Auditor for dummies

kebab_definite

What can auditor check and what not?
For with use case is it use full?

In with cases will auditor tell me something is wrong?

I read all i can find on gos but don't understand it really.

trashaccount

Hardware and software integrity. It assures you that you're using the official GrapheneOS on safe hardware.

kebab_definite

trashaccount so it can't detect any malware? Or only if the malware has done something with the system?

Xtreix

kebab_definite No, Auditor is not a anti-malware, it check that the identity of the entire system and hardware has not been altered, and that the device is trustworthy.

Anti-malware doesn't really work on an Android system because all applications are strictly sandboxed, especially on GrapheneOS, so it's much more likely to give you false positives with a false sense of security, it's not a real security feature.

Tavis used to offer an scanner app as part of its DivestOS, but the project has been discontinued, it's the only malware scanner I've tried : https://gitlab.com/divested-mobile/hypatia

You are your own first line of defense.

trashaccount

kebab_definite It could detect if the malware managed to modify the system. But rebooting would also tell you that, because of verified boot.

Watermelon

Xtreix Anti-malware doesn't really work on an Android system because all applications are strictly sandboxed

Anti-malware does work, it can scan all the code (both Dalvik and native code) of the installed apps, and can also scan files in the shared storage. What it can't do is scan the private data that apps store in their internal app storage, and it can't scan the memory/processes at all. Also it can scan the OS itself to detect malware, but it's stupid because GrapheneOS itself is trustworthy and if it wasn't trustworthy it could completely hide that from the anti-malware scanner, and GrapheneOS uses extended verified boot to ensure it wouldn't be compromised further much more than stock Android.

Xtreix give you false positives with a false sense of security

It's still useful. Sandboxing isn't the perfect solution against malware. Malware can still abuse the permissions it's given, and it can trick users to give it these permissions. Also the increased sandboxing on GrapheneOS doesn't make it more likely that it'd have false positives. Also even trustworthy apps can contain malicious libraries, and you'd want to have something to try to detect this.

Xtreix Tavis used to offer an scanner app as part of its DivestOS, but the project has been discontinued, it's the only malware scanner I've tried

If you have Google Play Store and haven't turned off Google Play Protect, then you've also used that.

DeletedUser237

Watermelon Anti-malware does work

Watermelon It's still useful

Watermelon Also even trustworthy apps can contain malicious libraries, and you'd want to have something to try to detect this.

What apps exactly you have in mind, when saying there are working, useful anti-malware solutions for Android. Ones that actually not rely on atomic detections.

Carlos-Anso

@Watermelon Ive deleted your post as you make numerous claims that are not true and do so with an authoritative tone, while giving lots of technical details, some which are true and some which are incorrect. In other places you suggested you are guessing as to how things work.

This is not a good way to engage. It will mislead or confuse people that read your posts. It puts an unreasonable burden on our moderation team. We dont always have capacity to give long technical answers to long sprawling posts.

This is not a good way to get attention from the moderation or development team.

I would suggest you spend more time researching your theories before making worrying claims. For example look at a number of the endless write ups of malware that used the 'Display over other apps' permission to see how they can leverage that permission and what its limitations are. While it can be problematic, by itself it doesnt pose nearly as big a threat as your post suggested.

Watermelon

Carlos-Anso Ive deleted your post as you make numerous claims that are not true and do so with an authoritative tone, while giving lots of technical details, some which are true and some which are incorrect. In other places you suggested you are guessing as to how things work.

Hello, I'm fine with your action, but I want to clarify a few things. I put in the beginning of my post that I've previously written stuff about the Auditor app and it got deleted by the mods so the reader would know that there could be inaccuracies and that I'm not part of your team whatsoever, I don't have the lightning icon on my name which indicates users which are moderators on the forum, and I even said that I'll flag my own post for moderation review, so I'm not sure why it came across as me speaking in an authoritative tone. The places where I guessed how it works are very minimal, and as for the rest, I did my research including talking with your project leader and I'm not sure which of my claims are incorrect. I glossed over technical details where I felt it's necessary to explain it to someone clueless that read all the current documentation and descriptions of the app and still doesn't understand it (e.g. the original poster).

Carlos-Anso This is not a good way to get attention from the moderation or development team.

I couldn't flag my own post so I tagged the GrapheneOS account. Is there a better way to get moderation attention?

