Security and privacy enhancement advice needed

Zormedin

Hey everyone,

This post might be a bit lengthy, but I'm grateful if you take the time to read through it and help me out with some questions.

My Current Setup:

In my Owner profile, I install apps in the following order of preference: GOS Store, Accrescent, Obtainium (GitHub, F-Droid, F-Droid third-party), and Aurora. During installation, I deny network access in the Owner profile, disable the app, and then transfer it to my profile for daily use. Afterward, I disable app installation and updates in the user profile.

Whenever possible, I verify the hash of the app using Appverifier during installation. If that's not feasible, I scan the app on VirusTotal and compare the hash with the one available in the repository (if available).

Privacy Management:

For apps known to compromise privacy (e.g., Amazon, Instagram), which I occasionally need, I use Native Alpha to create "sandboxed" versions of available websites. Sandboxing restricts these web apps from communicating with each other (by separating cookies, etc.). This at least helps limit access to certain device identifiers.

To block some trackers and ads, I rely on NextDNS, which provides DNS filter lists. The device’s traffic goes through a VPN (Mullvad) using the original client. Additionally, I use InviZible in proxy mode (Tor SOCKS proxy) for certain apps like Molly and Telegram.

While I know many on this forum strive to minimize the number of apps on their devices, I can't do the same. However, whenever possible, I opt for known FOSS apps and keep their permissions as minimal as possible.

Questions:

How do you install and verify your apps?
What is your procedure for app updates (are you repeating step 1)?
Any suggestions for improving my workflow?
Is there a way to isolate a group of apps within user profiles similar to using private spaces or work profiles? I recall there are plans to make private space available in user profiles in the future.

I'm curious about exploring RethinkDNS and whether it could be an alternative to some solutions. Using DNS filter lists locally would prevent traffic from reaching an external DNS, potentially improving request speed and enhancing privacy, as blocked requests would not extend to external DNS.

Additionally, RethinkDNS’s VPN and Tor functionalities might allow app usage via Tor even if they lack SOCKS support. However, when I tested RethinkDNS around 8 months ago, I found the UI sometimes challenging to navigate, particularly when chaining settings or configuring it initially and making changes, which was quite time-consuming. This led me to believe that RethinkDNS might not yet be "battle-tested." I'd love to hear your thoughts on this.

Thanks in advance for your feedback!

raccoondad

Zormedin GOS only recommends app installs from Play Store and accresxent. Aurora and f-droid have security issues, just to mention

pxlkng

Zormedin

^ Not only that, Aurora Store also has no privacy benefit over using sandboxed Play Services with an anonymous Google account.

You are compromising your security and privacy by using F-Droid and Aurora Store. You should prioritize in order:

GOS App Store
Accrescent
Google Play Store
Sideloading via Obtainium+AppVerifier (only if absolutely neccessary and not from f-droid repos)

You can just install everything alongside Play Services in owner (or your main profile), you don't need to push apps from Owner to another profile to have good security and privacy.

Profiles are best used based on persona, not app or usage category.

JoeBlogs

Zormedin I'm curious about exploring RethinkDNS and whether it could be an alternative to some solutions

I installed this yesterday as I was looking for a decent application firewall. I found it didn't play very well with Mullvad and had to disable my VPN. It's rather frustrating that many of the app firewalls are also competing to try and become a DNS provider and / or VPN / Proxy. Everyone is competing for our data. I'd rather keep my DNS queries with my VPN provider (Mullvad) and I would love to see them implement Oblivious DNS in the future.

pxlkng Allowing updates is a good thing and not a privacy or security concern.

I kind of agree but I have never seen auto updates as good a good thing. Software updates can be buggy or have some major issue or worse break things or introduce new more dangerous vulnerabilities so personally I find it better to take manual control and allow others to do the beta testing first and verify there are no issues with the update. It's always nice to have the choice and auto software updates should never be enforced.

