This is a big list of questions I have about GrapheneOS. Sorry for the size. I recently installed GrapheneOS and it's working well.
Please keep in mind that I have read the entire GrapheneOS documentation in full, carefully, though my memory is not superhuman. I admit I don't understand some technical things but I think I understood the basics. Also, I want to point something out that I feel obligated to point out after asking for technical advice on various different services on the internet over the years, hopefully without sounding too arrogant: people generally underestimate what I know about the service and misinterpret the question. I can re-word the question if needed. Some questions may sound easy to answer but the answer might not be so self evident. As I said, I've read the documentation, and yet I still have questions.
Any answers involving "RTFM" do not apply here and I will completely ignore them. Secondly, I'm intolerant to toxicity and unwelcoming answers - if you have a problem with my question, if you think my questions are dumb, kindly don't answer. I only seek honest, thoughtful and friendly answers, without any of the vindictive, antagonizing, elitist bullshit. Lastly, I'm very aware that privacy and security are not the same thing, but the line between the two can be fuzzy. I'm more security focused but still have a high interest in privacy, and my threat model is higher than average. I left questions that are less specific to GrapheneOS at the end. I'm only asking these questions because I couldn't find the answer anywhere else, so please don't tell me to "Google it". Please take these into account before answering.
Security of Vanadium browser vs Tor Browser. "The Tor Browser's security is weak which makes the privacy protection weak.". This is the first I've heard of Tor Browser being insecure from a security and privacy perspective. On GrapheneOS, is using Vanadium over the Tor network more secure and private than using Tor Browser? As described in the docs, Vanadium is more secure than Tor on GrapheneOS (technical reasons that I don't remember or understand), but I've always heard using Tor Browser is the most secure browser to use over the Tor network (I know this is mostly applicable to desktop but unclear on if it applies to phones too). Why should I use Vanadium (with Orbot) over Tor (with Orbot)? And what makes Tor insecure from a security and privacy perspective?
"Avoid Gecko-based browsers like Firefox as they're currently much more vulnerable to exploitation and inherently add a huge amount of attack surface" I'd like a technical elaboration. Why is Vanadium so much more secure than other browsers on GrapheneOS, and does Vanadium have the same level of security and privacy on other operating systems? Side note, I'm aware that default desktop Firefox is insecure, but hardened with Arkenfox, it becomes the most robust browser for privacy and security. What's stopping developers from developing an arkenfox based fork of Firefox for Android? Would it be as strong on Android as it is for desktop? And if Vanadium is better than Firefox on GrapheneOS, could it be adapted to desktop and still out-compete other browsers for privacy and security? I assume there's a fundamental difference in the architecture of AOSP over desktop that make this complicated.
"Tor itself makes people into much more of a target (both locally and by the exit nodes)". I'd like more information. Is it talking about the browser, or the network? Using Tor properly, without bridges, in a country that doesn't ban the use of Tor, your ISP might flag you, but other than that they have no idea what you're doing. Using bridges, I don't see how using Tor makes you a target, and even if it did, given how much better Tor is compared to VPNs or the clearnet, there's no better option available that I'm aware of.
"If you're using a VPN, you should consider using the standard DNS service provided by the VPN service to avoid standing out from other users.", does this suggest using other DNS providers like cloudfare, Google and Quad9 make you stand out, or that not using any DNS provider makes you stand out?
https://grapheneos.org/faq#custom-dns, "Private DNS takes precedence over VPN-provided DNS". Some VPNs provide their own DNS, whether you specify that DNS on "Private DNS" or not. Say for example I use Mullvad VPN. I could leave the Private DNS blank, and use the VPN, which will still use its own DNS. However, they also allow you to specify the DNS manually (https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/#using-android). Is there a difference to specifying the DNS manually in Private DNS, to using the default DNS provided by the VPN? Are they the same address, and how do I find out? If Private DNS takes precedence over VPN-provided DNS, is there any use in specifying the VPN-provided DNS in Private DNS? I would assume it would make a difference on what setting the VPN is on; whether "Block All Connections" is on or not. If Private DNS is specified, all DNS requests made would use that DNS, while if I used the VPN only, the VPN would have to be in Always On mode. If I've got this wrong, let me know. Also, does DNS over TLS apply to all DNS addresses you use in Private DNS, or does the DNS address itself have to support DNS over TLS?
