• General

  • Email security on GrapheneOS vs desktop (eg. Linux)

I am just a N00b and I am no security expert. I am not saying that flatpak is inherently bad, but my understanding is that it could be used in more insidious way to run code or access resources that otherwise wouldn't be allowed.

As much as I use VM, hypervisor can also increase the overall complexity of the system. I would personally not assume that the hypervisor is hardened by default. I personally would not enable features like shared memory or shared clipboard if there is a need for more security; these are likely not the most important but they might be overlooked. Some hypervisor likely do better than others in term of hardening but I would suggest to read the manpages. Some hypervisor may also come with unnecessary packages, or lack features as provided by the package manager. It's on my to-do list so I can't speak too much for it. There are likely 50 other areas to harden first or I might have underestimated its importance.

    tV0gr

    If it is a realistically concern for them that whatever targets them could even exploit an vm, they could live boot (all disks must be encrypted for this ofc), or to be really safe one could get like an raspberry pie and use this for it.

        gk7ncklxlts99w1 I recall the GOS forum account mentioning that GrapheneOS is more secure than any desktop OS right now (which I think is very likely).

        That's not just very likely, that's a fact. Desktop OSes don't even come close.

        gk7ncklxlts99w1 Would I be correct in deducing that I am less likely to be compromised by a malicious email attachment on GrapheneOS, than I am on desktop?

        Generally yes, but this also depends on the programs you use and the settings of the email program, for example it is important to deactivate scripting and dynamic content.

        gk7ncklxlts99w1 If I ever need to use my email on desktop, I would use it in Brave browser installed via flatpak

        Using a browser for this is a good way to view emails and their attached PDFs, due to the browser's additional security measures like sandboxing. But using the browser as a Flatpak is not a good idea, since it weakens the browser's own sandboxing.

                TheGodfather Using a browser for this is a good way to view emails and their attached PDFs, due to the browser's additional security measures like sandboxing. But using the browser as a Flatpak is not a good idea, since it weakens the browser's own sandboxing.

                This, especially chromium based browsers. The following is my own (perhaps flawed) understanding: there are different kinds of sandboxes, and using for example chrome in a flatpak, will cripple chrome it's own robust sandboxing, which i believe is more focused towards site isolation in the browser itself? While flatpak (with bwrap) sandboxes thing more from the OS. So i believe it could depend on your use case on how u would use chrome in this is example. Would u value it more kinda 'separated' from the OS, but have weaker site isolation in browser itself, or the contrary?

                This is my own understanding currently of this pretty complex matter, and i'm mainly posting this as perhaps an expert could shed some light on my perhaps flawed view and clear some things up.

                    dhhdjbd

                    The ill conceived advice to simply not open attachments at all is completely impractical, along with other sagely advice like "don't ever connect to the internet".

                    VM is not really part of my question though, I'm aware they would provide some additional security but for simplicity I'm just asking for hosts. A follow up question could be; could malware installed via email attachment in a VM be more damaging than on Android, and how likely is it the malware will escape the VM? VM escapes are notoriously difficult to perform, so it's beyond the scope of my question.

                    tV0gr compared to not using flatpak, like installing from your default package manager? To my understanding, malware would have a harder time escaping bubblewrap than it would otherwise, but I guess your default package manager is less likely to have malware in the first place.

                    dhhdjbd My question only addresses common garden variety malware, not spearfishing attacks or attacks carried out by nation states.

                    TheGodfather

                    Generally yes, but this also depends on the programs you use and the settings of the email program, for example it is important to deactivate scripting and dynamic content.

                    I would imagine Tuta and Proton take their security more seriously than any other email providers, I'm guessing they address those things.

                    But using the browser as a Flatpak is not a good idea, since it weakens the browser's own sandboxing.

                    Can you elaborate? So it's better to use your distro's package manager instead of flatpak?

                              r134a

                              I think your comment really reflects the complex nature of this subject. Every time I try to learn about browser security and sandboxing, the subject goes in a hundred different directions. It is indeed very complicated.

                              But if it's a fact that GrapheneOS is more secure than any desktop OS, then that should mean you're much better off running an email client on your phone than on desktop. I just want to know if my reasoning is correct, cause a lot of the things I do for security I do based on assumption.