Thank for explaining the app stores. I never realised there was so much risk with Aurora Store and have resisted the Sandboxed Google Play. You have also changed my mindset towards creating multiple profiles. As for F-Droid I guess the open source nature is where the risk lies, script kiddies being able to upload apps on git. I'm curious as to why Graphene devs don't sandbox Micro-G instead of using the regular Play Store in a sandbox instead so the best of both worlds. I realise I can use fake details / disposable details to register with Google but I really hate the idea of having to create an account with them. One of the big pluses for me is not having to create any accounts especially Google. Isn't this the whole point of a De-Googled phone, moving away from them and giving them as little as possible.

Zormedin This could indeed be the case here. I attempted to proceed with Installs and Updates disabled for the profile, which resulted in being unable to update or install sources/plugins for Grayjay.

This is interesting and depending on your threat model I see this as one of the better reasons for creating another profile, so an admin account and a user account kind of thing. And as mentioned the ability of being able to delete and easily create a new account.

ignoramous

rdns dev here

Zormedin However, when I tested RethinkDNS around 8 months ago, I found the UI sometimes challenging to navigate, particularly when chaining settings or configuring it initially and making changes, which was quite time-consuming. This led me to believe that RethinkDNS might not yet be "battle-tested." I'd love to hear your thoughts on this.

I have physical and mental scars from developing Rethink since Aug 2020. It's been a brutal half-a-decade battle, thus far (:

Zormedin

pxlkng Not only that, Aurora Store also has no privacy benefit over using sandboxed Play Services with an anonymous Google account.

The difference I see is that I don't have to rely on Play Services in the same profile. In the end I would need the Play Store and Play Services inside a profile with full privileges over the device. Or do I miss something?

You are compromising your security and privacy by using F-Droid and Aurora Store. You should prioritize in order:
GOS App Store
Accrescent
Google Play Store
Sideloading via Obtainium+AppVerifier (only if absolutely neccessary and not from f-droid repos)

There have been a bunch of topics about security concerns regarding fdroid but unfortunately it's the only source for some apps. The reason I put this source in front of Aurora or the Play Store is that many apps out of the fdroid repo aren't boundled with certain things. So maybe it's rather a pro privacy minus security.

You can just install everything alongside Play Services in owner (or your main profile), you don't need to push apps from Owner to another profile to have good security and privacy.

That's interesting. Can you explain why my approach wouldn't gain me much? The approach I take has been discussed here and on some channels (like Side of burritos) and it sounded reasonable.

pxlkng

Zormedin In the end I would need the Play Store and Play Services inside a profile with full privileges over the device

No, you would not. Sandboxed Play Services runs completely unprivileged and without any elevated access or privileges, it runs as a normal regular app. GrapheneOS confines Play Services to the standard ordinary app sandbox like any other app is.
Read more here: https://grapheneos.org/features#sandboxed-google-play

Zormedin Can you explain why my approach wouldn't gain me much?

From my understanding, what you are doing is basically the same as just installing everything directly to owner. Its just more complicated and more susceptible to issues or errors imo. User profiles aren't confining apps more and are not adding any security to the app sandbox. Apps are always sandboxed and confined the same. The notable thing that user profiles do in regards to the app sandbox is that they restrict IPC and package discovery between profiles.
Also as a side note, the owner profile doesn't give apps any more access than a user profile, so there is no reason to avoid using the owner profile.

User profiles definitely are nice and useful, but best used for seperating personas like having a personal and a work profile, for example. (Or if you want to leverage their other features, like having separate encryption keys and the ability to independently put them at rest)

The question is rather, why should you do it like this? Are there any specific reasons that speak against just daily-driving one profile? If not, you are probably only making life more complicated on yourself.

