  • Email security on GrapheneOS vs desktop (eg. Linux)

I recall the GOS forum account mentioning that GrapheneOS is more secure than any desktop OS right now (which I think is very likely).

I have been using Tuta and Proton on my phone for about 2 years. Would I be correct in deducing that I am less likely to be compromised by a malicious email attachment on GrapheneOS, than I am on desktop? If I ever need to use my email on desktop, I would use it in Brave browser installed via flatpak, on Fedora Workstation. Flatpak uses bubblewrap as sandboxing, but Android's sandboxing is far superior.

I'm also curious about what systems most email malware targets, besides Windows. Is malware sent via email attachment more likely to target Android, iOS, or macOS? This question might be best answered by GOS or someone with experience in cyber security.

    gk7ncklxlts99w1

    gk7ncklxlts99w1 The phone will almost always be more secure. It has a different threat model than a desktop. On the desktop I suggest encrypting everything sensitive, even the drive. Most Linux installation clients will offer something similar for the entire drive; that's a good start.

      Klingerman01

      Encryption has nothing to do with my question, and it would not protect you against malware if you're using the very disk you encrypted to install the malware. You need to decrypt the disk for it to be usable, at which point your data becomes vulnerable.

      • thmf replied to this.

        The number one protection is not opening email attachments at all (if you don't trust the source).

        If for some reason you have to do this, you probably should rather set up a VM and open them inside it.

        And for PDFs in general, they explain their features best themselves:
        https://github.com/GrapheneOS/PdfViewer

          gk7ncklxlts99w1 it would not protect you against malware

          At least it'll protect the malware itself :)

          I am just a N00b and I am no security expert. I am not saying that Flatpak is inherently bad, but my understanding is that it could be used in a more insidious way to run code or access resources that otherwise wouldn't be allowed.

          As much as I use VMs, a hypervisor can also increase the overall complexity of the system. I would personally not assume that the hypervisor is hardened by default. I personally would not enable features like shared memory or shared clipboard if there is a need for more security; these are likely not the most important but they might be overlooked. Some hypervisors likely do better than others in terms of hardening but I would suggest reading the manpages. Some hypervisors may also come with unnecessary packages, or lack features as provided by the package manager. It's on my to-do list so I can't speak too much for it. There are likely 50 other areas to harden first or I might have underestimated its importance.

            tV0gr

            If it is a realistic concern for them that whatever targets them could even exploit a VM, they could live boot (all disks must be encrypted for this, of course), or to be really safe one could get something like a Raspberry Pi and use this for it.

              gk7ncklxlts99w1 I recall the GOS forum account mentioning that GrapheneOS is more secure than any desktop OS right now (which I think is very likely).

              That's not just very likely, that's a fact. Desktop OSes don't even come close.

              gk7ncklxlts99w1 Would I be correct in deducing that I am less likely to be compromised by a malicious email attachment on GrapheneOS, than I am on desktop?

              Generally yes, but this also depends on the programs you use and the settings of the email program, for example it is important to deactivate scripting and dynamic content.

              gk7ncklxlts99w1 If I ever need to use my email on desktop, I would use it in Brave browser installed via flatpak

              Using a browser for this is a good way to view emails and their attached PDFs, due to the browser's additional security measures like sandboxing. But using the browser as a Flatpak is not a good idea, since it weakens the browser's own sandboxing.

                TheGodfather Using a browser for this is a good way to view emails and their attached PDFs, due to the browser's additional security measures like sandboxing. But using the browser as a Flatpak is not a good idea, since it weakens the browser's own sandboxing.

                This, especially Chromium-based browsers. The following is my own (perhaps flawed) understanding: there are different kinds of sandboxes, and using for example Chrome in a Flatpak will cripple Chrome's own robust sandboxing, which I believe is more focused towards site isolation in the browser itself? While Flatpak (with bwrap) sandboxes things more from the OS. So I believe it could depend on your use case and how you would use Chrome in this example. Would you value it being more 'separated' from the OS, but having weaker site isolation in the browser itself, or the contrary?

                This is my own understanding currently of this pretty complex matter, and I'm mainly posting this as perhaps an expert could shed some light on my perhaps flawed view and clear some things up.

                  dhhdjbd

                  The ill-conceived advice to simply not open attachments at all is completely impractical, along with other sagely advice like "don't ever connect to the internet".

                  VM is not really part of my question though, I'm aware they would provide some additional security but for simplicity I'm just asking for hosts. A follow-up question could be: could malware installed via email attachment in a VM be more damaging than on Android, and how likely is it the malware will escape the VM? VM escapes are notoriously difficult to perform, so it's beyond the scope of my question.

                  tV0gr compared to not using flatpak, like installing from your default package manager? To my understanding, malware would have a harder time escaping bubblewrap than it would otherwise, but I guess your default package manager is less likely to have malware in the first place.

                  dhhdjbd My question only addresses common garden-variety malware, not spear phishing attacks or attacks carried out by nation states.

                  TheGodfather

                  Generally yes, but this also depends on the programs you use and the settings of the email program, for example it is important to deactivate scripting and dynamic content.

                  I would imagine Tuta and Proton take their security more seriously than any other email providers, I'm guessing they address those things.

                  But using the browser as a Flatpak is not a good idea, since it weakens the browser's own sandboxing.

                  Can you elaborate? So it's better to use your distro's package manager instead of flatpak?

                    r134a

                    I think your comment really reflects the complex nature of this subject. Every time I try to learn about browser security and sandboxing, the subject goes in a hundred different directions. It is indeed very complicated.