                                  gk7ncklxlts99w1 But if it's a fact that GrapheneOS is more secure than any desktop OS

                                  I believe on the topic of browsers it actually is.
                                  Vanadium is hard to beat from a security perspective, i believe no browser on desktop could even come close. It has full (hardened?) Chromium sanbox, runs in android sandbox, and has userland selinux enforcement. Though this again is based on my current ( perhaps flawed) understanding.

                                      r134a

                                      I use the Tuta and Proton apps. I believe the Tuta app is effectively a browser. Maybe it would be even more secure to use these email clients in Browser instead of the apps?

                                      There's probably no area in my threat model that requires such a high level of security than email. Of all the things I do, email security is my main focus. Which is why I care so much and why I'm so pedantic about it.

                                        I said not open attachments from sources you do not trust.. not to never open any.

                                        Opening attachments is essentialy downloading a file onto your device and opening it/ executing it there.

                                        (Definitly the case for pdfs in proton app and in proton vanadium browser, for example. For some file types a preview is avaible tho)

                                        It does not really matter that it was part of an email.
                                        If you do this, anything can happen, who knows maybe the app which you use to open a specific file type has an possible exploit..

                                        But yes it is not likely that a random malware exploits the grapheneOS pdf viewer (and webview sandbox). It is realistically fine.

                                          I really think some of people advising and/or speaking about potential issues/threats when using XYZ software on anything but GOS have no understanding of how tech works and why would the main account say what they do about the benefits (security wise) when interacting with various technologies.

                                          This also unfortunately makes some people perceive that anything slightly out of the ordinary is a valid proof that they got hacked..

                                          People used email/web etc for years even when GOS was not even in their creators mind and they lived, and usually did not get popped. Same now. It's not like you will get popped by the first exploit available when you'll use Firefox on Linux while browsing your Hotmail emails attachment. If you open any attachment without thinking OR you click any link you get from email/sms/signal I can guarantee you, no protection will be enough to save you. No exploit protection will save you. Recent vuln in chrome sandbox was so severe that even the researchers who discovered it found it hard to believe. And it did not even looked that malicious in nature. All it took was a bug in the software.

                                          I'd like more people to stop worrying and just use the software as it was intended to be used. No matter if it's android, iOS Linux or even windows. You will be fine as long as you will exercise caution and common sense.

                                          If your work/nationality/location call for it, yes you will most likely want to skip certain tools/technologies. But you will know, you won't need some random forum stranger to tell you that.

                                            gk7ncklxlts99w1 compared to not using flatpak, like installing from your default package manager? To my understanding, malware would have a harder time escaping bubblewrap than it would otherwise, but I guess your default package manager is less likely to have malware in the first place.

                                            Tough question. I would expect that they will fail in their own regards for different reasons. I think the problems that flatpak aim to solve is great and my N00b impression is that it's not the right tool for the job if the concern is a specific and near-universal program like a mail client and security. It can certainly be an effective way to obtain a program and solve many problem along the way.

                                            Few of the other options would be to directly get package, use a different repository, compile from source. A bit out of context but using a different email client is also an option.

                                              0xsigsev I'd like more people to stop worrying and just use the software as it was intended to be used. No matter if it's android, iOS Linux or even windows. You will be fine as long as you will exercise caution and common sense.

                                              As much as I agree with the part above I have to disagree with this one. 2024 was bad for cyber security for myself and looking at the news, for a lot of people. 2025 might be even worse. Last year I had to replace both my computer and router, and I experienced firmware issue on both of them. I never had that problem before. And somehow isolating my LAN from my ISP is now a lot harder than it used to be. I certainly have my own ignorance to blame but it is still more difficult than it used to be.

                                              I know it's not what you meant but I have a problem on where "how intended to be" technology is heading. I don't need or want my smart TV to find new ways to link to my computer, or my OS to decide for me that I want to put everything on the cloud. Or my router to find new ways to interconnect my IoT devices to my ISP. Might as well be cancer.

                                                  dhhdjbd

                                                  I said not open attachments from sources you do not trust.. not to never open any.

                                                  The solution would be simple if this was the only logic check. You may trust "Amazon" but "Amazon" may not be Amazon. Hackers are relying on your trust in the companies you're familiar with. It's not enough. You should treat every downloaded attachment as if it were malware, the only way to do this is with a secure OS / VM.