Pixelpioneer88

pxlkng this is what I needed to hear lol. I needlessly make things complicated

Zormedin

pxlkng No, you would not. Sandboxed Play Services runs completely unprivileged and without any elevated access or privileges, it runs as a normal regular app. GrapheneOS confines Play Services to the standard ordinary app sandbox like any other app is.
Read more here: https://grapheneos.org/features#sandboxed-google-play

My point here was in regard of the profile as the Owner profile is allowed to update and install apps which my user profiles are not allowed.

pxlkng No, you would not. Sandboxed Play Services runs completely unprivileged and without any elevated access or privileges, it runs as a normal regular app. GrapheneOS confines Play Services to the standard ordinary app sandbox like any other app is.
Read more here: https://grapheneos.org/features#sandboxed-google-play

My point here was in regard of the profile as the Owner profile is allowed to update and install apps which my user profiles are not allowed.

pxlkng From my understanding, what you are doing is basically the same as just installing everything directly to owner. Its just more complicated and more susceptible to issues or errors imo. User profiles aren't confining apps more and are not adding any security to the app sandbox. Apps are always sandboxed and confined the same. The notable thing that user profiles do in regards to the app sandbox is that they restrict IPC and package discovery between profiles.
Also as a side note, the owner profile doesn't give apps any more access than a user profile, so there is no reason to avoid using the owner profile.

Each profile has a different Android ID or? So even if apps are not running inside the same profile they can determine if they are in the same profile. And if there are proprietary closed source apps, especially those from known tech companies incl. network permission I'm seeing it as a privacy concern.

pxlkng

Zormedin What's with the ability of certain apps to load and install plugins?

Unsure what you mean by "plugins" here.

Zormedin which are both closed source

The licensing does absolutely not matter in this context. This makes no difference. Proprietary is not automatically a bad thing and FOSS is not automatically a good thing. Those also don't necessarily correlate with any security or privacy implications. This is merely licensing and source availability. (Closed source is still not a black box.)

Zormedin require network permission which would be a problem as you mentioned IPC yourself

Denying an app the network permission is not a silver bullet and does not guarantee that the app wont be able to still exfiltrate data, if that is your concern.

Zormedin Beside that many apps from the PlayStore are bundled with frameworks, trackers etc. that their counterparts from fdroid and other sources don't have

This is not an argument for F-Droid. You can get apps that don't contain those without using F-Droid.
And to be frank, you are worse off using F-Droid, due to its security implications, than just using apps from the Play Store, even with their trackers and whatnot. Or if you absolutely want to avoid the Play Store at all costs, sideload them with Obtainium+AppVerifier.

Zormedin As the Owner profile is always running that means every app which hasn't been stopped is running all the time.
Zormedin And one last thing: A wipe of a user profile can easily be done. Create a new one, push apps and good to go again.

Sure, those are valid arguments for using profiles. I mentioned this earlier:

pxlkng Or if you want to leverage their other features [...]

Pixelpioneer88

pxlkng so currently I have an owner profile with FOSS apps through obtanium and a private space with gps and gp store. I need to now download work apps for my job. Should I just move everything to owner with gps and gp store and then put my works apps in the private space? Or should I utilize the work profile with shelter?

Thank you for your knowledge!

pxlkng

Zormedin My point here was in regard of the profile as the Owner profile is allowed to update and install apps which my user profiles are not allowed.

Allowing updates is a good thing and not a privacy or security concern. Auto-updates should always be enabled. Hence I don't really see the point of restricting installs and updates for the profile you use and offloading that into Owner.

Zormedin

EDIT: What I meant was, that even if a certain app is stopped and started again at a later time, they can determine the AndroidID, transmit it for whatever reason.
And with regard of IPC I see it as an even bigger problem with privacy invasive apps (with network permission with at least one of them), so why not keep Google Apps seperate or don't even use them in the first place?

Regarding possible problems with using a seperate profile: Can you give an example of possible problems? I'm using this setup for quite some time and have none so far.

SgtSurehand

https://discuss.grapheneos.org/d/17118-identifiers-across-private-space-and-profiles/4

Zormedin

pxlkng Hence I don't really see the point of restricting installs and updates for the profile you use and offloading that into Owner.

