Grapheneos & Shizuku - 'better' than stock ?

PrivacyGold

Ok.

I understand trying to get Shizuku with Grapheneos is kinda 'pointless' - it defeats the point of a secure os. However, like alot in life, its the grey, not always black or white.

My question - is Grapheneos & Shizuku as insecure as running Lineageos/Stock. In my case, I would want Shizuku (wireless adb bugging) running all the time. I want to run a xposed framework module

I know, I know. You either have privacy or convenience. You can't have both. Maybe I want a blend, not perfect security and abit more convenience. Surely there are additional privacy features in Grapeheneos that still make it worthwhile ?

Or is it that by getting Shizuku to work, you blow a security hole so wide, you may has well just run LineageOS or stock Android ?

Here's what AI said...

The recommended best practices for running Shizuku securely on GrapheneOS involve several careful steps and considerations aimed at reducing security risks while enabling the desired functionality:

Understand the Risks: Using Shizuku requires enabling ADB debugging (usually wireless debugging), which inherently broadens the attack surface and weakens GrapheneOS's strong security model. It is generally discouraged on production daily driver devices unless you fully understand and accept the risks.

Disable Secure App Spawning: On GrapheneOS, you may need to disable "Secure app spawning" in system settings under Security for Shizuku to work properly.

Use Wireless Debugging Carefully: Enable wireless debugging in Developer Options only when needed. Pair devices carefully using the pairing code. Avoid leaving wireless debugging enabled persistently as it creates a network attack vector.

Keep Shizuku Updated: Use the latest official Shizuku version from trusted sources like GitHub or Google Play to ensure you have the latest security fixes and compatibility improvements.

Run Shizuku with Minimum Permissions: Only grant Shizuku the permissions it needs for your specific use case. Avoid enabling unnecessary permissions or settings.

Allow Background Operation: Make sure Shizuku is allowed to run in the background on GrapheneOS without restrictions or network access being limited, as some manufacturers disable background network access for apps, which can cause Shizuku not to work properly.

Monitor App Behavior: Regularly check that Shizuku or apps using it do not introduce suspicious network or system activity.

Restart After Reboot: Because of system limitations, Shizuku needs to be manually restarted after every reboot.

Avoid Root or Xposed Modules: If you are running GrapheneOS without root, ensure Shizuku and other apps do not rely on rooting or Xposed frameworks, which damage security.

n3t_admin

The use of usb debugging is discouraged. The use of wireless debugging is highly discouraged. The use of Shizuku basically defeats the purpose of GrapheneOS. You also throw around terms like "privacy" and "security" interchangeably - they're not the same thing. Shizuku mainly affects security.

PrivacyGold Or is it that by getting Shizuku to work, you blow a security hole so wide, you may has well just run LineageOS or stock Android ?

LineageOS or stock Android doesn't have adb enabled, so it's worse than running those.

PrivacyGold Here's what AI said...

Please don't trust what "AI" says. It's just a mathematical model that will spit out words, that have the highest probability of coming one after the other. The advice it gave is contradictory in some points and gives you a false sense of security. The AI didn't tell you, which of these

unless you fully understand and accept the risks

risks there would be.

Delaney

PrivacyGold I want to run a xposed framework module

What are you looking to achieve exactly?

de0u

PrivacyGold Here's what AI said...

https://discuss.grapheneos.org/d/11951-ai-generated-text-is-forbidden-with-the-exception-of-automated-translation

Nobody wants posts of the form "I asked a drunk guy at the bar last night about Shizuku and he told me _______", and posting LLM slop here is officially unwanted for roughly the same reason (plus model collapse).

23Sha-ger

PrivacyGold
Maybe start by telling what you trying to achieve/bypass/unlock if you need elevated permissions on a secure by default OS? Chances are that what you are trying to do, unless it's full root access, is possible with another, less invasive way. Call recording is already present for example, it was a popular request in the past.

PrivacyGold

If the options are running Graphenos & Shizuku or Lineageos & Shizuku - Is there zero value in running Grpaheneos & Shizuku over Lineageos & Shizuku

n3t_admin

PrivacyGold Apples and oranges. I was talking about stock LineageOS - that doesn't have the added attack surface of a wide open adb running.
Lineage has a lot of flaws by itself, adding Shizuku is another level of madness honestly.
Don't forget - not only Shizuku can then tamper with your system, it's practically every malicious app you have installed.

