This may be a dumb question, but it's been on the back of my mind while working through getting comfortable with GrapheneOS and some hardened Firefox changes.

Is there a way to quantify or confirm your security changes as it relates to GrapheneOS? Say you delete Facebook app from your phone completely, how do you quantify that this change has done anything? How do you audit and continually improve your security posture?

I would assume that a lot of this comes from understanding the trackers and other data collected by specific apps. Is there a definitive list that describes what each app does or doesn't do?

Appreciate the community!

    If you want to see your personal progress, you could set up something like NextDNS and make screenshots or exports of all the connections your phone makes over time. You'll see that with removing apps, restricting permissions and using the many features of GrapheneOS, less and less information will get out.

    It's not a perfect metric as there are more ways to improve privacy (e.g. instead of not sharing data, you could share false data to improve your privacy). But it's a good start.

      Forgot to mention 3 things:

      • Your question is not dumb at all :)
      • Firefox is not really secure on Android; people will recommend that you use Vanadium or Brave instead
      • There are lists and apps for exposing trackers (Exodus is the most famous one to my knowledge). But they are not a reliable source and a first impression at best. Nobody can tell you what kind of tracking is embedded in proprietary apps except the developers themselves. Third-party trackers are more easily identified, but rarely tell the whole story.
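Added example (not part of the original thread or any poster's code): one way to turn the before/after DNS log exports suggested above into numbers. The CSV text is constructed sample data, and the column name `domain` is an assumption about the export format; change it to match the file your resolver produces.

```python
import csv
import io
from collections import Counter

# Constructed sample exports, not real logs. Real exports carry more columns;
# only the assumed "domain" column is read here.
BEFORE_CSV = """timestamp,domain
2024-01-01T08:00:00Z,graph.facebook.com
2024-01-01T08:00:05Z,graph.facebook.com
2024-01-01T08:01:00Z,tracker.example.net
2024-01-01T08:02:00Z,time.example.org
2024-01-01T08:03:00Z,cdn.example.com
"""
AFTER_CSV = """timestamp,domain
2024-02-01T08:00:00Z,time.example.org
2024-02-01T08:02:00Z,CDN.example.com.
2024-02-01T08:03:00Z,updates.example.org
"""

def load_counts(csv_text, domain_col="domain"):
    """Return a Counter of queries per domain from one exported log."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if domain_col not in (reader.fieldnames or []):
        raise ValueError(f"column {domain_col!r} not found in export")
    counts = Counter()
    for row in reader:
        # Normalise case and a trailing dot so the same name is counted once.
        name = (row[domain_col] or "").strip().lower().rstrip(".")
        if name:
            counts[name] += 1
    return counts

def compare(before, after):
    """Summarise how the contacted domains changed between two periods."""
    b, a = set(before), set(after)
    return {
        "queries_before": sum(before.values()),
        "queries_after": sum(after.values()),
        "domains_before": len(b),
        "domains_after": len(a),
        "gone": sorted(b - a),  # contacted in the baseline, not afterwards
        "new": sorted(a - b),   # first seen after the change
    }

if __name__ == "__main__":
    report = compare(load_counts(BEFORE_CSV), load_counts(AFTER_CSV))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Compare periods of equal length and similar phone usage, otherwise the totals mostly reflect how much the device was used.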

        N1b FYI, PCAP is a much more advanced network monitor that can tell you which apps are making which connections, and even has a companion app that lets you perform packet inspection. Gives you a lot more data about what sort of connections your apps are making.

          hemlockiv I'm testing this app out right now. This is a really neat app.

          N1b Yeah I stick to Vanadium on mobile and Arkenfox's user.js for Firefox on the desktop. Thanks for your insight!

          smash0573
          Security should always be measured against a given adversary/threat.

          For a very obvious example, let's say that you use Mullvad VPN. In doing so you have increased your security against many adversaries but have decreased your security against Mullvad.

          Deleting Facebook reduces your exposure to Meta and all of its associates. How much it has done so depends on what other Meta products you use, how you set up and used Facebook, what (if anything) you have replaced Facebook with, what threat actors you want security against, etc.
