Am I too naive/confident?

Disregard2717

Hi all,
I'm new to GOS - I bought a Pixel 8a two weeks ago and I'm desperately waiting to return from my vacations to set it all up :-D
A question that came to my mind in the meantime - since GOS does sandboxing of individual apps and I can even setup different profiles on Graphene, do I no longer have to worry about using the browser version instead of the actual app (say for example reddit), since the app cannot access any more information anyway? (Sorry if my English sounds weird, I'm not a native speaker...) Or is this too confident & I should stick with browser versions where possible?

Open_Source_Enjoyer

Disregard2717 do I no longer have to worry about using the browser version instead of the actual app (say for example reddit), since the app cannot access any more information anyway?

I would stick with the browser version or put the closed source apps in private space.

secrec

ANDROID does sandboxing. There's nothing special that GrapheneOS does for user-installed applications in this regard that isn't present in the upstream source code.

When you hear about sandboxing with respect to GrapheneOS, the only special thing is that it forces GOOGLE SERVICES into the same sandbox that other applications are already stuck into. In a "normal" Android installation, gservices effectively have root access to the phone, so there is nothing keeping them from doing bad things. Now however, you can trust that the permissions you grant and deny for gservices will actually be respected.

Watermelon

secrec When you hear about sandboxing with respect to GrapheneOS, the only special thing is that it forces GOOGLE SERVICES into the same sandbox that other applications are already stuck into.

This isn't true. GrapheneOS adds the Network and Sensors permissions. Apps on Android that don't claim network access should have freer network access than when on GrapheneOS because GOS would treat it as if the Network permission is not allowed to it rather than how Android does it which lacks a Network permission at all. (This isn't relevant to the Sensors permission though, because GOS adds the Sensors permission to practically all apps, besides only "apps" that lack any executable code, I think.)

Beyond that, GOS reinforces the existing sandbox.

Additionally, GOS doesn't actually put Google Play into a sandbox, it can be installed as a normal sandboxed app on Android. But it just wouldn't work that way. What GrapheneOS does special is provide the compatibility layer that makes Google Play work within the normal app sandbox. There's nothing special about sandboxed Google Play aside from the fact that it normally abuses invasive access into the OS that normal apps don't have.

area51

GrapheneOS is a great choice, and installing it you will have taken a huge step towards privacy and security. GrapheneOS is not magic, its how you use it that makes a difference.
I would advise you install it and play about with it for a few days, install/ delete apps, create a private space and or profiles, check out what they can do for you and you can do with them. Then factory reset and start again, but for real...

secrec

Watermelon This isn't true. GrapheneOS adds the Network and Sensors permissions.

See the word you used? PERMISSIONS. You didn't even use the word "sandbox". And for that matter, upstream includes network and sensors permissions. Now you just have a UI to disable them, the permission was there to begin with.

AtavisticPuma

Apps are somewhat worse overall for privacy, and can be worse or better for security depending on how they are created. Many apps have much worse security engineering than the Vanadium browser.

Apps have access to the full list of the other apps in the user profile. When installing an app, the user will be tempted or required to give it permissions, and those permissions can provide a lot of personal information that wouldn't be available from just interacting with a website.

On the other hand there is an argument that it's better to use securely-written apps for your more sensitive activities, so different parts of your life don't only exist together in the one browser sandbox. We are lucky to have well audited secure messaging apps like Signal/Molly, its just too bad so many banking apps seem to be badly made.

SgtSurehand

AtavisticPuma they are generally not badly made, they're just made to suit the bank first and somewhere along the way to a certain degree you, the customer. But yeah, I would go with the web app, that operates in browser sandbox on top of Android app sandboxing.

locked

AtavisticPuma Banking apps are badly made. I have a special banking profile for them, so they can only see themselves.

Disregard2717

AtavisticPuma thank you for your explanation!

Watermelon

secrec See the word you used? PERMISSIONS. You didn't even use the word "sandbox". And for that matter, upstream includes network and sensors permissions. Now you just have a UI to disable them, the permission was there to begin with.

False. GrapheneOS provides toggles for the Network and Sensors permissions that it adds because these break compatibility with Android. The rest of the tightenings to the app sandbox don't break compatibility so that's what I meant by it not being "special".

To sandbox an app means that it's confined and can't access data that would be available to it otherwise. Since this is very restrictive and most apps need to access things outside their sandbox, the permissions exist as a way for apps to request and for users to allow requests to access things outside of the sandbox in a controlled way. Essentially, the permissions define the "interface" that apps have inside their sandbox to access sensitive stuff outside of it. Without sandboxing there would've been no need for the permissions system.

Quotes from the website (with my emphasis added):
"The standard INTERNET permission used as the basis for the Network permission toggle is enhanced with a second layer of enforcement and proper support for granting/revoking it on a per-profile basis."
"Sensors permission toggle: disallow access to all other sensors not covered by existing Android permissions (Camera, Microphone, Body Sensors, Activity Recognition) including an accelerometer, gyroscope, compass, barometer, thermometer and any other sensors present on a given device."
"GrapheneOS tries to avoid impacting the user experience with the privacy and security features. Ideally, the features can be designed so that they're always enabled with no impact on the user experience and no additional complexity like configuration options. It's not always feasible, and GrapheneOS does add various toggles for features like the Network permission, Sensors permission, restrictions when the device is locked (USB-C / pogo pins, camera, quick tiles), etc. along with more complex user-facing privacy and security features with their own UX."
Source:
https://grapheneos.org/features#network-permission-toggle
https://grapheneos.org/features#sensors-permission-toggle
https://grapheneos.org/

other8026

secrec please don't be rude. There's no reason to respond this way. Watermelon responded to something you said, quoting a good source to correct what you had said. I'd suggest you read the links that were shared so you have a better idea of how the permissions work.

INTERNET is a permission on AOSP, but GrapheneOS made it into a special runtime permission. As for the sensors permission, it is true that there are other sensors permissions that are already part of AOSP, but GrapheneOS added a whole new permission instead of using the ones already on Android so access to sensors not guarded by permissions can be blocked.