                                                  tV0gr Fully agree. Common sense isn't enough, you need to think like a hacker, at least some times. Common sense would not be enough to protect you against the threat of ACR on TV's to record your laptop screen when it is connected to the TV via HDMI. And finding the option to disable these things takes practice, you kinda have to learn how dark patterns are used to prevent you from easily finding a setting (eg. to delete your account or cancel a subscription).

                                                        gk7ncklxlts99w1 Common sense would not be enough to protect you against the threat of ACR on TV's to record your laptop screen when it is connected to the TV via HDMI.

                                                        Please provide a reputable source where such things were discovered, and shown where it was either stored during capture or was exflitrated via network.

                                                            0xsigsev

                                                            If you're looking for scientific/academic evidence for this, you can skip the middleman (me) and look for it yourself. I don't believe I have a handy URL bookmarked for this. Look up how ACR works. If your TV is connected to the internet, and ACR is enabled, and you connect your computer to the TV via HDMI, it will monitor your screen and send the results (whether in the form of screenshots or telemetry or both) back to HQ. ACR captures whatever is on the screen in a likely arbitrary manner, so it doesn't care if you're scrolling through Netflix or doing "research" on your laptop.

                                                            If you find a good article please share it with me.

                                                                gk7ncklxlts99w1 look for it yourself. I don't believe I have a handy URL

                                                                So, trust me bro? No thanks. Not gonna waste time for a FUD/Doomsday crap shared by someone who believes in anything they find on the internet without any real evidence.

                                                                    0xsigsev

                                                                    It's no skin off my back if you don't believe it. If you're genuinely interested in the topic then I trust you'll find it yourself. I have a feeling you're not really interested in learning anything, you're just trying to be annoying and unnecessarily pedantic.

                                                                    If you want to learn things, sometimes you have to do your own research. This is a forum, and I'm not your personal assistant.

                                                                        gk7ncklxlts99w1 You've come to the point of what the discussion sometimes looks like: prove it, if not, it means you are wrong. The problem of knowledge: I would not be surprised if I read: Look around and prove to me that the Earth is not flat. If you do not do this, it means that you are wrong saying that it is not flat. You can answer in the same way: prove to me that I'm wrong, if you can't, it means you're wrong. This approach kills the whole discussion and brings it to a senseless quarrel. However, this is a note outside the topic of discussion.

                                                                        You asked if the email on GOS is more safe than on Linux desktop. Yes, and this is due to the fact that Proton and Tuta use the entire safe environment offered by GOS (Vanadium WebView, hardened malloc, MTE etc.). Even if you use Brave on desktop and you think it is safe, this browser uses huge external libraries that are written in C/C++ and often have limited security so that other poorly written programs work (more) properly.

                                                                        This, however, does not change the fact that you can safely use an email on desktop, but it requires awareness of what you do and what is risky. None of these safeguards will protect against stupidity.

                                                                            argante

                                                                            I believe that when I interact with people on an online forum, I have faith that they will speak in a way that is in accordance with the truth. I do not ask that they prove every claim they make, because that would imply I don't trust people enough to come up with their own conclusions. That attitude does not get you anywhere. If your threshold for determining what constitutes misinformation is so low that you distrust anything that doesn't reference peer reviewed research from a scientific journal, you won't make it very far and you won't learn much, and nobody will like you. As I said, this is a forum, not a research database or a judicial court, and I'm not obligated to do the research for you. If you are interested enough in the subject at hand then I trust you will find it for yourself, and I would love to hear back from you.

                                                                            fid02 set a pretty good example of how to conduct yourself in a different thread. I luckily had a link bookmarked, and he responded to the article and criticised it for being too vague and citing various other articles. He didn't criticise me specifically, he just showed why the referenced article needed more work. And I asked him for his take, cause I also thought it was vague. Neither he nor I am obligated to cite anything, but I expect people will act in good faith, and where I want clarification, I will kindly ask for any sources they have. If not, I'll find it myself if I'm really interested. Here's the discussion: https://discuss.grapheneos.org/d/21322-does-provider-get-unique-id-of-fido2-device/7

                                                                            However I do acknowledge the challenge of what we're discussing but it extends beyond the scope of this post. How verbose should we be? What sources should we trust, and how thoroughly do we examine others' claims without stifling discussion (I'll say that again: without stifling discussion)? And perhaps most importantly, do we trust that others will speak truthfully, especially in the absence of a consensus? It's a complex problem, basically. I appreciate critical thinking but "prove it, if not, it means you are wrong" is silly.