Carlos-Anso I would suggest you spend more time researching your theories before making worrying claims.

I wasn't making theories, I was saying what I know, and I did my research. Also to better improve my knowledge I'd be happy to know which of the claims I made were incorrect.

Carlos-Anso For example look at a number of the endless write ups of malware that used the 'Display over other apps' permission to see how they can leverage that permission and what its limitations are. While it can be problematic, by itself it doesnt pose nearly as big a threat as your post suggested.

I actually didn't think this permission is too dangerous, so I researched it and then discovered that it is incredibly dangerous because it has nontrivial security implications that aren't immediately clear when users think of an app displaying over other apps. So I didn't say this permission is dangerous without researching, I researched and that's what I concluded about it. For what I know, it gives apps the permission to draw over the entire screen whatever they want and intercept touches. That means they can fake/spoof any screen and not forward user's touches to the apps displaying underneath its overlay. Is that not true??

Watermelon

DeletedUser237 I don't know what you mean by "atomic detections" and I wouldn't call them "solutions" as they don't solve anything, they're just an added defence that shouldn't be given up because of misconceptions. With that said you can try to find a lightweight scanning app that doesn't insist on getting any permissions from you other than basic permissions like Network and Notifications.

DeletedUser237

Watermelon Atomic detections rely on static stuff like hashes, for example of said 'bad' libraries. Solutions in this context refer to products/apps that are a working anti-malware one that is tested and proven to be reliable. Afaik there's none. Most are a marketing bullshit bingo..

I'd like to hear about the ones you can recommend.

Watermelon

Watermelon The places where I guessed how it works are very minimal

Correction: I didn't guess anything. The places where I was unsure of how things work are very minimal, there's only two of those that I can see and I made sure to be explicit that I'm unsure about them. They were:

I was unsure how exactly the verified OS chains verification to the Auditor app on the auditee's device.
I was unsure if adding the serial number, or any other identifiers unique to any specific device if they exist, to the attestation information in the hardware-verified section of the output can help a user know that the attesting (auditee) device is their genuine untampered device.

In both cases I made sure to say that I'm unsure, and as far as I can see this is limited to only these two things.

Watermelon

DeletedUser237 Atomic detections rely on static stuff like hashes, for example of said 'bad' libraries.

I've never heard them being called "atomic". I've always heard the term "atomic" in the meaning of an operation that if it fails in the middle it's as if it hadn't started to happen, i.e. it doesn't ever leave a broken middle state but always either doesn't happen at all or happens completely.

DeletedUser237 Solutions in this context refer to products/apps that are a working anti-malware one that is tested and proven to be reliable. Afaik there's none.

I understand what you mean but it's a bit of a bad word to call them solutions because they'll never be perfect. GrapheneOS with its improved sandboxing is closer to what I'd call a solution and yet it doesn't prevent malware, it only helps to contain it, which can still be insufficient in certain cases. And there are tested products actually, look up AV-Test, AV-Comparatives, and the such.

DeletedUser237 I'd like to hear about the ones you can recommend.

First of all I recommend having Google Play Protect and enabling it to scan all apps rather than only Google Play apps, but I'm not recommending it because it has a good detection rate, I'm recommending it because it comes by default inside Google Play Store and it's very lightweight and stays out of the way, so I think it'd be a shame to give up on it. As for other recommendations, I recommend checking AV-Test, AV-Comparatives, etc., I don't want to recommend something myself. I also recommend getting a scanner that stays out of your way and focuses on scanning apps and files rather than trying to scan links/SMS/etc. or seeing which apps you open and warning you on opening them by using the "Usage access" and "Display over other apps" permissions, for example. And don't give any anti-malware scanner the device admin permission, they don't need it and you could find all of your data wiped if you grant that to an untrustworthy app. They could also ask for accessibility permission, I think all of these permissions are just excessive and not truly needed. If you grant a scanner the Notifications permission, I think it suffices to inform you if you installed something it detects as malware, just make sure you don't silence these notifications and act upon them rather than ignoring them, and I think that'd be fine. And always keep in mind that no scanner is perfect, and there could always be false positives. If it detects an app as malicious, try to compare the benefits versus the downsides and choose whether you really need that app. You can still use the app and just not give it permission to access or overwrite your data, for example.