without even needing it. These apps then simply block to work, as they bundle the request for this permission together with the filepicker portal opening action.

      So storage scopes were used to trick the app into working anyways, without actually granting anything.

      And yes, this "per app access" is really cool!

      Just here to also say "thank you"! GOS is an amazing project and gives me back control of my data and peace of mind.

      I have been reading for quite some time about GOS and I am very glad I finally switched. No bloatware, much more control gained back - with enhanced security. Many thanks for the hard work and dedication!
      PS: I will also thank you via a donation