                    But if it's a fact that GrapheneOS is more secure than any desktop OS, then that should mean you're much better off running an email client on your phone than on desktop. I just want to know if my reasoning is correct, cause a lot of the things I do for security I do based on assumption.

                      gk7ncklxlts99w1 But if it's a fact that GrapheneOS is more secure than any desktop OS

                      I believe on the topic of browsers it actually is.
                      Vanadium is hard to beat from a security perspective, I believe no browser on desktop could even come close. It has the full (hardened?) Chromium sandbox, runs in the Android sandbox, and has userland SELinux enforcement. Though this again is based on my current (perhaps flawed) understanding.

                        r134a

                        I use the Tuta and Proton apps. I believe the Tuta app is effectively a browser. Maybe it would be even more secure to use these email clients in a browser instead of the apps?

                        There's probably no area in my threat model that requires as high a level of security as email. Of all the things I do, email security is my main focus. Which is why I care so much and why I'm so pedantic about it.

                        I said not to open attachments from sources you do not trust, not to never open any.

                        Opening attachments is essentially downloading a file onto your device and opening it / executing it there.

                        (Definitely the case for PDFs in the Proton app and in Proton in the Vanadium browser, for example. For some file types a preview is available though.)

                        It does not really matter that it was part of an email.
                        If you do this, anything can happen, who knows, maybe the app which you use to open a specific file type has a possible exploit.

                        But yes, it is not likely that random malware exploits the GrapheneOS PDF viewer (and WebView sandbox). It is realistically fine.

                          I really think some of the people advising and/or speaking about potential issues/threats when using XYZ software on anything but GOS have no understanding of how tech works and why the main account would say what they do about the benefits (security-wise) when interacting with various technologies.

                          This also unfortunately makes some people perceive that anything slightly out of the ordinary is valid proof that they got hacked.

                          People used email/web etc. for years even when GOS was not even in its creators' minds and they lived, and usually did not get popped. Same now. It's not like you will get popped by the first exploit available when you use Firefox on Linux while browsing your Hotmail email attachments. If you open any attachment without thinking OR you click any link you get from email/SMS/Signal I can guarantee you, no protection will be enough to save you. No exploit protection will save you. A recent vuln in the Chrome sandbox was so severe that even the researchers who discovered it found it hard to believe. And it did not even look that malicious in nature. All it took was a bug in the software.

                          I'd like more people to stop worrying and just use the software as it was intended to be used. No matter if it's Android, iOS, Linux or even Windows. You will be fine as long as you exercise caution and common sense.

                          If your work/nationality/location call for it, yes you will most likely want to skip certain tools/technologies. But you will know, you won't need some random forum stranger to tell you that.

                            gk7ncklxlts99w1 compared to not using flatpak, like installing from your default package manager? To my understanding, malware would have a harder time escaping bubblewrap than it would otherwise, but I guess your default package manager is less likely to have malware in the first place.

                            Tough question. I would expect that they will fail in their own regards for different reasons. I think the problems that Flatpak aims to solve are great and my N00b impression is that it's not the right tool for the job if the concern is a specific and near-universal program like a mail client and security. It can certainly be an effective way to obtain a program and solve many problems along the way.

                            A few of the other options would be to get the package directly, use a different repository, or compile from source. A bit out of context but using a different email client is also an option.

                            0xsigsev I'd like more people to stop worrying and just use the software as it was intended to be used. No matter if it's Android, iOS, Linux or even Windows. You will be fine as long as you exercise caution and common sense.

                            As much as I agree with the part above I have to disagree with this one. 2024 was bad for cyber security for myself and, looking at the news, for a lot of people. 2025 might be even worse. Last year I had to replace both my computer and router, and I experienced firmware issues on both of them. I never had that problem before. And somehow isolating my LAN from my ISP is now a lot harder than it used to be. I certainly have my own ignorance to blame but it is still more difficult than it used to be.

                            I know it's not what you meant but I have a problem with where "how intended to be" technology is heading. I don't need or want my smart TV to find new ways to link to my computer, or my OS to decide for me that I want to put everything on the cloud. Or my router to find new ways to interconnect my IoT devices to my ISP. Might as well be cancer.

                              dhhdjbd

                              I said not to open attachments from sources you do not trust, not to never open any.

                              The solution would be simple if this was the only logic check. You may trust "Amazon" but "Amazon" may not be Amazon. Hackers are relying on your trust in the companies you're familiar with. It's not enough. You should treat every downloaded attachment as if it were malware; the only way to do this is with a secure OS / VM.

                              tV0gr Fully agree. Common sense isn't enough, you need to think like a hacker, at least sometimes. Common sense would not be enough to protect you against the threat of ACR on TVs to record your laptop screen when it is connected to the TV via HDMI. And finding the option to disable these things takes practice, you kinda have to learn how dark patterns are used to prevent you from easily finding a setting (e.g. to delete your account or cancel a subscription).

                                gk7ncklxlts99w1 Common sense would not be enough to protect you against the threat of ACR on TVs to record your laptop screen when it is connected to the TV via HDMI.

                                Please provide a reputable source where such things were discovered, and shown where it was either stored during capture or was exfiltrated via network.

                                  0xsigsev

                                  If you're looking for scientific/academic evidence for this, you can skip the middleman (me) and look for it yourself. I don't believe I have a handy URL bookmarked for this. Look up how ACR works. If your TV is connected to the internet, and ACR is enabled, and you connect your computer to the TV via HDMI, it will monitor your screen and send the results (whether in the form of screenshots or telemetry or both) back to HQ. ACR captures whatever is on the screen in a likely arbitrary manner, so it doesn't care if you're scrolling through Netflix or doing "research" on your laptop.

                                  If you find a good article please share it with me.