Is it worth using a root level firewall on GrapheneOS?. Do root firewalls take up a VPN slot? Does this section (https://grapheneos.org/faq#ad-blocking-apps) only apply to non-root based firewalls like NetGuard (an app I have used and enjoy, but I prefer RethinkDNS), or does it also include root firewalls like AFWall (an app I've never used and don't know anything about). I'm not really educated on the differences between root firewalls and non-root firewalls, except that non-root firewalls typically rely on a device-hosted VPN (I'm unclear on the security of this).
RethinkDNS (non-root firewall) has the following options to secure the network.
- Block all apps when device is locked
- Block any app not in use (background apps)
- Block connections when source app is unknown
- Block all UDP traffic except DNS and NTP
- Block connections when DNS is bypassed
- Block newly installed apps by default
- Block connections on metered network
- Block port 80 (insecure HTTP) traffic
- Block individual IP addresses and allow apps and IP addresses on a blacklist/whitelist basis.
- Monitor network traffic and display it in a GUI
- Display a list of all apps and allow convenient toggling of wifi/cellular access for each app on a single page.
- Allow or deny individual domains
- On-device blocklists
- Other features (eg. allows using Orbot, SOCKS5, DNS, etc)
Does the architecture or software of GrapheneOS make any of these security features irrelevant? I want more granular control over the network and only third party firewalls provide that. I'm not looking for a false sense of security, rather, I want to know if these toggles are necessary in GrapheneOS and if so, how they can be implemented. If they are useful but GrapheneOS doesn't mitigate these problems, then GrapheneOS should work toward providing us with these options, and in the meantime, I wonder if RDNS is worth using despite not having root access.
Should I use multiple profiles to increase security and/or privacy? Given app sandboxing within profiles, it seems redundant to separate identities in different profiles. Keep in mind that I'm aware all apps operate in a sandbox (except those few with root permissions?), and that apps can communicate with other apps in the same profile with permission, but can't communicate to apps in other profiles. I've also heard, in not so specific words, that the owner profile is not "special". However, the owner profile does have options that the other profiles do not, options that seem to be security sensitive. That being said, what special privileges does the Owner profile have over other profiles, and what would I NOT want to do in Owner that I should do in other profiles? Since each app is sandboxed, putting all your apps in the Owner profile seems perfectly acceptable. Is running the owner profile as your main profile secure, or is it like using an admin account on linux/windows desktop for daily use (ie. not secure)? The docs do recommend keeping different profiles for different identities, but I'm unclear on how that actually helps if each app is sandboxed. I read that apps can identify what profile they're in, but what are the security implications of this? What I'm really asking is how granular I should be with my profiles/identities (which I know is subjective but I'd like more information). On the extreme ends, I could put every app in its own profile, or put them all in one. Besides convenience, I'm unclear on exactly what the differences would be. It's often said that you should put Google apps in one profile, but is there a security disadvantage to putting apps that you have downloaded from other sources (F-Droid, Aurora, Github) in the same profile as apps downloaded from the Google Play store? Since the apps and Google can't speak to each other without permission, I don't see a problem with that.
Given the VPN slot limitation, what is the most secure service to use that VPN slot with? For maximum network security I would imagine using Orbot with VPN mode enabled is the most secure (side note, I don't know how Orbot works without VPN mode enabled). Since Tor is blocked on many sites and services (in my experience), I still need to use a VPN. On another device, I tended to switch back and forth between my VPN and Orbot, which was inconvenient, it would be nice if there was an app that allowed you to use both (not simultaneously, but to switch between the two easily, or make use of split tunnelling). I came across this article (https://itsignacioportal.github.io/netguard-pdnsf-any-vpn-combo/), I haven't read it but it doesn't say anything about Orbot. Then there are firewalls, which the GrapheneOS docs say are not recommended, though I don't know if it applies to root level firewalls too, and I personally feel like some firewalls (like RethinkDNS, which is non-root) have a lot of granular features that I like and find it hard to square with the simple phrase "they aren't recommended". To be fair, I didn't fully understand the explanation in the docs. However, RethinkDNS has some good features that I'm not sure GrapheneOS has or makes irrelevant (I have a question on this above).