The toggle allows updates AND the installation of new apps and that's the point here.
Updates can be done easily after the device rebooted as the Owner profile is the first I have to unlock. So far I only see disadvantages putting everything in the Owner profile and it would help if you can explain the things you mentioned which you have not done so far.

pxlkng

Zormedin The toggle allows updates AND the installation of new apps and that's the point here.

Installation of new apps requires the installing app to have the install permission and always requires active user confirmation as well. Hence I still see no reason to offload that into owner and disable it for your daily-drive profile. Allowing app updates and installs for a profile isn't a security or privacy issue.

Zormedin So far I only see disadvantages putting everything in the Owner profile

What are those?

Zormedin would help if you can explain the things you mentioned

Unsure what else you want me to explain.

Zormedin

Just to be clear on some things:
I totally agree that there are many other identifiers apps can use to determine the device they are running on.
Beside that I HAVE to use certain apps which are tied to my real Identity. A VPN and Tor won't change that.

Currently I have to rely on three apps which are only available via the Playstore which I would like to avoid for the reasons named above.
My approach is just to, at least limit the data a single big entity can gather but I don't want to sacrifice security much which was the point of my initial post.

Zormedin

pxlkng Installation of new apps requires the installing app to have the install permission and always requires active user confirmation as well. Hence I still see no reason to offload that into owner and disable it for your daily-drive profile. Allowing app updates and installs for a profile isn't a security or privacy issue.

If the user profile does not have the ability to install and update apps it's another "barrier" preventing those actions. So you suggest to rely solely on the confirmation request to appear? What's with the ability of certain apps to load and install plugins? Without the permission even this is not possible.

Zormedin So far I only see disadvantages putting everything in the Owner profile

What are those?

You suggested PlayServices and the PlayStore which are both closed source and require network permission which would be a problem as you mentioned IPC yourself. Beside that many apps from the PlayStore are bundled with frameworks, trackers etc. that their counterparts from fdroid and other sources don't have. That's my issue.

Zormedin would help if you can explain the things you mentioned

Unsure what else you want me to explain.

You talked about the possibility of errors and issues and I wanted to know what problems you are talking about?

As the Owner profile is always running that means every app which hasn't been stopped is running all the time. So even if I create a new profile for whatever purpose the things inside the Owner profile keep running (for a certain time). Apps inside secondary profile are stopped when the profile is not active (has to be set).

And one last thing: A wipe of a user profile can easily be done. Create a new one, push apps and good to go again.

Zormedin

pxlkng Unsure what you mean by "plugins" here.

Apps which have special plugins like e.g. Grayjay. And no, you don't get the standard system dialog.

Zormedin which are both closed source

The licensing does absolutely not matter in this context. This makes no difference. Proprietary is not automatically a bad thing and FOSS is not automatically a good thing. Those also don't necessarily correlate with any security or privacy implications. This is merely licensing and source availability. (Closed source is still not a black box.)

I never even said it's a blackbox nor did I say that FOSS apps are generally the better choice. But without source it's much harder to determine the full functionality.
But again, we are talking about apps from Google here. If you believe those apps to be private, feel free to use them. I don't.

Zormedin require network permission which would be a problem as you mentioned IPC yourself

Denying an app the network permission is not a silver bullet and does not guarantee that the app wont be able to still exfiltrate data, if that is your concern.

I NEVER said that denying network permission would solve possible IPC communication when one app is left WITH network permission. Where did I say anything different? And again: EXACTLY this is my concern here, especially with closed source apps like the ones named above.

Zormedin Beside that many apps from the PlayStore are bundled with frameworks, trackers etc. that their counterparts from fdroid and other sources don't have

This is not an argument for F-Droid. You can get apps that don't contain those without using F-Droid.
And to be frank, you are worse off using F-Droid, due to its security implications, than just using apps from the Play Store, even with their trackers and whatnot. Or if you absolutely want to avoid the Play Store at all costs, sideload them with Obtainium+AppVerifier.