PrivacyGold

I never do this, partly because I am the one asking for help.

But your replies are really unhelpful.

The simple question is this, cannot make it any clearer:

If the options are running Graphenos & Shizuku or Lineageos & Shizuku - Is there zero value in running Grpaheneos & Shizuku over Lineageos & Shizuku ?

You're missing the entire point of the post, and avoiding the question. Can anyone else please help

Delaney

PrivacyGold If the options are running Graphenos & Shizuku or Lineageos & Shizuku - Is there zero value in running Grpaheneos & Shizuku over Lineageos & Shizuku ?

There is zero value

wizoatk

PrivacyGold

Some of the other features may be of interest. The Sandboxed Google Play feature is a big one for some people.

https://grapheneos.org/features

de0u

PrivacyGold [The] replies are really unhelpful.

GrapheneOS is an AOSP fork focused on security and privacy.

Shizuku is a tool focused on undermining the Android security model.

It's your device, you can do that... but it is not clear that it is the responsibility of forum members to be helpful with this particular quest.

Hopefully answers will be accurate and not be personal attacks. But "helpful" might not occur.

n3t_admin

PrivacyGold But your replies are really unhelpful.

I'm sorry if you feel that way, but what did you expect in a security-centric forum?
It's obvious you already made up your mind, so I don't think arguing with you is gonna get any of us anywhere.

PrivacyGold You're missing the entire point of the post, and avoiding the question

No, I'm not. I already told you in clear terms that it makes no difference whether you run Shizuku on stock Android, Lineage or Graphene. You always introduce the same risk. All the enhancements of GrapheneOS don't really matter anymore, because you now have a door with 10 very good locks but also a giant hole in your wall with a glowing arrow pointed at it.

PrivacyGold LSPatch

You really don't seem to care. The LSPatch repo has been archived and it's totally deprecated. I would also recommend against using outdated software, that most likely has unpatched security flaws built in. But you do you, I can't change your mind. Convenience seems to be the only thing you really care about.

PrivacyGold

Delaney

Run my Xposed Module using LSPatch (this is Critical for me. Even more so than the security of Grapeneos)

I think I can probaly get it working on Grapeneos, I know its unspported and not recommended.

Its either Grapheneos & LSPatch with Shizuku. Or Lineageos with LSPatch (and Aurora Store). The other features still seem to be of value.

I think I'm more concerned with app privacy than security as a whole. This is where GOS & Shizuku is the better option ( I think!?)

cleanbowtie

PrivacyGold I have no clue what Shizuku is, but there are benefits to Graphene outside of what is being discussed. These include;

Managing network permissions for individual apps
Less bloated experience
PIN Scrambling to prevent shoulder surfing
Duress password

Unless I am missing something here (and in which case I'd love to be corrected) I don't think anything can really 'defeat the purpose' of Graphene. Again, if I'm missing something I would love to be corrected.

de0u

n3t_admin It makes no difference whether you run Shizuku on stock Android, Lineage or Graphene.

I feel as if this is somewhat ill-defined. GrapheneOS has a bunch of hardening, for example MTE on newer devices and hardened_malloc regardless, that, strictly speaking, isn't necessarily negated by Shizuku.

But it might be negated in practice. Maybe Shizuku and/or LSPatch or the whatever module trips MTE or trips hardened_malloc, in which case they'd be turned off and thus not adding any security. Plus I don't think the OP said which device, so maybe there isn't MTE anyway.

I don't think it's the responsibility of this forum to be "helpful" in untangling all of these nuances and contingencies.

Meanwhile arguably there is some responsibility to warn passers-by that there are real risks that have not been investigated.

n3t_admin

de0u isn't necessarily negated by Shizuku.

It certainly isn't. What I see as a problem, is the complexity going down. You'll far more likely see some form of exploit targeting Shizuku users instead of difficult (and much more valuable!) memory based exploits. That's actually the whole point I'm trying to get across. MTE, secure app spawning and all the rest assumes that you have your bases covered. But if the fundamentals are already spoiled, all the "cherry on top" won't save the cake.