I literally have no idea what any of this means.
"since all known hidden SSIDs end up being broadcast as part of scanning for networks to find them again." I think what this sentence is saying is that APs broadcast the BSSID/MAC address even if the SSID is hidden, and that the AP can still be mapped as part of Google's network mapping and visible on sites like wigle.net. I think it's also saying that you will still automatically reconnect to hidden networks using the list of saved networks on the device, and I remember hearing that the list itself can be broadcasted when scanning for new networks (I heard this from Naomi Brockwell on youtube). Ultimately, I don't understand how this is a reason not to connect to hidden networks since non-hidden APs work the same way.
"SSIDs are not broadcast for standard non-hidden APs". This sentence does not compute.
"Hidden APs are only hidden when no devices are connected." If it's suggesting the SSID is only hidden if no devices are connected, then that is simply false. If it's suggesting the BSSID is only hidden if no devices are connected, then that's news to me but doesn't explain why you shouldn't connect to hidden networks.
"It makes little sense as a privacy feature" and "The feature reduces your privacy rather than increasing it". What does, connecting to a hidden network, or hiding your own SSID? Hiding your own SSID might not hide the BSSID but it's better than keeping it visible. How does hiding the SSID decrease privacy? Regardless of whether the BSSID is still being broadcast, hiding your SSID means there's one less piece of information that your neighbors, hackers, and sites like wigle.net will have access to.
"especially for a non-mobile AP where knowing the AP exists can't be used for tracking it since it doesn't move". I don't know what this means.
"If you need to use a hidden AP, make sure to delete the saved network afterwards.". This is true for all public networks regardless of whether it's hidden or not.
- What's the security benefit of sideloading updates?
The following questions are not specific to GrapheneOS. If they don't belong in this section I can just edit them out at request.
If you haven't seen Side of Burritos' videos on app repositories and the security problems they have, you may not understand this question (and I recommend watching them). According to Side of Burritos, the most secure (albeit not most private) way to download apps is through the official Google play store (not Aurora). I can understand why Google Play Store is more secure than F-Droid but I can't imagine that the security advantages would outweigh the privacy disadvantages. The way I see it, this is the order that I would prioritize downloads in: Direct from Github/Gitlab, Droidify, F-Droid, Aurora, Google. I know getting apps directly from github can be risky, but there are risks associated with all other methods too but without the tracking that comes along with it. Also, devs push updates directly to Github, so I'm getting the latest updates via an RSS reader, while other sources have a delay before being updated. Should I really prioritize installing apps through Google over the others given that apps are sandboxed and I have granular control over their permissions?
Is there any security advantage of using MAC randomization while connected to your home network?
How does Wifi calling work if you still need a SIM card inserted? You can't make WiFi calls unless you have a SIM card. It's still using the phone carrier's unencrypted network, right?
How does Orbot work without VPN mode enabled? Doesn't VPN mode need to be enabled for all traffic to be routed through the network?
This question is more broad and probably more theoretical than practical (I will probably ask the same question on Reddit). Can a device with Airplane mode on still communicate to/from external devices? Are there any known vulnerabilities, like side-channel attacks? I'm asking this out of curiousity.
What are your thoughts on the apps Duress and Wasted? I think GrapheneOS is planning on implementing Duress passwords, I'm keen on that update.
Why do some sites (eg. com.google.android.gsf) start with com? Usually the TLD is at the end. Is this because they are CDNs? If so, why do CDNs have the TLD at the beginning of the URL?
Not really a question but an observation. I'm highly excited for FIDO2 support. I'd like to be able to unlock my phone using a hardware key, either through NFC or inserting the key directly into the phone and tapping it. I'd also like to be able to use WebAuthn on the phone, which is what most people will use, although I'm personally more excited for device decryption with a hardware key. The more services and devices that support hardware keys the better. I think hardware keys should be mainstream at this point, but I understand this will take a long time and a lot of resources to implement on a global scale.