And now we are back at my initial post... I am using Obtainium and only use fdroid as a source there if they aren't available from the other sources named in my initial post. I named them from left (most favorable) to least favorable and that's it.

You haven't answered my question regarding the problems you had with user profiles? What error and issues did you talk about?

pxlkng

Zormedin Apps which have special plugins like e.g. Grayjay. And no, you don't get the standard system dialog.

You seem to be confusing something here.
All new app installs always need user confirmation. If what you are talking about does not, this is something different, not a system package install and will not be prohibited by turning off installs and updates for this profile. There is no concept of "plugins" on Android as far as I'm aware. There are "library" packages, they are basically the same as apps, just that they provide libraries to other apps and not execute code themselves, as well as being hidden from the app view (and generally not being user-facing). But even those cannot be installed without user confirmation.
This is a security feature.
If there is any way to install app packages bypassing user confirmation, consider this a security vulnerability and report it accordingly.

Zormedin You haven't answered my question regarding the problems you had with user profiles? What error and issues did you talk about?

I wasn't so much talking about specifics as rather about "over-complicated" setups in general.
Right now I see no apparent issues with your setup, as you explained that you do it this way to benefit from the profiles features, like putting them at rest.

Zormedin

pxlkng If there is any way to install app packages bypassing user confirmation, consider this a security vulnerability and report it accordingly.

This could indeed be the case here. I attempted to proceed with Installs and Updates disabled for the profile, which resulted in being unable to update or install sources/plugins for Grayjay. Upon enabling them, the dialog that appears to confirm the update is not the standard Android dialog.
Install unknown apps was not enabled for Grayjay during both tests.
-> I will reach out to the devs to confirm this

pxlkng

JoeBlogs I kind of agree but I have never seen auto updates as good a good thing.

It is a good thing and always has been, that's a fact and nothing that has to be agreed on.
Vulnerabilities are way more common to be discovered in old software, than bleeding edge.
Bleeding edge isn't unstable or bug-ridden or generally flawed like some people claim.
Also android app updates aren't really bleeding edge because they are still tested and rolled out, most of the time.
If you are delaying updates a significant amount of time, you are only endangering yourself.
Especially for the OS, you should always keep Is updates enabled to get them as soon as they hit your channel.

JoeBlogs Micro-G instead of using the regular Play Store

MicroG is horrible. It runs privileged and is very cheap and sloppy, hacked together with dangerous and flawed approaches.
It reduces security and usability.
There is nothing good to gain if you would use MicroG on GrapheneOS.
It is not nearly as good, quality- and functionality-wise as sandboxed Play Services.
GrapheneOS would never include it and there is no reason to even want that.

JoeBlogs point of a De-Googled phone

GrapheneOS is not about de-googling.

Zormedin

JoeBlogs I installed this yesterday as I was looking for a decent application firewall. I found it didn't play very well with Mullvad and had to disable my VPN. It's rather frustrating that many of the app firewalls are also competing to try and become a DNS provider and / or VPN / Proxy. Everyone is competing for our data. I'd rather keep my DNS queries with my VPN provider (Mullvad) and I would love to see them implement Oblivious DNS in the future.

Good to know. I like the simplicity of the original Mullvad client and am happy with my config so far but will retry rethink at a later date.

ignoramous

JoeBlogs It's rather frustrating that many of the app firewalls are also competing to try and become a DNS provider and / or VPN / Proxy. Everyone is competing for our data

You can use any DNS or VPN with Rethink. It doesn't force any of it on the end-user.

JoeBlogs I found it didn't play very well with Mullvad and had to disable my VPN.

This shouldn't happen. Were you on Rethink version v055n (the footer of the About UI should show the version number)? You can try setting in Mullvad's WireGuard configuration "Persistent KeepAlive" to 30seconds or so, to see if that fixes up the connectivity issues you see.

Anyhow, in the upcoming version v055o, due soon-ish, we've fixed a bunch around stability and robustness.